New cyber threat “Void Arachne” targets Chinese users
Trend Micro researchers have identified a new cyber threat cluster named Void Arachne, targeting Chinese-speaking users.
The Void Arachne campaign uses malicious Windows Installer (MSI) files posing as VPN software to deliver a command-and-control (C&C) framework called Winos 4.0. The campaign also distributes compromised MSI files bundled with nudifiers and deepfake pornography-generating software that rely on AI voice and facial technologies.
The attackers use Search Engine Optimization (SEO) poisoning tactics, social media, and messaging platforms to distribute malware. They advertise popular software, such as Google Chrome, LetsVPN, QuickVPN, and a Telegram language pack for Simplified Chinese, to spread Winos. Backdoored installers are propagated on Chinese-themed Telegram channels, using links surfaced via black hat SEO tactics to point to dedicated infrastructure set up by the adversary.
The campaign’s MSI installers and ZIP archives, hosted on messaging platforms, present a significant attack surface: they modify firewall rules and drop a loader that decrypts and executes a second-stage payload. That payload launches a Visual Basic Script (VBS) to establish persistence and deliver the Winos 4.0 C&C framework, which then communicates with a remote server.
Winos 4.0, written in C++, is capable of file management, distributed denial of service (DDoS) attacks, disk searches, webcam control, screenshot capture, microphone recording, keylogging, and remote shell access. It features a plugin-based system with 23 components, compiled for both 32- and 64-bit variants, and can be augmented with external plugins.

The core component of Winos also detects security software common in China and acts as the main orchestrator, loading plugins, clearing system logs, and downloading additional payloads. This campaign exploits the heightened public interest in VPN services and software to bypass the Great Firewall of China.
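The infection chain described above (an MSI installer whose process tree changes firewall rules and launches a VBS script) and the log clearing mentioned here are both observable in endpoint process-creation telemetry. The following detection sketch is an added example written for this article, not Trend Micro's code or any published Void Arachne signature. It correlates constructed Sysmon-style Event ID 1 records (field names mirror Sysmon; the events themselves are invented) by process tree: for each msiexec.exe root it collects descendants within a time window and flags the tree when both a `netsh advfirewall firewall` rule change and a wscript/cscript launch of a `.vbs` file appear. The `wevtutil cl` pattern used for log clearing is an assumption about how logs might be cleared, since the article does not say which method Winos uses.

```python
"""Correlate constructed Sysmon-style process-creation events into the
installer-chain pattern: an MSI install whose descendants change firewall
rules and launch a VBS script. Log clearing is reported separately."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Fields mirror Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-06-20 08:00:01", "ProcessGuid": "{A1}", "ParentProcessGuid": "{00}",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i ExampleVPN_setup.msi /qn"},
    {"UtcTime": "2024-06-20 08:00:04", "ProcessGuid": "{A2}", "ParentProcessGuid": "{A1}",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="Updater" dir=in action=allow program="C:\ProgramData\upd.exe"'},
    {"UtcTime": "2024-06-20 08:00:09", "ProcessGuid": "{A3}", "ParentProcessGuid": "{A1}",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\ProgramData\run.vbs"},
    {"UtcTime": "2024-06-20 08:01:30", "ProcessGuid": "{A4}", "ParentProcessGuid": "{A1}",
     "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": r"wevtutil.exe cl Security"},
    # Benign install: the MSI only runs the application it installed.
    {"UtcTime": "2024-06-20 09:15:00", "ProcessGuid": "{B1}", "ParentProcessGuid": "{00}",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i ExampleEditor.msi"},
    {"UtcTime": "2024-06-20 09:15:03", "ProcessGuid": "{B2}", "ParentProcessGuid": "{B1}",
     "Image": r"C:\Program Files\ExampleEditor\editor.exe",
     "CommandLine": r"editor.exe --postinstall"},
]

# Command-line patterns for the three behaviours the article describes.
FIREWALL_RE = re.compile(r"netsh(?:\.exe)?\s+advfirewall\s+firewall\s+(?:add|set|delete)\s+rule", re.I)
VBS_RE = re.compile(r"\b(?:wscript|cscript)(?:\.exe)?\b.*\.vbs\b", re.I)
LOGCLEAR_RE = re.compile(r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)  # assumed clearing method


def classify(event):
    """Return the set of behaviour tags a single event matches (may be empty)."""
    cmd = event["CommandLine"]
    tags = set()
    if FIREWALL_RE.search(cmd):
        tags.add("firewall_rule")
    if VBS_RE.search(cmd):
        tags.add("vbs_script")
    if LOGCLEAR_RE.search(cmd):
        tags.add("log_clear")
    return tags


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def descendants(root_guid, children):
    """Walk the process tree below root_guid (any depth, not just direct children)."""
    out, stack = [], [root_guid]
    while stack:
        guid = stack.pop()
        for ev in children.get(guid, []):
            out.append(ev)
            stack.append(ev["ProcessGuid"])
    return out


def find_installer_chains(events, window_minutes=10):
    """Flag msiexec.exe trees whose descendants both alter firewall rules and run a VBS."""
    children = defaultdict(list)
    for ev in events:
        children[ev["ParentProcessGuid"]].append(ev)
    findings = []
    for root in events:
        if not root["Image"].lower().endswith("\\msiexec.exe"):
            continue
        start = parse_time(root["UtcTime"])
        deadline = start + timedelta(minutes=window_minutes)
        tags, evidence = set(), []
        for ev in descendants(root["ProcessGuid"], children):
            if not (start <= parse_time(ev["UtcTime"]) <= deadline):
                continue  # outside the correlation window
            hit = classify(ev)
            if hit:
                tags |= hit
                evidence.append(ev["CommandLine"])
        if {"firewall_rule", "vbs_script"} <= tags:
            findings.append({"root": root["ProcessGuid"], "installer": root["CommandLine"],
                             "tags": sorted(tags), "evidence": evidence})
    return findings


def find_log_clearing(events):
    """Log clearing is suspicious on its own, so report it regardless of the tree."""
    return [ev for ev in events if "log_clear" in classify(ev)]


if __name__ == "__main__":
    for f in find_installer_chains(SAMPLE_EVENTS):
        print("suspicious installer chain:", f)
    for ev in find_log_clearing(SAMPLE_EVENTS):
        print("event log cleared by:", ev["CommandLine"])
```

Correlating by process tree rather than by individual command line is what keeps the benign install out of the results: a lone `netsh` rule change by an installer is common, but the same tree also launching a script host for persistence is the combination worth a closer look. On a real host the same logic applies to Sysmon Event ID 1 records exported from the event log, and the Security log's own event 1102 is an independent signal for log clearing.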