Beware — that new VPN you've found could be infected with malware

Illustration of a laptop with a magnifying glass exposing a beetle on-screen
(Image credit: Shutterstock / Kanoktuch)

Chinese users looking for VPN products, AI tools, and adult content, are being targeted in a new campaign whose goal is to spread a backdoor called Winos.

A new report from Trend Micro claims a new threat cluster, dubbed Void Arachne, is behind the campaign, and the malware can lead to “full system compromise”.

Trend Micro’s researchers said that they discovered this new group in early April 2024 after spotting heightened attacks against Chinese-speaking users. 

Telegram channels and SEO poisoning

To deliver Winos, they did a number of different things. For starters, they created MSI files (Windows Installer Package files used by Windows to install, store, and remove programs) who, at surface, were installing legitimate software. Victims would get Chinese-marketed virtual private network (VPN) solutions such as LetsVPN and QuickVPN, simplified Chinese versions of Google Chrome, zh-CN (Simplified Chinese) language packs, and more, but with these programs would come bundled Winos, too.

Furthermore, the threat actors were also creating nudifiers (if you’re unfamiliar with the term, a "nudifier" is a piece of software that can manipulate images to make subjects appear nude), and distributing deepfake pornography-generating AI software.

When it comes to advertising this software, Void Arachne did two things - took to Telegram, and poisoned search engine results. 

During the campaign, Trend Micro’s researchers said they observed several Telegram channels being used to share the malicious installer files. 

“We also saw attacker-controlled web servers that distribute malicious files through search engine optimization (SEO) poisoning attacks,” they said. 

When searching for a keyword on Google, the search engine will sort its results based on a number of factors, including how many articles used a specific link as a source of information. So, the attackers would host the malware on a website, and then generate numerous articles and blog posts linking back to that website, essentially tricking Google into thinking the site has authority. 

Google would then show that site on its Search Engine Results Page (SERP), basically serving their users malware.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.