Void Arachne
Description
(Trend Micro) In early April, we discovered that a new threat actor group (which we call Void Arachne) was targeting Chinese-speaking users. Void Arachne’s campaign involves the use of malicious MSI files that contain legitimate software installer files for artificial intelligence (AI) software as well as other popular software. The malicious Winos payloads are bundled alongside nudifiers and deepfake pornography-generating AI software, voice-and-face-swapping AI software, zh-CN (Simplified Chinese) language packs, the simplified Chinese version of Google Chrome, and Chinese-marketed virtual private networks (VPNs), such as LetsVPN and QuickVPN. During the process of installation, a Winos backdoor is also installed, which could also lead to full system compromise.
Names
Name | Name-Giver |
---|---|
Void Arachne | Trend Micro |
Silver Fox | Qihoo 360 |
Country
Motivation
- Information theft and espionage
First Seen
2024
Observed Countries
Tools
Operations
- 2025-06: Threat Group Targets Companies in Taiwan
  - https://www.fortinet.com/blog/threat-research/threat-group-targets-companies-in-taiwan
  - https://somedieyoungzz.github.io/posts/silver-fox/
Information
- https://www.trendmicro.com/en_us/research/24/f/behind-the-great-wall-void-arachne-targets-chinese-speaking-user.html
- https://www.forescout.com/blog/healthcare-malware-hunt-part-1-silver-fox-apt-targets-philips-dicom-viewers/
Other Information
Uuid
f08fc5ff-f408-48bf-a116-e1e98de278b2
Last Card Change
2025-06-28