{
	"id": "6e14a9fe-44b1-4707-983e-39a1b3947b67",
	"created_at": "2026-04-06T00:19:38.060764Z",
	"updated_at": "2026-04-10T03:21:33.032429Z",
	"deleted_at": null,
	"sha1_hash": "feab389360a6ae9be7cf70a1f266ba4182f5ebc3",
	"title": "Winos4.0 “Online Module” Staging Component Used in CleverSoar Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 784828,
	"plain_text": "Winos4.0 “Online Module” Staging Component Used in\r\nCleverSoar Campaign\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-05 20:19:26 UTC\r\nAdversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters\r\nand Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.\r\nWe have discovered some of the most dangerous threats and nation state attacks in our space – including the\r\nKaseya MSP breach and the more_eggs malware.\r\nOur Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced\r\nThreat Analytics driven by our Threat Response Unit – the TRU team.\r\nIn TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We\r\noutline how we responded to the confirmed threat and what recommendations we have going forward.\r\nHere’s the latest from our TRU Team…\r\nWhat did we find?\r\nIn late November 2024, the eSentire Threat Response Unit (TRU) identified an ongoing campaign involving a\r\nnew and highly evasive malware installer dubbed “CleverSoar” by Rapid7 Labs. CleverSoar has been found\r\ntargeting primarily Chinese and Vietnamese-speaking users via malicious installer packages distributed through\r\npoisoned web search results. The installer package deploys the advanced post-exploitation toolkit Winos4.0\r\nframework and the Nidhogg rootkit.\r\nAs previously reported by Rapid7 Labs, a custom backdoor was identified, however we have found this is in fact a\r\nstaging component of the Winos4.0 framework named “上线模块” which translates to “Online Module”.\r\nRe-engineered from Gh0strat, Winos4.0 framework integrates several modular components and has become an\r\nincreasingly prevalent threat targeting Windows users. The control panel for Winos4.0 features a vast amount of\r\nfunctionality, enabled by numerous plugins and can be seen in Figure 1 below.\r\nhttps://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign\r\nPage 1 of 11\n\nFigure 1 - Winos4.0 control panel\r\nUpon execution, the Winos4.0 stager parses a hard-coded configuration that is slightly obfuscated (reversed). Each\r\nconfiguration value is delimited by the “|” character (Figure 2).\r\nFigure 2 - Stager config\r\nThe following table lists the configuration values that were identified in our analysis.\r\nKey Value Description\r\np1 ti[.]twilight[.]zip First C2 address\r\no1 8000 First C2 port\r\nt1 0 (UDP) First C2 communication protocol\r\np2 ti[.]twilight[.]zip Second C2 address\r\no2 8000 Second C2 port\r\nhttps://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign\r\nPage 2 of 11\n\nt2 0 (UDP) Second C2 communication protocol\r\np3 127.0.0.1 Third C2 address\r\no3 80 Third C2 port\r\nt3 1 (TCP) Third C2 communication protocol\r\ndd 1 Execution delay in seconds\r\ncl 1 C2 communication interval in seconds\r\nfz 默认 “default” Group ID\r\nbb 1.0 Version\r\nbz 2024.11.18 Comment (Generation date)\r\njp 1 Keylogger\r\nbh 0 End bluescreen\r\nll 0 Anti-traffic Monitoring\r\ndl 0 Entrypoint\r\nsh 0 Process Daemon\r\nkl 0 Process Hollowing\r\nhttps://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign\r\nPage 3 of 11\n\nbd 1 Unknown\r\nIf the registry value “HKEY_CURRENT_USER\\Console\\IpDate” is present, it is parsed and used rather than the\r\nhard-coded configuration described above (Figure 3).\r\nFigure 3 - Update config if in registry\r\nThe stager then resolves the main C2 domain (p1) via the Windows API gethostname() and connects to the\r\nresolved address over UDP port 8000 using sockets. It is worth noting that TCP is also supported by the stager and\r\npackets look very similar.\r\nAdditionally, if after so many attempts communication fails with the main C2 server, the second and third servers\r\nare tried.\r\nhttps://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign\r\nPage 4 of 11\n\nFigure 4 - Resolve C2 and connect\r\nAfter the C2 is resolved and a connection is established over the port specified in the config (8000), the send\r\nfunction transmits the encryption key to the C2. This encryption key secures communications between the threat\r\nactor server and victim machine (Figure 4).\r\nThe first four bytes of the encryption key stream stem from a call to the Windows API timeGetTime(). The\r\nremaining bytes are hard-coded and vary between samples.\r\nFigure 5 - Exchange encryption key with C2\r\nThe algorithm used to encrypt/decrypt communication can be seen below in Figure 6, where each byte of the\r\nencryption key is transformed by a modulus with 0x1C8 and 0x36 is added to the resulting byte, then the byte is\r\nXOR’d with each byte of the request or response to encrypt/decrypt.\r\nFigure 6 - Encryption/decryption algorithm\r\nThe following python code can be utilized to encrypt and decrypt communications with the C2 (sample response\r\ndata and encryption key are included). Associated python code is available for download here.