Winos4.0 “Online Module” Staging Component Used in
CleverSoar Campaign
By eSentire Threat Response Unit (TRU)
Archived: 2026-04-05 20:19:26 UTC
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters
and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the
Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced
Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We
outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
What did we find?
In late November 2024, the eSentire Threat Response Unit (TRU) identified an ongoing campaign involving a
new and highly evasive malware installer dubbed “CleverSoar” by Rapid7 Labs. CleverSoar has been found
targeting primarily Chinese and Vietnamese-speaking users via malicious installer packages distributed through
poisoned web search results. The installer package deploys the advanced post-exploitation toolkit Winos4.0
framework and the Nidhogg rootkit.
As previously reported by Rapid7 Labs, a custom backdoor was identified, however we have found this is in fact a
staging component of the Winos4.0 framework named “上线模块” which translates to “Online Module”.
Re-engineered from Gh0strat, Winos4.0 framework integrates several modular components and has become an
increasingly prevalent threat targeting Windows users. The control panel for Winos4.0 features a vast amount of
functionality, enabled by numerous plugins and can be seen in Figure 1 below.
https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign
Page 1 of 11

Figure 1 - Winos4.0 control panel
Upon execution, the Winos4.0 stager parses a hard-coded configuration that is slightly obfuscated (reversed). Each
configuration value is delimited by the “|” character (Figure 2).
Figure 2 - Stager config
The following table lists the configuration values that were identified in our analysis.
Key Value Description
p1 ti[.]twilight[.]zip First C2 address
o1 8000 First C2 port
t1 0 (UDP) First C2 communication protocol
p2 ti[.]twilight[.]zip Second C2 address
o2 8000 Second C2 port
https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign
Page 2 of 11

t2 0 (UDP) Second C2 communication protocol
p3 127.0.0.1 Third C2 address
o3 80 Third C2 port
t3 1 (TCP) Third C2 communication protocol
dd 1 Execution delay in seconds
cl 1 C2 communication interval in seconds
fz 默认 “default” Group ID
bb 1.0 Version
bz 2024.11.18 Comment (Generation date)
jp 1 Keylogger
bh 0 End bluescreen
ll 0 Anti-traffic Monitoring
dl 0 Entrypoint
sh 0 Process Daemon
kl 0 Process Hollowing
https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign
Page 3 of 11

bd 1 Unknown
If the registry value “HKEY_CURRENT_USER\Console\IpDate” is present, it is parsed and used rather than the
hard-coded configuration described above (Figure 3).
Figure 3 - Update config if in registry
The stager then resolves the main C2 domain (p1) via the Windows API gethostname() and connects to the
resolved address over UDP port 8000 using sockets. It is worth noting that TCP is also supported by the stager and
packets look very similar.
Additionally, if after so many attempts communication fails with the main C2 server, the second and third servers
are tried.
https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign
Page 4 of 11

Figure 4 - Resolve C2 and connect
After the C2 is resolved and a connection is established over the port specified in the config (8000), the send
function transmits the encryption key to the C2. This encryption key secures communications between the threat
actor server and victim machine (Figure 4).
The first four bytes of the encryption key stream stem from a call to the Windows API timeGetTime(). The
remaining bytes are hard-coded and vary between samples.
Figure 5 - Exchange encryption key with C2
The algorithm used to encrypt/decrypt communication can be seen below in Figure 6, where each byte of the
encryption key is transformed by a modulus with 0x1C8 and 0x36 is added to the resulting byte, then the byte is
XOR’d with each byte of the request or response to encrypt/decrypt.
Figure 6 - Encryption/decryption algorithm
The following python code can be utilized to encrypt and decrypt communications with the C2 (sample response
data and encryption key are included). Associated python code is available for download here.
https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign
Page 5 of 11

The next packet sent from the C2 to the stager is an MD5 of the final stage (Login Module).
Figure 7 - C2 response containing Login Module MD5
Upon decoding the encrypted data using the python script, we can see the MD5
“c9cb53ecfed9c0deec10651b37c64103” of the Login Module is returned in the buffer (wide string formatted).
Figure 8 - Decrypted MD5 from C2
Next, the stager sends a request to the C2 to retrieve the Login Module “登录模块.dll”. The response has been
decrypted and is shown below:
https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign
Page 6 of 11

Figure 9 – Request Login Module
After receiving it, the stager deletes the registry key/value HKEY_LOCAL_MACHINE\Software\IpDates_info
via the Windows API RegDeleteW() prior to executing the Login Module. Note, this fails in the event the stager is
running without elevated privileges. The registry value is then updated with the latest configuration information,
including C2 addresses/ports, version, comment, etc.
The Login Module’s entrypoint is then called as shown in the last line of the following figure. Although not
configured to do so in this instance, the stager also supports executing the Login Module via the Process
Hollowing technique [T1055.012] against the legitimate Windows system binary,
“C:\Windows\System32\tracerpt.exe”.
Figure 10 - Delete/replace config and execute Login Module
https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign
Page 7 of 11

Figure 11 - Process hollowing support in stager
The following table contains a list of all of the registry keys used by the stager and their associated purpose.
Registry Key\Value Description
HKEY_CURRENT_USER\Console\IpDate
Config storage, used in place
of hard-coded config
HKEY_CURRENT_USER\Software\IpDates_info Config storage for final stage
HKEY_CURRENT_USER\Console\0\d33f351a4aeea5e608853d1a56661059
Storage for Login module
(32-bit)
HKEY_CURRENT_USER\Console\1\d33f351a4aeea5e608853d1a56661059
Storage for Login module
(64-bit)
What did we do?
Our team of 24/7 SOC Cyber Analysts isolated the affected host to contain the infection.
https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign
Page 8 of 11

We communicated what happened with the customer and helped them with remediation efforts.
What can you learn from this TRU Positive?
The CleverSoar campaign is a sophisticated threat targeting Chinese and Vietnamese speaking users that is
primarily distributed via driver assistant and game optimization applications in web search results.
Across the threat landscape, MSI installers have become increasingly prevalent for initial access,
highlighting the need to monitor these file types more closely.
Recommendations from the Threat Response Unit (TRU):
Ensure your organization has a corporate policy for acceptable use of corporate devices which prohibits the
use of any unauthorized third-party software.
Use a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) solution to detect and contain
threats.
Implement a Phishing and Security Awareness Training (PSAT) program that educates and informs your
employees on SEO Poisoning attacks [T1608.006].
Indicators of Compromise
You can access the Indicators of Compromise here.
To learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next
Level MDR, connect with an eSentire Security Specialist now.
https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign
Page 9 of 11

GET STARTED
ABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your
organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7
Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and
works as an extension of your security team to continuously improve our Managed Detection and Response
service. By providing complete visibility across your attack surface and performing global threat sweeps and
proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending
your organization against known and unknown threats.
https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign
Page 10 of 11

Source: https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign
https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign
Page 11 of 11