
Void Arachne

APT Group | Information theft and espionage | 7 zero-day CVEs | ETDA ✓

Also Known As 1 name

Silver Fox

Target Countries 3


China
Japan
Taiwan, Province of China

Sectors Targeted

No targeted sector recorded

Details

Origin 🇨🇳 CN
Last Updated 29 Jun 2024

Malware Families 8

rad
win.vx_rat
zgrat
dnsmessenger
win.silentgh0st
remotecontrolclient
devils_rat
Back Orifice

MITRE ATT&CK 96

T1003 - OS Credential Dumping
T1005 - Data from Local System
T1008 - Fallback Channels
T1012 - Query Registry
T1014 - Rootkit
T1016 - System Network Configuration Discovery
T1021 - Remote Services
T1027 - Obfuscated Files or Information
T1027.005 - Indicator Removal from Tools
T1033 - System Owner/User Discovery
T1036 - Masquerading
T1036.004 - Masquerade Task or Service
T1036.005 - Match Legitimate Name or Location
T1041 - Exfiltration Over C2 Channel
T1049 - System Network Connections Discovery
T1053 - Scheduled Task/Job
T1053.005 - Scheduled Task
T1055 - Process Injection
T1055.001 - Dynamic-link Library Injection
T1055.002 - Portable Executable Injection
T1056 - Input Capture
T1056.001 - Keylogging
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - PowerShell
T1059.003 - Windows Command Shell
T1068 - Exploitation for Privilege Escalation
T1070 - Indicator Removal on Host
T1070.004 - File Deletion
T1071 - Application Layer Protocol
T1071.001 - Web Protocols
T1072 - Software Deployment Tools
T1078 - Valid Accounts
T1078.001 - Default Accounts
T1082 - System Information Discovery
T1083 - File and Directory Discovery
T1095 - Non-Application Layer Protocol
T1102 - Web Service
T1102.002 - Bidirectional Communication
T1104 - Multi-Stage Channels
T1105 - Ingress Tool Transfer
T1106 - Native API
T1110.003
T1112 - Modify Registry
T1113 - Screen Capture
T1115 - Clipboard Data
T1123 - Audio Capture
T1124 - System Time Discovery
T1125 - Video Capture
T1129 - Shared Modules
T1132 - Data Encoding
T1134 - Access Token Manipulation
T1140 - Deobfuscate/Decode Files or Information
T1176 - Browser Extensions
T1189 - Drive-by Compromise
T1192 - Spearphishing Link
T1195 - Supply Chain Compromise
T1204 - User Execution
T1204.001 - Malicious Link
T1204.002 - Malicious File
T1211 - Exploitation for Defense Evasion
T1218 - Signed Binary Proxy Execution
T1218.010 - Regsvr32
T1218.011 - Rundll32
T1219 - Remote Access Software
T1496 - Resource Hijacking
T1497 - Virtualization/Sandbox Evasion
T1498 - Network Denial of Service
T1518 - Software Discovery
T1528 - Steal Application Access Token
T1539 - Steal Web Session Cookie
T1542 - Pre-OS Boot
T1543 - Create or Modify System Process
T1543.003 - Windows Service
T1547 - Boot or Logon Autostart Execution
T1547.001 - Registry Run Keys / Startup Folder
T1553 - Subvert Trust Controls
T1553.006 - Code Signing Policy Modification
T1555 - Credentials from Password Stores
T1555.003 - Credentials from Web Browsers
T1560 - Archive Collected Data
T1562 - Impair Defenses
T1562.001 - Disable or Modify Tools
T1562.002 - Disable Windows Event Logging
T1566 - Phishing
T1566.001 - Spearphishing Attachment
T1566.002 - Spearphishing Link
T1573 - Encrypted Channel
T1574 - Hijack Execution Flow
T1574.001 - DLL Search Order Hijacking
T1574.002 - DLL Side-Loading
T1574.006 - Dynamic Linker Hijacking
T1583.001 - Domains
T1606.002 - SAML Tokens
T1608 - Stage Capabilities
T1608.005 - Link Target