A new threat actor group called Void Arachne is conducting a malware campaign targeting Chinese-speaking users. The group is distributing malicious MSI installer files bundled with legitimate software like AI tools, Chinese language packs, and virtual private network (VPN) clients. During installation, these files also covertly install the Winos 4.0 backdoor, which can fully compromise systems.

Void Arachne Tactics

Researchers from Trend Micro discovered that the Void Arachne group employs multiple techniques to distribute malicious installers, including search engine optimization (SEO) poisoning and posting links on Chinese-language Telegram channels.

• SEO Poisoning: The group set up websites posing as legitimate software download sites. Through SEO poisoning, they pushed these sites to rank highly on search engines for common Chinese software keywords. The sites host MSI installer files containing Winos malware bundled with software like Chrome, language packs, and VPNs. Victims unintentionally infect themselves with Winos, while believing that they are only installing intended software.
• Targeting VPNs: Void Arachne frequently targets Chinese VPN software in their installers and Telegram posts. Exploiting interest in VPNs is an effective infection tactic, as VPN usage is high among Chinese internet users due to government censorship. [caption id="attachment_77950" align="alignnone" width="917"] Source: trendmicro.com[/caption]
• Telegram Channels: In addition to SEO poisoning, Void Arachne shared malicious installers in Telegram channels focused on Chinese language and VPN topics. Channels with tens of thousands of users pinned posts with infected language packs and AI software installers, increasing exposure.
• Deepfake Pornography: A concerning discovery was the group promoting nudifier apps generating nonconsensual deepfake pornography. They advertised the ability to undress photos of classmates and colleagues, encouraging harassment and sextortion. Infected nudifier installers were pinned prominently in their Telegram channels.
• Face/Voice Swapping Apps: Void Arachne also advertised voice changing and face swapping apps enabling deception campaigns like virtual kidnappings. Attackers can use these apps to impersonate victims and pressure their families for ransom. As with nudifiers, infected voice/face swapper installers were shared widely on Telegram.

Winos 4.0 C&C Framework

The threat actors behind the campaign ultimately aim to install the Winos backdoor on compromised systems. Winos is a sophisticated Windows backdoor written in C++ that can fully take over infected machines. The initial infection begins with a stager module that decrypts malware configurations and downloads the main Winos payload. Campaign operations involve encrypted C&C communications that use generated session keys and a rolling XOR algorithm. The stager module then stores the full Winos module in the Windows registry and executes shellcode to launch it on affected systems. [caption id="attachment_77949" align="alignnone" width="699"] Source: trendmicro.com[/caption] Winos grants remote access, keylogging, webcam control, microphone recording, and distributed denial of service (DDoS) capabilities. It also performs system reconnaissance like registry checks, file searches, and process injection. The malware connects to a command and control server to receive further modules/plugins that expand functionality. Several of these external plugins were observed providing functions such as collecting saved passwords from programs like Chrome and QQ, deleting antivirus software and attaching themselves to startup folders.

Concerning Trend of AI Misuse and Deepfakes

Void Arachne demonstrates technical sophistication and knowledge of effective infection tactics through their usage of SEO poisoning, Telegram channels, AI deepfakes, and voice/face swapping apps. One particularly concerning trend observed in the Void Arachne campaign is the mass proliferation of nudifier applications that use AI to create nonconsensual deepfake pornography. These images and videos are often used in sextortion schemes for further abuse, victim harassment, and financial gain. An English translation of a message advertising the usage of the nudifier AI uses the word "classmate," suggesting that one target market is minors:

Just have appropriate entertainment and satisfy your own lustful desires. Do not send it to the other party or harass the other party. Once you call the police, you will be in constant trouble! AI takes off clothes, you give me photos and I will make pictures for you. Do you want to see the female classmate you yearn for, the female colleague you have a crush on, the relatives and friends you eat and live with at home? Do you want to see them naked? Now you can realize your dream, you can see them naked and lustful for a pack of cigarette money.

[caption id="attachment_77953" align="alignnone" width="437"] Source: trendmicro.com[/caption] Additionally, the threat actors have advertised AI technologies that could be used for virtual kidnapping, a novel deception campaign that leverages AI voice-alternating technology to pressure victims into paying ransom. The promotion of this technology for deepfake nudes and virtual kidnapping is the latest example of the danger of AI misuse.  

Researchers that were called to investigate a cyberattack on a large organization in late 2023 have traced the activity to a sophisticated Chinese-linked threat actor group dubbed 'Velvet Ant,' based on tactics and infrastructure. The investigation found that Velvet Ant infiltrated the company’s network at least three years prior to the incident using the remote access trojan PlugX, which granted the threat actors access to sensitive systems across the enterprise environment.

