Winos RAT Malware
Chinese-language users have been targeted by a focused SEO-poisoning campaign that substitutes real software download pages with convincing fakes. Attackers pushed malicious installers through manipulated search rankings and near-identical domains, making it easy for victims to grab what looks like legitimate software but actually deploys remote-access malware.
HOW THE CAMPAIGN WORKS
The threat actors boosted spoofed pages in search results by abusing SEO plugins and registering lookalike domains that visually mimic legitimate vendors. They relied on subtle character swaps and fluent Chinese copy to fool people into clicking. Once a victim lands on a trojanized download page, the installation package contains both the expected application and a hidden malicious component. This blend makes detection by casual users unlikely.
TARGETS AND TIMELINE
In August 2025, researchers discovered that the campaign primarily lures users searching for popular productivity and communication tools. Examples of search targets used to bait victims include:
- DeepL Translate
- Google Chrome
- Signal
- Telegram
- WPS Office
MALWARE FAMILIES INVOLVED
The attacks led to the deployment of variants related to Gh0st RAT, notably HiddenGh0st and Winos (also known as ValleyRAT). Winos has been attributed to a cybercrime cluster tracked under many aliases — Silver Fox, SwimSnake, The Great Thief of Valley (Valley Thief), UTG-Q-1000, and Void Arachne — and is believed to have been active since at least 2022.
THE DELIVERY CHAIN: TECHNICAL BREAKDOWN
A small JavaScript file labeled nice.js orchestrates the multi-step delivery. The script repeatedly fetches JSON responses: an initial download link returns JSON containing a secondary link, that second link returns another JSON payload, which finally redirects to the malicious installer URL. This layered redirection both obfuscates the final payload location and complicates simple detection.
Inside the installer:
A malicious DLL named EnumW.dll performs a set of anti-analysis checks and then extracts a second DLL (vstdlib.dll). The extraction and behavior of vstdlib.dll are designed to inflate memory usage and slow analysis tooling, hampering automated or manual inspection.
The second DLL unpacks and launches the main payload only after probing the system for the presence of a specific antivirus product. If that AV component is detected, the malware uses TypeLib COM hijacking to establish persistence and eventually execute a Windows binary named insalivation.exe.
If the antivirus is absent, the malware instead creates a Windows shortcut that points to the same executable to achieve persistence.
FINAL PAYLOAD: SIDELOADING AIDE.dll
The ultimate aim is to sideload a DLL called AIDE.dll. Once active, AIDE.dll implements three primary operational capabilities:
- Command-and-Control (C2): encrypted communications with a remote server for instructions and data exchange.
- Heartbeat: periodic collection of system and victim information, including enumerating running processes and checking them against a hard-coded list of security products.
- Monitor: confirmation of persistence, user-activity tracking, and regular beaconing back to the C2.
ADDITIONAL CAPABILITIES AND PLUGINS
The C2 module supports remote commands to fetch extra plugins. Known capabilities include keylogging, clipboard capture, screen monitoring, and tools designed to hijack cryptocurrency wallets — specifically wallets holding Ethereum and Tether assets. Several plugins observed in these incidents appear to be reused components from the Winos framework and are capable of continuous screen surveillance.
WHY THE INFECTION IS HARD TO SPOT
Because the installer bundles the legitimate application alongside the malicious payload, a user downloading what looks like a trusted program may never notice anything amiss. The attackers weaponized even high-ranking search results, which increases the chance that well-intentioned users will install the compromised packages.
DEFENSE RECOMMENDATIONS
- Always verify domain names carefully before downloading software; look for subtle character substitutions and mismatched URLs.
- Prefer official vendor sites or verified app stores rather than downloads from search results.
- Use endpoint protection that inspects installer behavior (not just file signatures) and enable protection against DLL sideloading and COM hijacking.
- Monitor for unusual process memory usage and unexpected unpacking/extraction behavior from installer components.
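The persistence and sideloading steps described in the delivery chain (TypeLib COM hijacking, a Startup shortcut to the dropped binary, and the AIDE.dll sideload) can be expressed as host-telemetry checks. The script below is an added example written for this page, not code from the report or any vendor; it runs three heuristics over constructed Sysmon-style records, and the record shape, the trusted-directory list, the sample paths and the placeholder GUID are all assumptions.

```python
import re

# Constructed sample telemetry in a simplified Sysmon-like shape (assumed keys:
# "type", "image", "target", "value"). Paths and the GUID are made up for this
# example and are not indicators from the report.
SAMPLE_EVENTS = [
    {"type": "reg_set", "image": r"C:\Users\alice\Downloads\Telegram-setup.exe",
     "target": r"HKCU\Software\Classes\TypeLib\{PLACEHOLDER-GUID}\1.0\0\win64",
     "value": r"script:C:\Users\alice\AppData\Roaming\Tl\loader.sct"},
    {"type": "file_create", "image": r"C:\Users\alice\Downloads\Telegram-setup.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk",
     "value": r"C:\Users\alice\AppData\Roaming\Tl\insalivation.exe"},
    {"type": "image_load", "image": r"C:\Users\alice\AppData\Roaming\Tl\insalivation.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Tl\AIDE.dll", "value": ""},
    # Benign control: a system installer registering a type library under Program Files.
    {"type": "reg_set", "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKLM\Software\Classes\TypeLib\{PLACEHOLDER-GUID}\1.0\0\win64",
     "value": r"C:\Program Files\Vendor\app.tlb"},
]

# Heuristic boundaries (assumptions): anything outside these roots is user-writable.
TRUSTED_DIRS = re.compile(r"^[A-Z]:\\(Windows|Program Files( \(x86\))?)\\", re.I)
TYPELIB_KEY = re.compile(r"\\Software\\Classes\\TypeLib\\", re.I)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\.*\.lnk$", re.I)
SIDELOAD_DLLS = {"aide.dll"}  # DLL name given in the report

def untrusted(path):
    return bool(path) and not TRUSTED_DIRS.match(path)

def classify(ev):
    """Return the rule name an event matches, or None if it looks benign."""
    kind, target, value = ev["type"], ev["target"], ev["value"]
    if kind == "reg_set" and TYPELIB_KEY.search(target):
        # A TypeLib entry whose value is a script moniker or a user-writable file
        # is the registry shape of TypeLib COM hijacking.
        if value.lower().startswith("script:") or untrusted(value):
            return "typelib_hijack"
    if kind == "file_create" and STARTUP_LNK.search(target) and untrusted(value):
        return "startup_shortcut"  # .lnk in Startup pointing at a user-writable binary
    if kind == "image_load" and target.rsplit("\\", 1)[-1].lower() in SIDELOAD_DLLS \
            and untrusted(target):
        return "dll_sideload"  # named DLL loaded from outside trusted program roots
    return None

def scan(events):
    """Run every heuristic over a list of records; returns (index, rule) hits."""
    return [(i, rule) for i, ev in enumerate(events) if (rule := classify(ev))]

if __name__ == "__main__":
    for i, rule in scan(SAMPLE_EVENTS):
        print(f"{rule:17} {SAMPLE_EVENTS[i]['image']} -> {SAMPLE_EVENTS[i]['target']}")
```

The benign control record shows the trusted-path check suppressing a legitimate TypeLib registration; tune TRUSTED_DIRS to your own software baseline before deploying the rules.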
CONCLUSION
This campaign shows how attackers combine SEO manipulation, lookalike domains, multi-stage redirection, and sophisticated DLL-based evasion to push Gh0st-RAT–family malware to Chinese-speaking users. The mix of legitimate binaries and hidden payloads makes vigilance essential: verify sources, scrutinize domains, and use defenses that look at runtime behavior as well as file reputation.