Hackers Use Windows Installer (MSI) Files to Spread Malware

Home/Internet Security, malicious cyber actors, Malware, Security Advisory, Security Update/Hackers Use Windows Installer (MSI) Files to Spread Malware

Hackers Use Windows Installer (MSI) Files to Spread Malware

Cybersecurity researchers have uncovered a sophisticated malware campaign by the Void Arachne group, targeting Chinese-speaking users with malicious Windows Installer (MSI) files.

Void Arachne targets Chinese-speaking users using SEO poisoning and popular messaging apps like Telegram. According to TrendMicro blogs, the group distributes malicious MSI files containing nudifiers and deepfake pornography software, exploiting public interest in AI technologies.

These compromised files masquerade as legitimate software installers, including language packs, VPNs, and AI-powered applications.

Hackers Use Windows Installer (MSI) Files

The malicious MSI files, like letvpn.msi, utilize Dynamic Link Libraries (DLLs) during installation for tasks such as property management, task scheduling, and firewall configuration.

The MSI file also establishes scheduled tasks and configures firewall rules to whitelist both inbound and outbound traffic related to the malware, ensuring persistent and uninterrupted operation.

File NameSizeMD5 HashParent Directory

Void Arachne has also advocated AI technologies for virtual kidnapping and sextortion schemes, promoting voice-altering and face-swapping AI applications through Telegram channels. The group distributes infected modifier applications that generate nonconsensual deepfake pornography, frequently utilized in sextortion operations.

Void Arachne utilizes several initial access vectors to distribute malware, including SEO poisoning and spear-phishing links. These links are hosted on attacker-controlled websites disguised as legitimate sites, ranking prominently on search engines. Additionally, the group distributes malicious MSI files via Chinese-language-themed Telegram channels, further expanding their potential infection surface.

Plugin Name in ChinesePlugin Name in EnglishSHA256 Hash
删除360急速安全账号密码.dllDelete 360 Speed Security Account Password.dll03669424bdf8241a7ef7f8982cc3d0cf56280a5804f042961f3c6a111252ffd3
提权-EnableDebugPrivilege.dllElevate Privileges-EnableDebugPrivilege.dll11a96c107b8d4254722a35ab9a4d25974819de1ce8aa212e12cae39354929d5f
体积膨胀.dllVolume Expansion.dll186bf42bf48dc74ef12e369ca533422ce30a85791b6732016de079192f4aac5f


The widespread distribution of these malicious MSI files represents a serious danger to both organizations and individuals. Malware infections can result in compromised systems, data breaches, and financial harm. Trend Micro offers extensive resources to educate the community on recognizing, preventing, and responding to sextortion attacks. It is crucial for victims to report incidents to appropriate authorities, such as the Internet Crime Complaint Center (IC3).

Void Arachne’s campaign underscores the increasing sophistication of cyber threats, highlighting the importance of robust cybersecurity measures. Individuals and organizations can safeguard against such malicious campaigns by remaining vigilant and implementing comprehensive security practices.

By | 2024-06-19T21:44:19+05:30 June 19th, 2024|Internet Security, malicious cyber actors, Malware, Security Advisory, Security Update|

About the Author:

FirstHackersNews- Identifies Security

Leave A Comment

Subscribe to our newsletter to receive security tips everday!