Velvet Ant Campaign Used Evasive Tactics

Researchers from Sygnia disclosed that the attack began with the compromise of the organization's internet-facing F5 BIG-IP appliances, which were running on vulnerable OS versions. These appliances usually occupy a trusted position within network architecture, allowing potential attackers significant control over network traffic while evading most forms of detection. These appliances were used within the organization to manage its firewall, WAF (web application firewall), load balancing, and local traffic . [caption id="attachment_77649" align="alignnone" width="1802"] Source: sygnia.co[/caption] The attackers used known remote code execution flaws to install custom malware on the compromised F5 appliances. To obscure the execution chain, the attackers manipulated file-creation times and used three different files (‘iviewers.exe’, ‘iviewers.dll’ and ‘iviewers.dll.ui’) for deployment of the PlugX malware on affected systems. Once installed, PlugX harvested credentials and executed reconnaissance commands to map the internal network. The hackers then used the open-source tool Impacket for lateral movement across the network. [caption id="attachment_77647" align="alignnone" width="1872"] Source: sygnia.co[/caption] During the initial compromise, the threat actor compromised both modern workstations and legacy Windows Server 2003 systems. On modern endpoints, the hackers routinely tampered with the installed antivirus prior to deploying additional tools. This careful targeting of security controls demonstrates Velvet Ant’s operational maturity. However, the focus on legacy platforms ultimately assisted the hackers in evading detection. The researchers identified the placement of 4 additional malware programs on compromised F5 appliances:

• VELVETSTING - This program was configured to connect to a remote server located in China to check for encoded commands on an hourly basis. Once commands were received, the program would execute them via a Unix shell.
• VELVETTAP - Malware seems to have been monitoring and capturing data from the F5 internal network interface.
• SAMRID - This software has been identified as a publicly available tunneling program that had previously been utilized by Chinese state-sponsored groups. While dormant during the researcher's investigation, it may have provided the attackers remote access.
• ESRDE - This backdoor works similarly to VELVETSTING, running commands delivered from an external server. It was also inactive at the time of analysis.

The VELVET programs were set up to restart upon reboot of compromised F5 appliances. These additional malware payloads were likely intended to provide attackers with multiple backdoors even after the discovery and removal of the initial malware. Each infection had been carefully established to resist removal various and facilitate additional infiltration.

Organizations Systems Were Reinfected Upon Malware Removal

After an extensive incident response operation apparently eliminated the threat actor’s access, researchers detected a PlugX reinfection on clean hosts again a few days later. Further analysis found that the new version of PlugX lacked an external command and control server. Instead, the malware was configured to use an internal file server for command and control. This adaptation blended malicious traffic with normal internal communications, helping Velvet Ant operate undetected. While the attack was eventually contained, its sophistication and persistence highlight the challenges defenders face against advanced persistent threats (APTs). The researchers stated that they could not rule out the possibility of the campaign being a ‘false-flag’ operation by a different APT group. However, the PlugX malware has previously been associated with other China-linked APTs. The researchers have shared several recommendations as well as indicators of compromise (IOCs) on their blog. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Chinese University of Hong Kong (CUHK) has been confronted by a massive data breach that has compromised personal information of precisely 20,870 students, staff and past graduates. The CUHK data breach was initially identified on June 3, 2024, prompting swift action by the institution. An investigation is currently underway to trace the culprits and to take corrective measures.

Understanding the CUHK Data Breach

The CUHK is one of the premier institutes in China which was established in 1963 and is the first research university in Hong Kong. The cyberattack on CUHK reportedly took place on June 1 at its School of Continuing and Professional Studies (CUSCS). In a statement put out by the school on June 13, CUSCS said that it had undertaken an investigation into the breach on June 3. An information technology security consultant was appointed by the college to assess the breach. The investigation revealed that the school’s “Moodle learning management system” was hacked. Moodle is an open-source learning management system designed. It allows educators, administrators and learners to create personalized learning environments for online projects in schools, colleges and workplaces. Moodle can be used to create custom websites with online courses and allows for community-sourced plugins. [caption id="attachment_77266" align="alignnone" width="1196"] Source: CUSCS Website[/caption] According to the CUSCS, the leaked data included the names, email addresses, and student numbers of 20,870 Moodle accounts of tutors, students, graduates, and visitors. This personal data was reportedly stolen after a server at one of the institution’s schools was hacked. Despite the university management stating that the sensitive data was not leaked on any public platforms, the breached information was found to be readily available on the dark web domain BreachForums. A Threat Actor (TA), who goes by the alias “Valerie”, put up a post on dark web stating that the hacker was willing to sell the data. The TA noted that, “75 per cent of the stolen data was sold to a private party, which financed the breach.  The rest of the data was not shared. So upon multiple offers, we decided to make a public sell.” To claim that the data was credible, the TA provided samples, which included the username, first name, last name, institution, department, mobile number and city of the victims of the data breach.

