Full Report
The Chinese-language artificial intelligence app Haotian is so effective that it’s made millions of dollars selling its face-swapping technology on Telegram. The service integrates easily with messaging platforms like WhatsApp and WeChat and claims that users can tweak up to 50 settings—including the ability to adjust things like cheekbone size and eye position—to help mimic the…
Analysis Summary
# Tool/Technique: Haotian AI Face Swapping Platform
## Overview
Haotian is a Chinese-language artificial intelligence application that specializes in providing ultra-realistic face-swapping technology. It generates revenue by selling its services, often on platforms like Telegram, and is specifically referenced as being utilized by actors running "pig butchering" romance scams and other online fraud operations in Southeast Asia.
## Technical Details
- Type: Commercial Tool / Platform (Used for Social Engineering/Fraud)
- Platform: Mobile/Web interface, integrates with messaging platforms (Telegram, WhatsApp, WeChat).
- Capabilities: High-fidelity AI face swapping that allows deep customization of facial features.
- First Seen: Not explicitly stated in the text, but in active use as of December 20, 2025.
## MITRE ATT&CK Mapping
Since Haotian is a tool used *by* threat actors rather than malware itself, it maps only loosely onto ATT&CK; its relevance lies in social engineering and impersonation, so the tactics below are listed with that caveat.
- **TA0001 - Initial Access** (Indirectly, if used to generate convincing lures for phishing)
- **TA0011 - Command and Control** (If used to maintain the persona's consistency)
- **TA0008 - Lateral Movement** (Not directly applicable)
- **TA0009 - Collection** (Not directly applicable)
- **TA0010 - Exfiltration** (Not directly applicable)
- **TA0006 - Credential Access** (Not directly applicable)
- **TA0002 - Execution** (Not directly applicable)
- **TA0004 - Privilege Escalation** (Not directly applicable)
- **TA0003 - Persistence** (Not directly applicable)
- **TA0005 - Defense Evasion** (Indirectly, by creating convincing deepfake identities)
- **TA0007 - Discovery** (Not directly applicable)
- **TA0012 - Impact** (Not directly applicable)
The most relevant techniques relate to the deception enabled by the tool's output:
- **T1553 - Subvert Trust Controls** (Through impersonation)
- **T1574 - Hijack Execution Flow** (Not directly applicable)
- **T1566 - Phishing** (The generated content is used as a lure)
- **T1598 - Phishing for Information** (Creating believable romantic personas)
- **T1598.003 - Spearphishing Link** (If the fake profiles lead to malicious links)
*Note: Direct mapping is difficult as this is a commercial tool supporting fraud, not traditional malware. Mappings reflect how its output is utilized in attacks like romance scams.*
## Functionality
### Core Capabilities
- AI-driven face swapping, resulting in ultra-realistic visual identity manipulation.
- Integration capabilities with major messaging platforms (WhatsApp, WeChat).
- Sales channel established through Telegram.
### Advanced Features
- Users have the ability to adjust up to 50 specific facial parameters (e.g., cheekbone size, eye position) to precisely mimic a target individual or create a desired persona.
## Indicators of Compromise
Because Haotian is a service sold for use rather than malware, traditional IoCs (hashes, registry keys) do not apply to the platform itself; the observable artifacts are its *output* (the resulting video/image files used in a scam).
- File Hashes: N/A (Commercial digital service)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Telegram, WhatsApp, WeChat (Platforms used for distribution/operation, not C2). Specific Haotian servers are not detailed.
- Behavioral Indicators: Use of highly customized, ultra-realistic deepfake imagery/video in online romance or financial fraud schemes.
## Associated Threat Actors
- "Pig butchering" romance scammers.
- Online fraud operations, particularly those operating in Southeast Asia.
## Detection Methods
Detection focuses on identifying the utilization of this technology in conjunction with known fraud patterns.
- Signature-based detection: Not applicable unless resulting files have detectable metadata patterns.
- Behavioral detection: Monitoring suspicious requests via messaging apps where high-fidelity video/image content is exchanged, followed by demands for money or sensitive information.
- YARA rules: Not applicable.
## Mitigation Strategies
Mitigation centers on recognizing and refusing digital impersonation attempts, especially when financial transactions are requested.
- Prevention measures: Educating users about AI-enabled deepfakes and romance scams. Implementing stricter controls on identity verification in sensitive communications or financial transfers initiated via non-verified channels.
- Hardening recommendations: Training security teams and users to be skeptical of unsolicited, highly convincing visual content in nascent relationships.
## Related Tools/Techniques
- Deepfake generation tools used for impersonation.
- Standardized social engineering methodologies employed in "pig butchering" scams (e.g., building long-term trust before financial exploitation).