Cybersecurity researchers have uncovered a sophisticated malware campaign by the Void Arachne group, which targets Chinese-speaking users with malicious Windows Installer (MSI) files.
Void Arachne reaches its victims through SEO poisoning and popular messaging apps such as Telegram. According to a Trend Micro research blog, the group distributes malicious MSI files bundled with nudifier and deepfake pornography software, exploiting public interest in AI technologies.
These trojanized files masquerade as legitimate software installers, including language packs, VPN clients, and AI-powered applications.
Hackers Use Windows Installer (MSI) Files
The malicious MSI files, such as letvpn.msi, carry Dynamic Link Libraries (DLLs) that run during installation to set installer properties, create scheduled tasks, and configure the Windows firewall.
The MSI also registers scheduled tasks and adds firewall rules that allow both inbound and outbound traffic for the malware, so the implant keeps running and communicating without interruption.
| File Name | Size (bytes) | MD5 Hash | Parent Directory |
|---|---|---|---|
| 1 | 9996288 | D82362C15DDB7206010B8FCEC7F611C5 | C:\Users\%USERNAME%\ |
| 792258.vbs | 2405 | CD95B5408531DC5342180A1BECE74757 | C:\Users\%USERNAME%\ |
| LetsPRO.exe | 40960 | FE7AEDAB70A5A58EFB84E6CB988D67A4 | C:\Users\%USERNAME%\ |
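The persistence artifacts described above (Allow firewall rules in both directions for a program under a user profile, scheduled tasks that launch from the user profile or run a .vbs via wscript, and the dropped files themselves) can be hunted on a single host with the script below. It is an added triage example, not code from the Trend Micro report or from the malware; it assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later (NetSecurity and ScheduledTasks modules), and it uses only the MD5 values from the table above as its indicator list.

```powershell
# Added triage script (not from the Trend Micro report). Run elevated.
# Assumption: NetSecurity and ScheduledTasks modules are available (Win 8.1+/2012 R2+).

# MD5 hashes quoted in the article's IoC table; extend with your own indicators.
$KnownBadMd5 = @(
    'D82362C15DDB7206010B8FCEC7F611C5',   # "1"
    'CD95B5408531DC5342180A1BECE74757',   # 792258.vbs
    'FE7AEDAB70A5A58EFB84E6CB988D67A4'    # LetsPRO.exe
)

# The payload is dropped directly under C:\Users\<name>\; anything launched
# from a user profile by a firewall rule or scheduled task is worth a look.
$UserRoots = @("$env:SystemDrive\Users")

function Test-UserProfilePath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $clean = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    foreach ($root in $UserRoots) {
        if ($clean -like "$root\*") { return $true }   # -like is case-insensitive
    }
    return $false
}

# 1. Firewall: enabled Allow rules bound to a program under a user profile.
#    The campaign adds one Inbound and one Outbound rule, so a suspect program
#    normally appears twice here, once per direction.
$fwHits = foreach ($app in Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue) {
    if (Test-UserProfilePath $app.Program) {
        foreach ($rule in ($app | Get-NetFirewallRule -ErrorAction SilentlyContinue)) {
            if ($rule.Enabled -eq 'True' -and $rule.Action -eq 'Allow') {
                [pscustomobject]@{
                    Kind      = 'FirewallRule'
                    Name      = $rule.DisplayName
                    Direction = $rule.Direction
                    Program   = $app.Program
                }
            }
        }
    }
}

# 2. Scheduled tasks whose action runs from a user profile, or runs a script
#    host (the dropped 792258.vbs would be started through wscript/cscript).
$taskHits = foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $exe    = $action.Execute      # null for non-exec (COM handler) actions
        $argStr = $action.Arguments
        if ((Test-UserProfilePath $exe) -or (Test-UserProfilePath $argStr) -or
            ($exe -match '(?i)\b[wc]script(\.exe)?$')) {
            [pscustomobject]@{
                Kind      = 'ScheduledTask'
                Name      = "$($task.TaskPath)$($task.TaskName)"
                Execute   = $exe
                Arguments = $argStr
                RunAs     = $task.Principal.UserId
            }
        }
    }
}

# 3. Hash files sitting directly in each user's profile root and match the IoCs.
$hashHits = foreach ($root in $UserRoots) {
    Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        Get-ChildItem -Path $_.FullName -File -Force -ErrorAction SilentlyContinue
    } | ForEach-Object {
        $md5 = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        if ($md5 -and ($KnownBadMd5 -contains $md5)) {
            [pscustomobject]@{ Kind = 'IoCHash'; Name = $_.FullName; MD5 = $md5 }
        }
    }
}

@($fwHits) + @($taskHits) + @($hashHits) | Format-List
```

Treat a program that shows up in both a firewall hit (Inbound and Outbound) and a scheduled-task hit as a strong signal even if its hash is not in the list, since the operators can recompile the payload far more easily than they can change the installer's persistence pattern.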
Void Arachne has also promoted AI technologies for virtual kidnapping and sextortion schemes, advertising voice-altering and face-swapping AI applications through Telegram channels. The group distributes infected nudifier applications that generate nonconsensual deepfake pornography, material frequently used in sextortion operations.
Void Arachne utilizes several initial access vectors to distribute malware, including SEO poisoning and spear-phishing links. These links are hosted on attacker-controlled websites disguised as legitimate sites, ranking prominently on search engines. Additionally, the group distributes malicious MSI files via Chinese-language-themed Telegram channels, further expanding their potential infection surface.
| Plugin Name (Chinese) | Plugin Name (English) | SHA256 Hash |
|---|---|---|
| 删除360急速安全账号密码.dll | Delete 360 Speed Security Account Password.dll | 03669424bdf8241a7ef7f8982cc3d0cf56280a5804f042961f3c6a111252ffd3 |
| 提权-EnableDebugPrivilege.dll | Elevate Privileges-EnableDebugPrivilege.dll | 11a96c107b8d4254722a35ab9a4d25974819de1ce8aa212e12cae39354929d5f |
| 体积膨胀.dll | Volume Expansion.dll | 186bf42bf48dc74ef12e369ca533422ce30a85791b6732016de079192f4aac5f |
Recommendation
The widespread distribution of these malicious MSI files is a serious danger to both organizations and individuals: infection can lead to compromised systems, data breaches, and financial harm. Trend Micro offers extensive resources to help the community recognize, prevent, and respond to sextortion attacks. Victims should report incidents to the appropriate authorities, such as the Internet Crime Complaint Center (IC3).
Void Arachne's campaign underscores the increasing sophistication of cyber threats and the importance of robust cybersecurity measures. Individuals and organizations can defend against such campaigns by remaining vigilant and implementing comprehensive security practices.