Cybercriminals are promoting tons of of hundreds of credential units stolen with the assistance of a cracked model of Acunetix, a robust industrial net app vulnerability scanner, new analysis finds. The cracked software program is being resold as a cloud-based assault device by no less than two totally different providers, one in all which KrebsOnSecurity traced to an data know-how agency based mostly in Turkey.
Araneida Scanner.
Cyber menace analysts at Silent Push mentioned they lately acquired studies from a companion group that recognized an aggressive scanning effort in opposition to their web site utilizing an Web tackle beforehand related to a marketing campaign by FIN7, a infamous Russia-based hacking group.
However on nearer inspection they found the tackle contained an HTML title of “Araneida Buyer Panel,” and located they may search on that textual content string to seek out dozens of distinctive addresses internet hosting the identical service.
It quickly turned obvious that Araneida was being resold as a cloud-based service utilizing a cracked model of Acunetix, permitting paying clients to conduct offensive reconnaissance on potential goal web sites, scrape person knowledge, and discover vulnerabilities for exploitation.
Silent Push additionally realized Araneida bundles its service with a strong proxy providing, in order that buyer scans seem to return from Web addresses which might be randomly chosen from a big pool of obtainable site visitors relays.
The makers of Acunetix, Texas-based utility safety vendor Invicti Safety, confirmed Silent Push’s findings, saying somebody had discovered easy methods to crack the free trial model of the software program in order that it runs with out a legitimate license key.
“We’ve got been enjoying cat and mouse for some time with these guys,” mentioned Matt Sciberras, chief data safety officer at Invicti.
Silent Push mentioned Araneida is being marketed by an eponymous person on a number of cybercrime boards. The service’s Telegram channel boasts almost 500 subscribers and explains easy methods to use the device for malicious functions.
In a “Enjoyable Info” checklist posted to the channel in late September, Araneida mentioned their service was used to take over greater than 30,000 web sites in simply six months, and that one buyer used it to purchase a Porsche with the cost card knowledge (“dumps”) they offered.

Araneida Scanner’s Telegram channel bragging about how clients are utilizing the service for cybercrime.
“They’re continually bragging with their group in regards to the crimes which might be being dedicated, the way it’s making criminals cash,” mentioned Zach Edwards, a senior menace researcher at Silent Push. “They’re additionally promoting bulk knowledge and dumps which seem to have been acquired with this device or as a result of vulnerabilities discovered with the device.”
Silent Push additionally discovered a cracked model of Acunetix was powering no less than 20 cases of the same cloud-based vulnerability testing service catering to Mandarin audio system, however they have been unable to seek out any apparently associated gross sales threads about them on the darkish net.
Rumors of a cracked model of Acunetix being utilized by attackers surfaced in June 2023 on Twitter/X, when researchers first posited a connection between observed scanning activity and Araneida.
In keeping with an August 2023 report (PDF) from the U.S. Division of Well being and Human Providers (HHS), Acunetix (presumably a cracked model) is amongst a number of instruments utilized by APT 41, a prolific Chinese language state-sponsored hacking group.
THE TURKISH CONNECTION
Silent Push notes that the web site the place Araneida is being offered — araneida[.]co — first got here on-line in February 2023. However a evaluation of this Araneida nickname on the cybercrime boards exhibits they’ve been lively within the prison hacking scene since no less than 2018.
A search within the menace intelligence platform Intel 471 exhibits a person by the identify Araneida promoted the scanner on two cybercrime boards since 2022, together with Breached and Nulled. In 2022, Araneida advised fellow Breached members they may very well be reached on Discord on the username “Ornie#9811.”
In keeping with Intel 471, this similar Discord account was marketed in 2019 by an individual on the cybercrime discussion board Cracked who used the monikers “ORN” and “ori0n.” The person “ori0n” talked about in a number of posts that they may very well be reached on Telegram on the username “@sirorny.”

Orn promoting Araneida Scanner in Feb. 2023 on the discussion board Cracked. Picture: Ke-la.com.
The Sirorny Telegram identification additionally was referenced as a degree of contact for a present person on the cybercrime discussion board Nulled who’s promoting web site improvement providers, and who references araneida[.]co as one in all their initiatives. That person, “Exorn,” has posts relationship again to August 2018.
In early 2020, Exorn promoted an internet site known as “orndorks[.]com,” which they described as a service for automating the scanning for web-based vulnerabilities. A passive DNS lookup on this area at DomainTools.com exhibits that its electronic mail data pointed to the tackle [email protected].
Constella Intelligence, an organization that tracks data uncovered in knowledge breaches, finds this electronic mail tackle was used to register an account at Breachforums in July 2024 below the nickname “Ornie.” Constella additionally finds the identical electronic mail registered on the web site netguard[.]codes in 2021 utilizing the password “ceza2003” [full disclosure: Constella is currently an advertiser on KrebsOnSecurity].
A search on the password ceza2003 in Constella finds roughly a dozen electronic mail addresses that used it in an uncovered knowledge breach, most of them that includes some variation on the identify “altugsara,” together with [email protected]. Constella additional finds [email protected] was used to create an account on the cybercrime group RaidForums below the username “ori0n,” from an Web tackle in Istanbul.
In keeping with DomainTools, [email protected] was utilized in 2020 to register the area identify altugsara[.]com. Archive.org’s history for that domain exhibits that in 2021 it featured an internet site for a then 18-year-old Altuğ Şara from Ankara, Turkey.

Archive.org’s recollection of what altugsara dot com regarded like in 2021.
LinkedIn finds this similar altugsara[.]com area listed within the “contact data” part of a profile for an Altug Sara from Ankara, who says he has labored the previous two years as a senior software program developer for a Turkish IT agency known as Bilitro Yazilim.
Neither Altug Sara nor Bilitro Yazilim responded to requests for remark.
Invicti’s web site states that it has places of work in Ankara, however the firm’s CEO mentioned none of their workers acknowledged both identify.
“We do have a small staff in Ankara, however so far as I do know we have now no connection to the person apart from the actual fact that also they are in Ankara,” Invicti CEO Neil Roseman advised KrebsOnSecurity.
Researchers at Silent Push say regardless of Araneida utilizing a seemingly limitless provide of proxies to masks the true location of its customers, it’s a pretty “noisy” scanner that can kick off a big quantity of requests to varied API endpoints, and make requests to random URLs related to totally different content material administration methods.
What’s extra, the cracked model of Acunetix being resold to cybercriminals invokes legacy Acunetix SSL certificates on lively management panels, which Silent Push says gives a stable pivot for locating a few of this infrastructure, significantly from the Chinese language menace actors.
Additional studying: Silent Push’s research on Araneida Scanner.