NSIS Abuse and sRDI Shellcode: Anatomy of the Winos 4.0 Campaign

NetmanageIT OpenCTI - opencti.netmanageit.com


SUMMARY:

A malware campaign tracked throughout 2025 uses fake software installers to deliver Winos v4.0, a memory-resident malware. The campaign, dubbed Catena, relies on trojanized NSIS installers, shellcode reflective DLL injection (sRDI), and INI files that carry embedded shellcode, so that payloads are staged entirely in memory to evade detection. The implants connect to attacker-controlled servers, most of them hosted in Hong Kong. The operation appears focused on Chinese-speaking environments and shows signs of long-term planning by a capable threat group. The infection chain runs through several stages: the initial NSIS installer, a first-stage loader, and a second-stage payload that ultimately delivers the Winos v4.0 stager. Over the course of the year the campaign has adapted its tactics to avoid detection while keeping its core infrastructure and execution logic unchanged.
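A practical triage check that follows from the summary: because the loader hides its shellcode in INI files, a defender can scan the INI files an installer drops for values, or stray lines that no INI parser would interpret, that are too long and too binary to be configuration text. The script below is an added example, not code from the report or from the Catena loader; the thresholds and the two sample INI files are constructed assumptions for illustration.

```python
import math
import re
from typing import Dict, List

# Thresholds are assumptions for this example, not values taken from the report.
MIN_BLOB_LEN = 64          # ignore short values such as paths and flags
ENTROPY_THRESHOLD = 7.0    # bits per byte; text and base64 stay at or below 6
PRINTABLE_MIN_RATIO = 0.9  # configuration text is almost entirely printable

# Constructed samples: a benign installer INI and one carrying a binary blob.
BENIGN_INI = (
    b"[Settings]\nLanguage=en-US\n"
    b"InstallDir=C:\\Program Files\\Example Application\\bin\\x64\\release\n"
    b"Description=" + b"A" * 100 + b"\n"
)
# The blob avoids newline, carriage return and '=' so it stays on one line.
BLOB = bytes(b for b in range(256) if b not in (10, 13, 61)) * 2
SUSPICIOUS_INI = (
    b"[Config]\nKey=value\n[Data]\n"
    b"blob=" + BLOB + b"\n"   # shellcode stored as an INI value
    + BLOB + b"\n"            # shellcode appended as a line parsers skip
)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/newline."""
    if not data:
        return 1.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def scan_ini(data: bytes) -> List[Dict]:
    """Return findings for INI values or stray lines that look like a binary payload."""
    findings = []
    section = "<none>"
    for lineno, raw in enumerate(re.split(rb"\r?\n", data), start=1):
        line = raw.strip()
        if not line or line[:1] in (b";", b"#"):
            continue
        m = re.fullmatch(rb"\[([^\]]+)\]", line)
        if m:
            section = m.group(1).decode("latin-1")
            continue
        if b"=" in line:
            key, value = line.split(b"=", 1)
            where = f"{section}/{key.strip().decode('latin-1')}"
        else:
            # INI parsers ignore lines they cannot interpret, so a blob appended
            # to the file survives parsing untouched; treat such lines as values.
            value = line
            where = f"{section}/<stray line {lineno}>"
        if len(value) < MIN_BLOB_LEN:
            continue
        ent = shannon_entropy(value)
        ratio = printable_ratio(value)
        if ent >= ENTROPY_THRESHOLD or ratio < PRINTABLE_MIN_RATIO:
            findings.append({
                "where": where,
                "length": len(value),
                "entropy": round(ent, 2),
                "printable_ratio": round(ratio, 2),
            })
    return findings


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_INI), ("suspicious", SUSPICIOUS_INI)):
        print(name, scan_ini(sample))
```

The printable-ratio test is the one that matters in practice: raw x86/x64 shellcode is not uniformly distributed, so its entropy can sit well below 7 bits per byte, but it is full of bytes that never appear in genuine configuration text. Run the check over every .ini the installer writes, not only the ones the installer script references by name.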

OPENCTI LABELS:

nsis,winos,chinese-speaking targets,memory-resident malware,winos v4.0,catena loader,reflective dll injection,trojanized installers,srdi

