Hackers Use Fake VPN and Browser NSIS Installers to

The campaign was first detected by Rapid7 in February 2025. It involves the use of a multi-stage, memory-resident loader called Catena. Catena uses embedded shellcode and configuration switching logic to stage.