Hackers increasingly use Winos4.0 post-exploitation kit in attacks

Hackers are increasingly targeting Windows users with the malicious Winos4.0 framework, distributed via seemingly benign game-related apps.

The toolkit is comparable to the Sliver and Cobalt Strike post-exploitation frameworks; Trend Micro first documented it this summer in a report on attacks against Chinese users.

At the time, a threat actor tracked as Void Arachne/Silver Fox lured victims with offers of various software (VPNs, Google Chrome browser) modified for the Chinese market that bundled the malicious component.

A report today from cybersecurity company Fortinet indicates an evolution in the activity, with hackers now relying on games and game-related files in their continued targeting of Chinese users.

Malicious files infecting users with Winos4.0 (Source: Fortinet)

When the seemingly legitimate installers are executed, they download a DLL file from “ad59t82g[.]com” to initiate a multi-step infection process.

In the first stage, a DLL file (you.dll) downloads additional files, sets up the execution environment, and establishes persistence by adding entries in the Windows Registry.

In the second stage, injected shellcode loads the Windows APIs it needs, retrieves configuration data, and establishes a connection to the command-and-control (C2) server.

In the third phase, another DLL (上线模块.dll) retrieves extra encoded data from the C2 server, stores it in the registry under “HKEY_CURRENT_USER\Console\0”, and updates the C2 addresses.

Malware modules added to the Registry (Source: Fortinet)

In the last stage of the attack chain, the login module (登录模块.dll) is loaded, which performs the primary malicious actions:

  • Collects system and environment information (e.g., IP address, OS details, CPU).
  • Checks for anti-virus and monitoring software running on the host.
  • Gathers data on specific cryptocurrency wallet extensions used by the victim.
  • Maintains a persistent backdoor connection to the C2 server, allowing the attacker to issue commands and retrieve additional data.
  • Exfiltrates data after taking screenshots, monitoring for clipboard changes, and stealing documents.

Complete Winos4.0 attack chain (Source: Fortinet)
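The chain above leaves three host and network indicators that are named in this article: DNS lookups for the staging domain ad59t82g[.]com, image loads of the module DLLs (you.dll, 上线模块.dll, 登录模块.dll), and values written under HKEY_CURRENT_USER\Console\0. As an added example (not code from Fortinet, Trend Micro, or this article), the Python script below hunts for those three indicators in a DNS query log, an image-load log and a `reg export` of the Console key. The log line formats, timestamps, IP addresses, PIDs, file paths and registry value names are constructed for the example; the full IoC lists are in the vendor reports.

```python
"""Triage helper for the Winos4.0 indicators named in the article.

Added example, not the vendors' code. The three indicator sets come from
the article text; every log line and the .reg export are constructed so
the script runs offline.
"""
import re
from typing import Dict, List, Tuple

# Indicators taken from the article.
STAGING_DOMAIN = "ad59t82g.com"                       # written ad59t82g[.]com in the report
MODULE_NAMES = {n.lower() for n in ("you.dll", "上线模块.dll", "登录模块.dll")}
REGISTRY_PATH = r"HKEY_CURRENT_USER\Console\0"

# Constructed sample data (timestamps, hosts, PIDs and paths are invented).
SAMPLE_DNS_LOG = r"""2024-11-06T09:12:01Z client=10.0.0.21 query=update.microsoft.com type=A
2024-11-06T09:12:07Z client=10.0.0.21 query=ad59t82g.com type=A
2024-11-06T09:12:09Z client=10.0.0.33 query=cdn.example.net type=A
"""

# Sysmon-style image-load records (constructed; field layout is an assumption).
SAMPLE_IMAGE_LOADS = r"""pid=4120 image=C:\Windows\System32\kernel32.dll
pid=4120 image=C:\Users\Public\you.dll
pid=4120 image=C:\Users\Public\上线模块.dll
pid=5208 image=C:\Program Files\Game\engine.dll
"""

# Output of `reg export HKCU\Console console.reg` (constructed; value names
# "blob" and "text" are invented, the article does not name them).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Console]
"ColorTable00"=dword:000c0c0c

[HKEY_CURRENT_USER\Console\0]
"blob"=hex:8f,1a,c3,00,7e,22,b9,41,04,00,d5,6c,ff,ff,00,10,\
  b8,3d,00,00,91,00,07,00,40,00,2a,00,00,e1,00,00
"text"="203.0.113.10:443"
"""


def find_dns_hits(log_text: str) -> List[Tuple[str, str]]:
    """Return (timestamp, client) for each query to the staging domain or a subdomain."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"^(\S+)\s+client=(\S+)\s+query=(\S+)", line)
        if not m:
            continue
        ts, client, name = m.groups()
        name = name.lower().rstrip(".")
        if name == STAGING_DOMAIN or name.endswith("." + STAGING_DOMAIN):
            hits.append((ts, client))
    return hits


def find_module_loads(log_text: str) -> List[Tuple[int, str]]:
    """Return (pid, path) for image loads whose file name matches a Winos4.0 module."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"pid=(\d+)\s+image=(.+)$", line)
        if not m:
            continue
        pid, path = int(m.group(1)), m.group(2).strip()
        base = re.split(r"[\\/]", path)[-1].lower()   # last path component
        if base in MODULE_NAMES:
            hits.append((pid, path))
    return hits


def find_console_key_values(reg_text: str) -> Dict[str, int]:
    """Parse a .reg export and return {value_name: size} for every value stored
    under HKEY_CURRENT_USER\\Console\\0 (hex data counted in bytes, strings in
    characters). An empty dict means the key holds no values."""
    # A trailing backslash continues a hex value on the next (indented) line.
    joined = re.sub(r"\\\r?\n\s*", "", reg_text)
    current = None
    found: Dict[str, int] = {}
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current != REGISTRY_PATH or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = name.strip('"')
        if data.startswith("hex"):                     # hex:, hex(2):, hex(7): ...
            payload = data.split(":", 1)[1]
            size = len([b for b in payload.split(",") if b.strip()])
        elif data.startswith("dword:"):
            size = 4
        else:
            size = len(data.strip('"'))
        found[name] = size
    return found


def triage(dns_log: str, image_log: str, reg_export: str) -> Dict[str, object]:
    """Run all three checks and return the findings keyed by indicator type."""
    return {
        "dns": find_dns_hits(dns_log),
        "modules": find_module_loads(image_log),
        "registry": find_console_key_values(reg_export),
    }


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_DNS_LOG, SAMPLE_IMAGE_LOADS, SAMPLE_REG_EXPORT).items():
        print(f"{kind}: {hits}")
```

On a suspect host, export the key with `reg export HKCU\Console console.reg` and feed the file to `find_console_key_values`; the assumption behind that check is that legitimate software does not normally populate a `Console\0` subkey, so any value found there deserves a closer look. Domain matching covers subdomains and trailing dots, since resolver logs often record fully qualified names.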

Winos4.0 checks for a variety of security tools on the system, including Kaspersky, Avast, Avira, Symantec, Bitdefender, Dr.Web, Malwarebytes, McAfee, AhnLab, ESET, Panda Security, and the now discontinued Microsoft Security Essentials.

If it finds any of these processes, the malware concludes that it is running in a monitored environment and either adjusts its behavior accordingly or halts execution.

Hackers have now been using the Winos4.0 framework for several months, and the emergence of new campaigns indicates that its role in malicious operations has solidified.

Fortinet describes the framework as a powerful one that can be used to control compromised systems, with functionality similar to Cobalt Strike and Sliver. Indicators of compromise (IoCs) are available in the reports from Fortinet and Trend Micro.

Bill Toulas
