Cybersecurity researchers warn that the Winos 4.0 command-and-control (C2) framework, derived from Gh0st RAT, is spreading via gaming-related apps like installation tools and optimization utilities, targeting Chinese-speaking users through black hat SEO and social media channels. Analysis by Fortinet reveals a multi-stage infection process that starts with a fake BMP file from a remote server, which decodes into a DLL, sets up an execution environment, and downloads additional payloads, including a binary named "Student Registration System" DLL, hinting at possible educational targets. Winos 4.0’s capabilities enable extensive system control, data theft, and backdoor access, similar to frameworks like Cobalt Strike. Meanwhile, AhnLab Security found a related campaign using fake gambling game sites to spread WrnRAT, allowing attackers to capture gameplay and exploit users financially.