Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Beware — that new VPN you've found could be infected with malware

Illustration of a laptop with a magnifying glass exposing a beetle on-screen.

Chinese users looking for VPN products, AI tools, and adult content, are being targeted in a new campaign whose goal is to spread a backdoor called Winos.

A new report from Trend Micro claims a new threat cluster, dubbed Void Arachne, is behind the campaign, and the malware can lead to “full system compromise”.

Trend Micro’s researchers said that they discovered this new group in early April 2024 after spotting heightened attacks against Chinese-speaking users. 

Telegram channels and SEO poisoning

To deliver Winos, they did a number of different things. For starters, they created MSI files (Windows Installer Package files used by Windows to install, store, and remove programs) who, at surface, were installing legitimate software. Victims would get Chinese-marketed virtual private network (VPN) solutions such as LetsVPN and QuickVPN, simplified Chinese versions of Google Chrome, zh-CN (Simplified Chinese) language packs, and more, but with these programs would come bundled Winos, too.

Furthermore, the threat actors were also creating nudifiers (if you’re unfamiliar with the term, a "nudifier" is a piece of software that can manipulate images to make subjects appear nude), and distributing deepfake pornography-generating AI software.

When it comes to advertising this software, Void Arachne did two things - took to Telegram, and poisoned search engine results. 

During the campaign, Trend Micro’s researchers said they observed several Telegram channels being used to share the malicious installer files. 

“We also saw attacker-controlled web servers that distribute malicious files through search engine optimization (SEO) poisoning attacks,” they said. 

When searching for a keyword on Google, the search engine will sort its results based on a number of factors, including how many articles used a specific link as a source of information. So, the attackers would host the malware on a website, and then generate numerous articles and blog posts linking back to that website, essentially tricking Google into thinking the site has authority. 

Google would then show that site on its Search Engine Results Page (SERP), basically serving their users malware.

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.