\r\nhttps://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign\r\nPage 5 of 11\n\nThe next packet sent from the C2 to the stager is an MD5 of the final stage (Login Module).\r\nFigure 7 - C2 response containing Login Module MD5\r\nUpon decoding the encrypted data using the python script, we can see the MD5\r\n“c9cb53ecfed9c0deec10651b37c64103” of the Login Module is returned in the buffer (wide string formatted).\r\nFigure 8 - Decrypted MD5 from C2\r\nNext, the stager sends a request to the C2 to retrieve the Login Module “登录模块.dll”. The response has been\r\ndecrypted and is shown below:\r\nhttps://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign\r\nPage 6 of 11\n\nFigure 9 – Request Login Module\r\nAfter receiving it, the stager deletes the registry key/value HKEY_LOCAL_MACHINE\\Software\\IpDates_info\r\nvia the Windows API RegDeleteW() prior to executing the Login Module. Note, this fails in the event the stager is\r\nrunning without elevated privileges. The registry value is then updated with the latest configuration information,\r\nincluding C2 addresses/ports, version, comment, etc.\r\nThe Login Module’s entrypoint is then called as shown in the last line of the following figure. Although not\r\nconfigured to do so in this instance, the stager also supports executing the Login Module via the Process\r\nHollowing technique [T1055.012] against the legitimate Windows system binary,\r\n“C:\\Windows\\System32\\tracerpt.exe”.\r\nFigure 10 - Delete/replace config and execute Login Module\r\nhttps://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign\r\nPage 7 of 11\n\nFigure 11 - Process hollowing support in stager\r\nThe following table contains a list of all of the registry keys used by the stager and their associated purpose.\r\nRegistry Key\\Value Description\r\nHKEY_CURRENT_USER\\Console\\IpDate\r\nConfig storage, used in place\r\nof hard-coded config\r\nHKEY_CURRENT_USER\\Software\\IpDates_info Config storage for final stage\r\nHKEY_CURRENT_USER\\Console\\0\\d33f351a4aeea5e608853d1a56661059\r\nStorage for Login module\r\n(32-bit)\r\nHKEY_CURRENT_USER\\Console\\1\\d33f351a4aeea5e608853d1a56661059\r\nStorage for Login module\r\n(64-bit)\r\nWhat did we do?\r\nOur team of 24/7 SOC Cyber Analysts isolated the affected host to contain the infection.\r\nhttps://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign\r\nPage 8 of 11\n\nWe communicated what happened with the customer and helped them with remediation efforts.\r\nWhat can you learn from this TRU Positive?\r\nThe CleverSoar campaign is a sophisticated threat targeting Chinese and Vietnamese speaking users that is\r\nprimarily distributed via driver assistant and game optimization applications in web search results.\r\nAcross the threat landscape, MSI installers have become increasingly prevalent for initial access,\r\nhighlighting the need to monitor these file types more closely.\r\nRecommendations from the Threat Response Unit (TRU):\r\nEnsure your organization has a corporate policy for acceptable use of corporate devices which prohibits the\r\nuse of any unauthorized third-party software.\r\nUse a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) solution to detect and contain\r\nthreats.\r\nImplement a Phishing and Security Awareness Training (PSAT) program that educates and informs your\r\nemployees on SEO Poisoning attacks [T1608.006].\r\nIndicators of Compromise\r\nYou can access the Indicators of Compromise here.\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next\r\nLevel MDR, connect with an eSentire Security Specialist now.\r\nhttps://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign\r\nPage 9 of 11\n\nGET STARTED\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your\r\norganization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7\r\nSecurity Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and\r\nworks as an extension of your security team to continuously improve our Managed Detection and Response\r\nservice. By providing complete visibility across your attack surface and performing global threat sweeps and\r\nproactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending\r\nyour organization against known and unknown threats.\r\nhttps://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign\r\nPage 10 of 11\n\nSource: https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign\r\nhttps://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign\r\nPage 11 of 11",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign"
	],
	"report_names": [
		"winos4-0-online-module-staging-component-used-in-cleversoar-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775434778,
	"ts_updated_at": 1775791293,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/feab389360a6ae9be7cf70a1f266ba4182f5ebc3.pdf",
		"text": "https://archive.orkl.eu/feab389360a6ae9be7cf70a1f266ba4182f5ebc3.txt",
		"img": "https://archive.orkl.eu/feab389360a6ae9be7cf70a1f266ba4182f5ebc3.jpg"
	}
}