Threat Analysts have reported alarming findings about the “Araneida Scanner,” a malicious tool allegedly based on a cracked version of Acunetix, a renowned web application vulnerability scanner.
The tool has been linked to illegal activities, including offensive reconnaissance, scraping user data, and identifying vulnerabilities for exploitation.
The “Araneida Scanner” is being sold on platforms like Telegram and actively exploited by threat actors.
Telegram channels tied to Araneida boast of major cyber exploits, including taking over 30,000 websites in six months.
A recent investigation linked the Araneida Scanner to a Turkish software developer based in Ankara.
Analysts have also uncovered a parallel operation involving another cracked Acunetix-based tool with login panels in Mandarin, suggesting Chinese threat actor involvement.
Background and Initial Discovery
Researchers initiated their investigation after receiving intelligence from a partner organization about unusual scanning activities involving an IP address linked to previous cyberattacks.
The scanner, identified as “Araneida – WebApp Scanner,” is being sold through the domain [araneida(.)co], created in February 2023.
The investigation confirmed that the tool uses components of cracked Acunetix software.
Partnering with Invicti, the parent company of Acunetix, Silent Push verified that the legitimate Acunetix scanner remains unaffected. This attack leverages unauthorized, cracked software versions without Invicti’s involvement.
The Araneida Scanner is widely marketed to cybercriminals for its offensive capabilities:
- Setup Process: Users receive a Windows executable file to install the scanner. Once installed, the tool aggressively scans websites, identifying vulnerabilities for potential exploitation.
- Malicious Features: It generates noisy traffic, issuing requests to many endpoints, often ones associated with CMS platforms.
- Telegram Channel Activity: Araneida’s Telegram community has nearly 500 members and actively promotes the tool’s illegal uses. Members share success stories of website takeovers, stolen credentials, and profits spent on luxury items like sports cars.
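The noisy, CMS-focused request pattern described above is something a defender can look for directly in web-server access logs. The following Python heuristic is an added example, not code from the report or from Silent Push: it aggregates per-client request counts, 4xx responses and hits on CMS-style paths from combined-format log lines, and flags clients that cross assumed thresholds. The CMS path list, the thresholds and the sample log lines are all constructed for illustration.

```python
import re
from collections import defaultdict

# Apache/Nginx combined log format. All sample lines below are constructed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Paths commonly probed on CMS sites; the list is an illustrative assumption, not from the report.
CMS_MARKERS = ("/wp-login.php", "/wp-admin", "/xmlrpc.php", "/wp-content/plugins/", "/administrator/", "/user/login")

def parse_lines(lines):
    """Aggregate per-client request count, 4xx responses and CMS-path hits."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "cms_hits": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        s = stats[m["ip"]]
        s["requests"] += 1
        if m["status"].startswith("4"):
            s["errors"] += 1
        if m["path"].startswith(CMS_MARKERS):
            s["cms_hits"] += 1
    return stats

def flag_scanners(stats, min_requests=5, error_ratio=0.5, min_cms_hits=3):
    """Return client IPs whose traffic looks like scanning; thresholds are assumptions to tune per site."""
    flagged = []
    for ip, s in stats.items():
        if s["requests"] < min_requests:
            continue
        if s["errors"] / s["requests"] >= error_ratio and s["cms_hits"] >= min_cms_hits:
            flagged.append(ip)
    return sorted(flagged)

# Constructed sample: one client probing CMS endpoints and getting 4xx, one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Dec/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Dec/2024:10:00:01 +0000] "GET /xmlrpc.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Dec/2024:10:00:02 +0000] "GET /administrator/index.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Dec/2024:10:00:02 +0000] "GET /wp-content/plugins/x/readme.txt HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Dec/2024:10:00:03 +0000] "GET /.env HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Dec/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2024:10:01:00 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2024:10:01:05 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(flag_scanners(parse_lines(SAMPLE_LOG)))  # -> ['203.0.113.10']
```

Flagged clients are candidates for correlation with the domain and IP feeds mentioned later in the article, not automatic blocks, since legitimate crawlers can also produce bursts of 4xx responses.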
Chinese Threat Actor Links
Researchers identified cracked Acunetix scanners hosted on IPs featuring Mandarin login portals and legacy Acunetix SSL certificates.
These portals, dating back to 2021, offer download links for malicious executables disguised as legitimate tools like “FlkVPN.”
Although no definitive connection has been established, researchers suspect involvement from APT41, a known Chinese cyber-espionage group.
APT41 has a history of exploiting Acunetix for reconnaissance efforts, as highlighted in reports by the U.S. Department of Health and Human Services earlier this year.
This is not the first instance of Acunetix misuse.
- In 2020, Iranian hackers exploited the tool to target U.S. state and election websites.
- In March 2024, Lumen identified an Acunetix scanner facilitating communications between malicious command-and-control servers.
- APT41 has also been reported to rely on Acunetix and other reconnaissance tools for spear-phishing and SQL injection attacks.
Researchers have developed actionable intelligence to help organizations mitigate risks from cracked Acunetix tools.
Silent Push provides detailed feeds containing domains and IPs associated with the Araneida Scanner infrastructure.
The exploitation of cracked cybersecurity tools like Acunetix underscores the double-edged nature of technology. While tools like Acunetix are designed to enhance web security, their misuse by malicious actors poses significant threats.
The discovery of Araneida’s link to a Turkish software developer and its growing influence among cybercriminals highlights the urgent need for vigilance and collaborative threat intelligence-sharing to combat such activities.