Investigation Status of CUHK Data Breach

The CUSCS stated that as soon as its investigation revealed a massive data breach, it had deactivated the relevant account and reset the password. It added that, apart from the relevant server, the online learning platform has been moved, and security measures have been strengthened to block any account after three unsuccessful login attempts. “CUHK has also been notified of the incident. The college has also established a crisis management team composed of the dean, deputy dean, information technology services director, administrative director and communications and public relations director to assess the risks,” CUSCS said. The college also had filed a complaint over the data breach to the local police. The university, too, has notified the city’s privacy watchdog-Office of the Privacy Commissioner for Personal Data (PCPD), in accordance with established procedures. The PCPD acknowledged receipt of the complaint on June 13.

CUHK Data Breach: Institutions in Hong Kong Under Scanner

In what is becoming a trend, CUHK has become the third educational institute in Hong Kong this year to fall victim to cyberattacks. In May, the Hong Kong Institute of Contemporary Culture, Lee Shau Kee School of Creativity, fell victim to a ransomware attack where the data of over 600 people was leaked. Similarly, in April, a private medical facility, Union Hospital, suffered a ransomware attack affecting its servers, which allegedly resulted in operational paralysis. The Hong Kong College of Technology too suffered a ransomware attack in February, which led to the data of around 8,100 students being breached.

A threat actor known as Desec0x has claimed to possess a database allegedly stolen from the State Grid Corporation of China (SGCC), offering it for sale on the nuovo BreachForums. In the post, Desec0x claimed a cyberattack on SGCC and stated to have gained access through a third-party network, allowing them to exfiltrate sensitive data. The threat actor claimed that multiple databases containing user account information, user details, department information, and roles were accessed. The employee information allegedly includes headers such as eID, username, phone number, email, employee number, username, and password. The database is allegedly available in SQL and XLSX formats for US$1,000.

Potential Implications of Cyberattack on SGCC

Established on December 29, 2002, SGCC is the largest utility company in the world and consistently ranks second on the Fortune Global 500 list. SGCC operates as a group with RMB 536.3 billion in registered capital and employs 1.72 million people. It provides power to over 1.1 billion people across 26 provinces, autonomous regions, and municipalities, covering 88% of China's national territory. Additionally, SGCC owns and operates overseas assets in countries such as the Philippines, Brazil, Portugal, Australia, and Italy. If the claims of the cyberattack on SGCC made by Desec0x are proven to be true, the implications could be far-reaching. The sensitive nature of the data allegedly stolen, including personal and departmental information of SGCC employees, could have serious consequences for the company and its stakeholders. However, upon accessing the official SGCC website, no signs of foul play were detected, and the website appeared to be functioning normally.

Global Context of Cyberattacks in the Energy Sector

The energy sector has been increasingly targeted by cyberattacks, often involving third-party data breaches. According to Security Intelligence, 90% of the world’s top energy companies suffered from third-party data breaches in 2023. Additionally, nearly 60% of cyberattacks in the energy sector are attributed to state-affiliated actors. In late 2023, 22 energy firms were targeted in a large-scale coordinated attack on Danish infrastructure. In April 2024, a group called Cyber Army Russia claimed responsibility for a cyberattack on Consol Energy, a prominent American energy company headquartered in Cecil Township, Pennsylvania. This cyberattack reportedly disrupted the company's website accessibility, causing issues for users outside the United States. In March 2024, a dark web actor was reportedly selling access to an Indonesian energy company, believed to be the same threat actor who targeted an American manufacturer. In 2023, a suspected cyberattack on Petro-Canada was officially confirmed. Suncor Energy, the holding company of Petro-Canada, acknowledged that an IT outage over the weekend was indeed a cyberattack. The company stated that it took immediate action upon discovering the attack, collaborating with third-party experts to investigate and address the situation. This incident caused significant disruptions to Petro-Canada's operations, affecting gas stations and preventing customers from accessing the Petro-Canada app and website. In the case of the State Grid Corporation of China, the claims made by Desec0x remain unverified until an official statement is released by SGCC. Without confirmation from the company, the alleged cyberattack on SGCC and data breach cannot be substantiated. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.