New hacker group targets Chinese users with compromised deepfake porn software, malicious VPN installers

A previously unknown hacker group dubbed Void Arachneis is targeting Chinese-speaking users with malware embedded inside tools, including virtual private network (VPN) installers, deepfake pornography-generating software and the simplified Chinese version of Google Chrome.

When victims install these tools on their devices, they unknowingly get infected with Winos malware, which hackers use to remotely control a compromised computer by capturing screens, controlling webcams, recording microphones, and conducting distributed denial-of-service (DDoS) attacks.

Researchers at the cybersecurity firm Trend Micro discovered the campaign in early April, saying it could have potentially reached “a substantial Chinese-speaking demographic as well as the broader East Asian community.” They didn’t mention if Void Arachne is a state-sponsored threat actor or if it is financially motivated.

The hackers use search engine (SEO) poisoning tactics to manipulate search engine results to rank malicious websites higher than legitimate ones, using phishing links disguised as legitimate software installers to lure potential victims. 

Researchers have also discovered Telegram channels, some with tens of thousands of Chinese-speaking users, advertising malicious packages containing VPN-related software or artificial intelligence tools used to generate porn, alter voices, or swap faces.

Abusing VPN technology is common among hackers targeting Chinese users, according to the report. 

“Due to strict government control, VPN services and public interest in this technology have notably increased. This has, in turn, enhanced threat actors' interest in exploiting the heightened public interest in software that can evade the Great Firewall and online censorship,” researchers said.

Earlier this week, researchers at another cybersecurity firm, Cyble, discovered a campaign targeting Chinese citizens with QR code phishing attacks. According to the report, the hackers were using fake official documents embedded with the codes, redirecting users to fraudulent websites designed to harvest sensitive data.

Researchers at LevelBlue Labs also discovered a new evasive malware loader named SquidLoader that spreads via phishing campaigns and infects Chinese organizations. It was first observed in a campaign in late April 2024 targeting specific unnamed entities in China.