Chinese-speaking gamers are at risk from a new malicious campaign that uses a dangerous framework known as Winos4.0. The cybercriminals behind this scheme are distributing the malware through popular platforms such as social media and messaging apps, in campaigns tracked under names like Silver Fox and Void Arachne.
According to security researchers, these campaigns use deceptive installation tools, speed boosters, and optimisation utilities designed for gaming applications to trick users into downloading malicious software.
The Winos4.0 framework is a sophisticated, modular tool that has been rebuilt from the Gh0st RAT malware and adapted for a wide range of malicious tasks. This latest version gives attackers comprehensive functionality and a stable architecture for controlling many online endpoints at once, making it well suited to orchestrating targeted attacks. Once deployed, the framework lets cybercriminals manage and manipulate infected devices, creating significant risks for users.
Several studies have shown that the Winos4.0 campaign specifically targets Chinese-speaking users.
The attackers are using a combination of search engine optimisation (SEO), social media engagement, and popular messaging platforms like Telegram to maximise the reach and effectiveness of their campaigns. The malware’s deployment process involves distributing links and downloads that appear credible but contain malicious payloads hidden within game-related utilities.
The infection process begins as soon as a user installs one of these compromised applications. Once launched, the application retrieves a fake BMP file from a malicious server (identified as ad59t82g[.]com), from which a DLL file is extracted. This DLL is responsible for setting up the malware’s execution environment on the victim’s device, ensuring that the framework can establish a connection back to the attacker’s command-and-control (C2) server.
Through C2 communication and encrypted data transfers, the Winos4.0 framework is able to complete the injection of its malicious payload, granting cybercriminals extensive access to the compromised system. By embedding itself within game-related applications, the malware capitalises on gamers’ trust in popular tools, luring them into downloading it without a second thought. Once installed, the malware provides attackers with deep control over the victim’s device, raising the potential for a wide array of malicious activities.
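The chain above hinges on a file that claims to be a BMP image but actually carries a DLL. A defender can catch that mismatch at the proxy or in a sandbox by validating the BMP header and looking for an embedded PE image. The script below is an added example written for this article, not code from the researchers or from the campaign; the check is a generic heuristic, and the two sample files are constructed here rather than taken from the real payload.

```python
import struct

BMP_MAGIC = b"BM"
MZ_MAGIC = b"MZ"


def inspect_bmp(data: bytes) -> list[str]:
    """Return findings for a file that claims to be a BMP (empty list = looks genuine)."""
    findings = []
    if len(data) < 14:
        return ["too short to hold a BMP file header"]
    if data[:2] != BMP_MAGIC:
        findings.append("missing 'BM' signature")
    else:
        # BITMAPFILEHEADER: 'BM', bfSize (u32), two reserved u16, bfOffBits (u32)
        declared_size = struct.unpack_from("<I", data, 2)[0]
        pixel_offset = struct.unpack_from("<I", data, 10)[0]
        if declared_size != len(data):
            findings.append(f"declared size {declared_size} != actual size {len(data)}")
        if pixel_offset > len(data):
            findings.append(f"pixel data offset {pixel_offset} lies beyond end of file")
    # Scan for an embedded PE image: 'MZ' whose e_lfanew (offset 0x3C) points at 'PE\0\0'
    pos = data.find(MZ_MAGIC)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if data[pe_off:pe_off + 4] == b"PE\0\0":
                findings.append(f"embedded PE image at offset {pos}")
                break
        pos = data.find(MZ_MAGIC, pos + 1)
    return findings


# Constructed sample 1: a genuine 1x1 24-bit BMP (54-byte headers + one padded pixel row)
_INFO_HEADER = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, 4, 2835, 2835, 0, 0)
_PIXELS = b"\xff\x00\x00\x00"
VALID_BMP = b"BM" + struct.pack("<IHHI", 58, 0, 0, 54) + _INFO_HEADER + _PIXELS

# Constructed sample 2: same headers, but a minimal PE stub is appended instead of pixels
_PE_STUB = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 16
FAKE_BMP = b"BM" + struct.pack("<IHHI", 58, 0, 0, 54) + _INFO_HEADER + _PE_STUB

if __name__ == "__main__":
    for name, blob in (("valid", VALID_BMP), ("fake", FAKE_BMP)):
        print(name, inspect_bmp(blob) or ["no findings"])
```

Only the second sample produces findings, because its declared size no longer matches the file and a PE signature is reachable from the appended MZ header.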
Cybersecurity experts are urging gamers to exercise caution when downloading applications, particularly those related to gaming enhancements. Users must install software from reliable sources and stay away from suspicious downloads or links in order to protect themselves against such dangers.
The Winos4.0 campaign is an example of the dangers associated with unofficial or unverified downloads, especially within frequently targeted user groups such as gamers. As cyber threats evolve, vigilance and cautious downloading practices remain crucial in the fight against malware and other online attacks.