Winos4.0 malware disguised as KakaoTalk installation file

ID: 292d4bb3-edaf-5736-a431-48979bcad58e

STIX ID: report--292d4bb3-edaf-5736-a431-48979bcad58e

Feed Name: ASEC

Threat Score
78/100

Date Published: 2026-03-15

Date Updated: 2026-05-13

Author: ATCP

ASEC observed an SEO-poisoning campaign that placed fake KakaoTalk download pages at the top of search results to distribute a malicious NSIS installer. The installer decrypts and drops Verifier.exe and AutoRecoverDat.dll; these components load shellcode (GPUCache.xml/GPUCache2.xml) that implants Winos4.0, whose capabilities include screen capture, information collection, file and process control, antivirus evasion, scheduled-task persistence, and remote in-memory execution. The report provides IOCs (multiple MD5 hashes, URLs, and the C2 IPs 119.28.70.225 and 192.238.129.47), a timeline (distribution began March 9), and technical indicators of the loader and payload behavior.