Skip to main content
Mallory
Back to threat actors
4 malware familiesExploits CVEs in the wild

Void Banshee

Also known asVoid Banshee

Void Banshee is an advanced persistent threat (APT) actor associated in the provided content with exploitation of multiple Windows MSHTML/MHTML flaws, including CVE-2024-38112 and CVE-2024-43461, and referenced in relation to the similar CVE-2024-43573. The actor is described as targeting victims in North America, Europe, and Southeast Asia for information theft and financial gain. Reported delivery activity used malicious files disguised as PDF books, distributed via cloud-sharing sites, Discord servers, online libraries, and compromised websites. The documented attack chain abused .URL files, the MHTML protocol handler, x-usc directives, and the disabled-but-present Internet Explorer/MSHTML components to access and execute attacker-controlled content, leading to HTA, VBScript, PowerShell, and .NET stages. The final payload described in the content is Atlantida Stealer, which steals credentials, cookies, cryptocurrency wallet data, browser extension data, screenshots, desktop files, Telegram data, Steam data, FileZilla data, and system information before exfiltration. The content directly identifies the actor only as Void Banshee; no additional aliases or sub-groups are provided.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

16 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

9 of 15 tactics23 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0042
Resource Development
1 technique
T1584
Compromise Infrastructure
T1584.004
Server
TA0001
Initial Access
1 technique
T1566
Phishing
T1566.001
Spearphishing Attachment
T1566.002
Spearphishing Link
TA0002
Execution
2 techniques
T1059
Command and Scripting Interpreter
T1059.001
PowerShell
T1059.005
Visual Basic
T1204
User Execution
T1204.002
Malicious File
TA0004
Privilege Escalation
1 technique
T1055
Process Injection
TA0005
Stealth
3 techniques
T1027
Obfuscated Files or Information
T1055
Process Injection
T1218
System Binary Proxy Execution
T1218.009
Regsvcs/Regasm
TA0006
Credential Access
1 technique
T1555
Credentials from Password Stores
T1555.003
Credentials from Web Browsers
TA0007
Discovery
1 technique
T1082
System Information Discovery
TA0009
Collection
3 techniques
T1005
Data from Local System
T1113
Screen Capture
T1560
Archive Collected Data
T1560.001
Archive via Utility
TA0010
Exfiltration
1 technique
T1041
Exfiltration Over C2 Channel
ARSENAL

Associated malware families

4 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
Atlantida"The final payload of this zero-day attack chain is the Atlantida stealer, which was first discovered in January 2024."2Mar 18, 2026
Atlantida StealerThe final payload of this zero-day attack chain is the Atlantida stealer, which was first discovered in January 2024.1May 25, 2026
DonutDonut is an opensource position-independent code that enables in-memory execution of VBScript, JScript, EXE, DLL files, and dotNET assemblies. In this attack, Donut is used to decrypt and execute the Atlantida stealer inside RegAsm.exe process memory.1May 25, 2026
LoadToBadXmlLoadToBadXml is a .NET Trojan loader that is obfuscated using Eziriz .NET Reactor.1May 25, 2026
WEAPONIZED

Associated vulnerabilities

2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.

CVE-2024-38112Windows MSHTML Platform Spoofing VulnerabilityIn the wildEvidence4

The vulnerability CVE-2024-38112 (ZDI-CAN-24433) was used as a zero-day to access and execute files through the disabled Internet Explorer using MSHTML.

CVE-2024-43461Windows MSHTML Platform Spoofing VulnerabilityIn the wildEvidence1

...CVE-2024-43461 (CVSS score: 8.8)... actively exploited in the wild by a threat actor known as Void Banshee... characterized as an MSHTML platform spoofing vulnerability similar to CVE-2024-38112... exploited as a part of an attack chain relating to CVE-2024-38112...

IOCS

Observables

7 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

7 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app
the hacker newsNews
Oct 9, 2024
Microsoft Issues Security Update Fixing 118 Flaws, Two Actively Exploited in the Wild

Void Banshee is known for exploiting MSHTML spoofing vulnerabilities to deliver the Atlantida Stealer malware.

Read more
help net securityNews
Oct 8, 2024
Microsoft patches two zero-days exploited in the wild (CVE-2024-43573, CVE-2024-43572)

Referenced as having exploited a Windows MSHTML (Internet Explorer engine) zero-day (CVE-2024-38112) in the wild; the article suggests CVE-2024-43573 may be similar and notes prior use of multiple MSHTML flaws in the same attack set.

Read more
picus security blogNews
Oct 4, 2024
Microsoft Warns of Storm-0501 Group Deploying Ransomware to Hybrid Cloud Environments

Financially motivated group conducting information-stealing malware campaigns targeting various sectors, including financial, technology, and government organizations, primarily for data theft and financial gain.

Read more
the hacker newsNews
Sep 11, 2024
Microsoft Issues Patches for 79 Flaws, Including 3 Actively Exploited Windows Flaws

Actively exploited MSHTML platform spoofing vulnerability CVE-2024-43461 as part of an attack chain related to CVE-2024-38112 to deliver Atlantida stealer malware (attack chain broken by July 2024 patch for CVE-2024-38112).

Read more
+2 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping16

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal4

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs2

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables7

Domains, IPs, and hashes tied to this actor, refreshed continuously.