Researchers at Trend Micro have uncovered a new cyber threat group they dubbed “Void Arachne,” which is targeting Chinese-speaking users with malicious Windows Installer (MSI) files, which contain legitimate software installers for AI and other popular software.
The group is leveraging compromised MSI files embedded with various applications, including nudifiers and deepfake pornography-generating software, as well as AI-based voice and facial technologies. The campaign uses SEO poisoning and disseminates malware via social media and messaging platforms.
Given the strict government controls in China, there is heightened public interest in VPN services to evade the Great Firewall and bypass online censorship. Void Arachne exploits this interest by distributing malicious MSI files that include legitimate software installers for AI tools, Chinese language packs, Google Chrome, and Chinese-marketed VPNs like LetsVPN and QuickVPN. These MSIs also install a backdoor, Winos 4.0, during the installation process.
Void Arachne uses multiple distribution vectors, such as SEO poisoning and the Telegram channels distributing malicious content.
The threat actors set up a web infrastructure to deploy spear-phishing links disguised as legitimate software installers. These links are optimized to rank high in search engine results, leading unsuspecting users to download the malicious files.
The campaign also utilizes Chinese-language-themed Telegram channels to distribute malicious MSI files and ZIP archives. These channels, some with tens of thousands of users, promote fake software tools and AI applications, including nonconsensual deepfake pornography and face-swapping software.
The malicious MSI files appear as genuine software installers to the victim but secretly install additional malware. During the installation process, the MSI files drop a loader that decrypts and executes a second-stage payload in memory. This payload launches a Visual Basic Script (VBS) to establish persistence and trigger further malicious activities. The malware installs a Winos backdoor during the installation process, which could lead to a full system compromise.
Written in C++, the backdoor facilitates various malicious actions, such as file management, distributed denial of service (DDoS) attacks, webcam control, screenshot capture, microphone recording, keylogging, and remote shell access.