{
	"id": "1f11c2a1-7be6-4135-88d5-946c54b3efba",
	"created_at": "2026-04-06T00:19:54.836349Z",
	"updated_at": "2026-04-10T03:29:06.986566Z",
	"deleted_at": null,
	"sha1_hash": "e64874f5847506417c8cb5d9a489f5d1890bbe8d",
	"title": "Void Arachne - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52319,
	"plain_text": "Void Arachne - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 15:14:31 UTC\nAPT group: Void Arachne\nNames:\nVoid Arachne (Trend Micro)\nSilver Fox (Qihoo 360)\nCountry: China\nMotivation: Information theft and espionage\nFirst seen: 2024\nDescription:\n(Trend Micro) In early April, we discovered that a new threat actor group (which we\ncall Void Arachne) was targeting Chinese-speaking users. Void Arachne’s campaign\ninvolves the use of malicious MSI files that contain legitimate software installer files\nfor artificial intelligence (AI) software as well as other popular software. The\nmalicious Winos payloads are bundled alongside nudifiers and deepfake\npornography-generating AI software, voice-and-face-swapping AI software, zh-CN\n(Simplified Chinese) language packs, the simplified Chinese version of Google\nChrome, and Chinese-marketed virtual private networks (VPNs), such as LetsVPN\nand QuickVPN. During the process of installation, a Winos backdoor is also\ninstalled, which could also lead to full system compromise.\nObserved Countries: China, Japan, Taiwan.\nTools used: Gh0stCringe, HoldingHands RAT, Winos.\nOperations performed: Jun 2025\nThreat Group Targets Companies in Taiwan\nInformation\nLast change to this card: 16 August 2025\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=f08fc5ff-f408-48bf-a116-e1e98de278b2\nPage 1 of 2\n\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=f08fc5ff-f408-48bf-a116-e1e98de278b2\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=f08fc5ff-f408-48bf-a116-e1e98de278b2\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=f08fc5ff-f408-48bf-a116-e1e98de278b2"
	],
	"report_names": [
		"showcard.cgi?u=f08fc5ff-f408-48bf-a116-e1e98de278b2"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8f68387a-aced-4c99-b2a6-aa85071a0ca3",
			"created_at": "2024-06-25T02:00:05.030976Z",
			"updated_at": "2026-04-10T02:00:03.656871Z",
			"deleted_at": null,
			"main_name": "Void Arachne",
			"aliases": [
				"Silver Fox"
			],
			"source_name": "MISPGALAXY:Void Arachne",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a7805d1a-b8d0-4a42-ae86-1d8711e0b2b9",
			"created_at": "2024-08-28T02:02:09.729503Z",
			"updated_at": "2026-04-10T02:00:04.967533Z",
			"deleted_at": null,
			"main_name": "Void Arachne",
			"aliases": [
				"Silver Fox"
			],
			"source_name": "ETDA:Void Arachne",
			"tools": [
				"Gh0stBins",
				"Gh0stCringe",
				"HoldingHands RAT",
				"Winos"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434794,
	"ts_updated_at": 1775791746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e64874f5847506417c8cb5d9a489f5d1890bbe8d.pdf",
		"text": "https://archive.orkl.eu/e64874f5847506417c8cb5d9a489f5d1890bbe8d.txt",
		"img": "https://archive.orkl.eu/e64874f5847506417c8cb5d9a489f5d1890bbe8d.jpg"
	}
}