
Void Arachne – Threat Actor

January 25, 2025
Reading Time: 4 mins read
in Threat Actors
Void Arachne

Location

China

Date of initial activity

2024

Suspected Attribution

Cybercriminals

Government Affiliation

No

Motivation

Financial Gain

Associated Tools

Winos 4.0 C&C Framework
Malicious MSI Files

AI Software Installers
VPN Software Installers
Language Packs and Other Utilities
SEO Poisoning Infrastructure

Telegram Channels

Nudifier and Deepfake AI Tools

Software

Windows

Overview

In the ever-evolving landscape of cyber threats, Void Arachne has emerged as a formidable new player, drawing significant attention with its recent activities. The group is particularly notable for its targeted campaigns against Chinese-speaking users, blending legitimate software with malicious payloads to achieve its objectives. Void Arachne’s tactics reveal a sophisticated approach, combining traditional infection methods with evasion techniques designed to circumvent security measures and maximize impact. Its primary attack tool is the Windows Installer (MSI) file, a seemingly innocuous component of software installation that conceals the malicious content beneath layers of legitimate-looking software. By embedding malicious Winos payloads within these MSI files, the group camouflages its attacks as updates or installers for popular applications, including AI software and VPNs. This strategy not only extends the group’s reach but also significantly increases the likelihood of successful infection, because the MSI files look like standard software installers.

Common targets

Chinese Individuals

Attack vectors

Phishing

How they operate

At the heart of Void Arachne’s operations is the deployment of malicious MSI files that masquerade as legitimate software installers. These MSI files are crafted to bundle authentic software—such as AI tools and VPN applications—with the Winos 4.0 backdoor. During installation, the MSI file silently executes the Winos payload alongside the legitimate software, granting the threat actor unauthorized access to the victim’s system. The Winos backdoor is notable for its extensive command-and-control capabilities, allowing attackers to remotely control the compromised system, exfiltrate data, and potentially escalate privileges.

The initial access vector for Void Arachne’s campaign is multifaceted, combining SEO poisoning with spear-phishing. The threat actors set up web infrastructure that manipulates search engine rankings so that malicious links appear among the top results for commonly searched software. These links lead to downloads of the trojanized MSI files and are designed to catch users looking for popular applications. In addition, Void Arachne distributes malicious links through social media and messaging platforms, luring victims with seemingly benign software installers.

Once the MSI file is executed, it deploys Dynamic Link Libraries (DLLs) that install the Winos backdoor. The DLLs are crucial to executing the malicious payload, performing functions at runtime to maintain persistence and evade detection. Using MSI files for this purpose is particularly insidious because users typically trust these installers, which makes it easier for the malware to bypass traditional security measures.

Void Arachne’s C2 infrastructure is designed to be resilient and evasive. The group operates multiple subdomains under a root domain (e.g., webcamcn[.]xyz) as command-and-control servers. This domain generation approach complicates efforts to block or disrupt the operation, since the threat actor can continuously add new subdomains to its C2 network. Communication between the Winos backdoor and these servers occurs over HTTP/HTTPS, hiding command relay and data exfiltration in ordinary web traffic.

The campaign also highlights Void Arachne’s exploitation of the heightened public interest in technologies that circumvent internet censorship, particularly VPNs. By targeting VPN-related software and promoting it through SEO poisoning and social media channels, the threat actor capitalizes on users’ desire for privacy and access to restricted content. This tactic increases the likelihood of successful infection and fits the broader trend of using popular software to deliver malware.

MITRE Tactics and Techniques

Initial Access:
  • SEO Poisoning (T1608.006): The threat actor uses SEO poisoning to make malicious websites rank high in search engine results. These websites host malicious MSI files that, when downloaded, initiate the infection process.
  • Spear Phishing (T1566.002): Malicious links disguised as legitimate software installers are used to lure victims. These links are often distributed through social media and messaging platforms.
Execution:
  • Malicious MSI Files (T1203): The MSI files used in Void Arachne’s campaign contain both legitimate software and the Winos 4.0 backdoor. When executed, these installers run the Winos payload alongside the intended software.
  • Dynamic Link Libraries (DLLs) (T1073): The MSI installers use DLLs to execute the Winos backdoor. DLLs are employed during the installation process to perform various malicious actions.
Persistence:
  • Registry Run Keys/Startup Folder (T1547.001): The threat actor may leverage registry run keys or startup folders to maintain persistence on infected systems, ensuring the Winos backdoor remains active after reboot.
Command and Control (C2):
  • Command and Control Over Web Traffic (T1071): The Winos 4.0 backdoor communicates with C&C servers over HTTP/HTTPS to receive commands and exfiltrate data.
  • Domain Generation Algorithms (T1075): The threat actor uses multiple subdomains under a root domain (e.g., webcamcn[.]xyz) for their C&C infrastructure, making it harder to block all associated domains.
Exfiltration:
  • Exfiltration Over Web Service (T1041): Data is exfiltrated from compromised systems to the threat actor’s C&C servers via web services, which can be encrypted to evade detection.
Impact:
  • Data Destruction (T1485): While not a primary technique, the threat actor might leverage destructive payloads or ransomware in specific scenarios to impact targeted systems.
  • Credential Dumping (T1003): If additional payloads are present, they may be used to extract credentials or other sensitive data from compromised systems.
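The "How they operate" section and the C2 entry above both describe the same defensive problem: the backdoor beacons to ever-changing subdomains of one root domain, so blocking hostnames individually never catches up. The following detector, an added example that is not from the original profile or the referenced report, groups DNS queries by registered domain and alerts on a known C2 root or on unusual subdomain fan-out; the log format, threshold, allowlist and every hostname other than webcamcn[.]xyz are constructed for illustration.

```python
"""Subdomain fan-out detector over DNS logs (added example; not from the page or its source
report). Void Arachne's Winos 4.0 C2 used many subdomains of one root (webcamcn[.]xyz), so
blocking hostnames one at a time lags the operator; grouping queries by registered domain
exposes the pattern. Log format, threshold, allowlist and non-C2 hostnames are constructed."""
from collections import defaultdict

KNOWN_C2_ROOTS = {"webcamcn.xyz"}  # root domain named in reporting (defanged on the page)
ALLOWLIST = {"cloudfront.net"}     # assumed: CDNs legitimately fan out to many hostnames
FANOUT_THRESHOLD = 3               # assumed: distinct hostnames under one root before alerting

# Constructed sample log, one query per line: "<utc timestamp> <client ip> <queried name>"
SAMPLE_DNS_LOG = """\
2024-06-03T08:12:01Z 10.0.0.21 www.microsoft.com
2024-06-03T08:12:04Z 10.0.0.21 d1abc.cloudfront.net
2024-06-03T08:12:05Z 10.0.0.21 d2def.cloudfront.net
2024-06-03T08:12:06Z 10.0.0.21 d3ghi.cloudfront.net
2024-06-03T08:13:10Z 10.0.0.33 a1.webcamcn.xyz
2024-06-03T08:13:40Z 10.0.0.33 cdn7.webcamcn.xyz
2024-06-03T08:14:10Z 10.0.0.33 api.webcamcn.xyz.
2024-06-03T08:14:11Z 10.0.0.33 truncated line
"""

def registered_domain(qname: str) -> str:
    """Naive eTLD+1 (last two labels); use a public-suffix list to handle co.uk-style suffixes."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def parse_dns_log(text: str):
    """Yield (timestamp, client, qname) tuples, skipping lines without exactly three fields."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1], parts[2].lower().rstrip(".")

def analyze(records, threshold=FANOUT_THRESHOLD):
    """Return {root: {reason, clients, hosts}} for roots that are known C2 or fan out widely."""
    by_root = defaultdict(lambda: {"clients": set(), "hosts": set()})
    for _, client, qname in records:
        root = registered_domain(qname)
        by_root[root]["clients"].add(client)
        by_root[root]["hosts"].add(qname)
    alerts = {}
    for root, info in by_root.items():
        if root in KNOWN_C2_ROOTS:
            reason = "known C2 root domain"
        elif len(info["hosts"]) >= threshold and root not in ALLOWLIST:
            reason = f"{len(info['hosts'])} distinct hostnames under one root"
        else:
            continue  # below threshold, or an allowlisted high-fan-out domain
        alerts[root] = {"reason": reason, "clients": sorted(info["clients"]),
                        "hosts": sorted(info["hosts"])}
    return alerts
```

The per-root client list is what an incident responder needs next: it names the hosts that actually talked to the infrastructure, which is where the trojanized MSI install should be looked for.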
References:
  • Behind the Great Wall: Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 C&C Framework
Tags: China, Phishing, SEO Poisoning, Software, Threat Actors, Void Arachne, VPN, Windows, Winos