Void Arachne (Silver Fox APT) Targets Taiwanese Government & Tech Firms in Spear-Phishing-Driven Espionage Campaign

Void Arachne (Silver Fox APT), an advanced persistent threat group, has been linked to a recent cyberattack on Taiwanese government and technology firms, as well as healthcare and the public sector. The incident leveraged spear-phishing with RATs (Winos 4.0, Gh0st derivatives, ValleyRAT) and trojanized medical software to gain access, steal data, and evade detection. In this article, we examine who was responsible, how the attack unfolded, when it occurred, and what security leaders can do to avoid similar risks. We’ll also explore where Obsidian Security’s capabilities align with prevention and response.
Sophie Zhu
February 27, 2025

Who is Void Arachne (Silver Fox APT)?

Void Arachne, also known as Silver Fox APT, is a China-linked espionage group targeting Taiwanese government agencies, technology firms, and critical sectors through spear-phishing emails carrying RATs such as ValleyRAT and Gh0st derivatives. Their focus is on intellectual property theft and maintaining long-term covert access.

What Happened?

In June 2025, Intel 471 reported a targeted cyberespionage campaign against government and technology organizations in Taiwan, conducted by an advanced persistent threat actor known as Void Arachne (Silver Fox APT). This attack focused on stealing intellectual property and sensitive organizational data using sophisticated email-based infiltration methods.

How Did The Attack Work?

The campaign worked through the deployment of carefully crafted spear-phishing emails containing malicious attachments. Once the recipient opened these attachments, the attackers gained an initial foothold, leveraging remote access trojans (RATs) such as Gh0stCringe and HoldingHands. These RATs enabled persistent remote access, allowed for exfiltration of confidential documents, and incorporated stealth techniques designed to evade traditional endpoint detection tools. Silver Fox further strengthened their attacks using signal-based and multi-channel methods to reduce the risk of interception.

Why It Matters

This operation highlights how cyberespionage is escalating in strategically important regions like Taiwan, a global technology hub. Void Arachne's (Silver Fox APT) use of custom-built RATs and multi-platform communication channels demonstrates increasing sophistication among threat actors. The campaign underscores a growing need for organizations to invest in advanced phishing detection and improved security for enterprise messaging platforms to defend against evolving attack methods.

How to Defend Against Void Arachne (Silver Fox APT)-Style Attacks

To defend against threats similar to those used by Void Arachne (Silver Fox APT) targeting government and technology organizations:

  • Advanced Phishing Detection
    Deploy anti-phishing solutions capable of analyzing attachments and embedded payloads in real time.
  • Endpoint EDR Coverage
    Detect RAT activity and unauthorized remote control tools across all endpoints, including off-network devices.
  • Messaging Platform Security
    Secure enterprise messaging platforms against malicious file transfers and phishing links.
  • Access Review
    Conduct regular audits of privileged accounts and third-party integrations for signs of abuse.

Where Obsidian Security Can Help

ITDR detects anomalous user behavior and compromised accounts in SaaS environments. Browser Extension Protection blocks phishing sites and prevents session hijacking.

Conclusion

The recent Void Arachne (Silver Fox APT) campaign underscores the need for layered security and SaaS-native threat detection. Organizations should combine user education, identity threat protection, and SaaS configuration hardening to minimize risk. Obsidian’s continuous monitoring and context-aware alerts help defenders identify and respond to threats before damage is done.