Threat analysts report the “Araneida Scanner,” based on a cracked Acunetix version, is used for illegal activities like data scraping and exploiting vulnerabilities.
Sold on Telegram, it’s actively used by threat actors for offensive reconnaissance.
Telegram channels promoting Araneida claim it has compromised over 30,000 websites in six months.
An investigation connected the Araneida Scanner to a Turkish developer in Ankara.
Analysts also discovered another cracked Acunetix-based tool with Mandarin login panels, pointing to possible Chinese threat actor involvement.
Background and Discovery
Researchers began investigating after a partner flagged unusual scanning activity from an IP address tied to past cyberattacks.
The “Araneida – WebApp Scanner,” sold via [araneida(.)co], launched in February 2023 and uses cracked Acunetix components.
Silent Push, in partnership with Invicti, confirmed that the legitimate Acunetix scanner is unaffected: the activity relies on unauthorized cracked copies of the product and does not involve Invicti.
Araneida Scanner Features:
- Setup: Users install a Windows executable to start scanning websites for vulnerabilities.
- Malicious Activity: It generates noisy scan traffic that targets CMS platforms and other endpoints.
- Telegram Activity: Araneida’s Telegram group, with nearly 500 members, promotes its illegal use. Members share success stories of website hacks, stolen credentials, and luxury purchases like sports cars.
Chinese Threat Actor Links
Cracked Acunetix scanners were found on IPs with Mandarin login portals and legacy Acunetix SSL certificates, dating back to 2021.
These portals offer malicious executables disguised as tools like “FlkVPN.”
Researchers suspect APT41, a Chinese cyber-espionage group with a history of using Acunetix for reconnaissance, as reported by the U.S. Department of Health and Human Services.
Acunetix misuse is not new:
- In 2020, Iranian hackers targeted U.S. state and election websites.
- In March 2024, Lumen reported it being used to facilitate communications with malicious servers.
- APT41 has used it for spear-phishing and SQL injection attacks.
Silent Push provides feeds with domains and IPs linked to the Araneida Scanner to help mitigate risks from cracked tools.
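As an added illustration that is not part of the Silent Push report or this article, the following Python script shows the defender's side of two points above: the noisy, path-hopping probing the scanner produces and the use of an indicator feed of scanner IPs. The log lines and the indicator set are constructed placeholders, and the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Mar/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 210
203.0.113.7 - - [01/Mar/2024:10:00:01 +0000] "GET /administrator/ HTTP/1.1" 404 210
203.0.113.7 - - [01/Mar/2024:10:00:02 +0000] "GET /xmlrpc.php HTTP/1.1" 404 210
203.0.113.7 - - [01/Mar/2024:10:00:02 +0000] "GET /user/login HTTP/1.1" 404 210
203.0.113.7 - - [01/Mar/2024:10:00:03 +0000] "GET /.env HTTP/1.1" 404 210
203.0.113.7 - - [01/Mar/2024:10:00:03 +0000] "GET /wp-content/plugins/ HTTP/1.1" 404 210
198.51.100.20 - - [01/Mar/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.20 - - [01/Mar/2024:10:00:09 +0000] "GET /about HTTP/1.1" 200 3100
192.0.2.44 - - [01/Mar/2024:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 4096
"""

# Placeholder indicator set standing in for a vendor feed of scanner IPs (constructed, not real data).
IOC_IPS = {"192.0.2.44"}

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \d+')

def parse_log(text):
    # Yield (ip, path, status) for each well-formed line; malformed lines are skipped.
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group(1), m.group(3), int(m.group(4))

def flag_scanners(text, min_requests=5, min_distinct_paths=5, min_404_ratio=0.6):
    # Return {ip: reason}. Signal 1: the IP is on the indicator feed.
    # Signal 2 (behavioural): many requests to many distinct paths, mostly 404s,
    # i.e. the noisy probing of CMS and other endpoints described above.
    counts, paths, not_found = defaultdict(int), defaultdict(set), defaultdict(int)
    for ip, path, status in parse_log(text):
        counts[ip] += 1
        paths[ip].add(path)
        if status == 404:
            not_found[ip] += 1
    flagged = {}
    for ip, n in counts.items():
        ratio = not_found[ip] / n
        if ip in IOC_IPS:
            flagged[ip] = "indicator feed match"
        elif n >= min_requests and len(paths[ip]) >= min_distinct_paths and ratio >= min_404_ratio:
            flagged[ip] = f"{n} requests, {len(paths[ip])} paths, {ratio:.0%} 404s"
    return flagged

if __name__ == "__main__":
    for ip, why in flag_scanners(SAMPLE_LOG).items():
        print(ip, why)
```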
This case highlights the danger of cracked security tools like Acunetix: built for defensive testing, they can be weaponized by cybercriminals.
The Araneida Scanner’s link to a Turkish developer and its rising use emphasize the need for vigilance and threat intelligence collaboration.