Winnti

Threat Actor updated 23 days ago (2024-11-29T13:58:25.881Z)
Winnti is a threat actor group whose malicious activity is attributed primarily to Chinese Advanced Persistent Threat (APT) operational infrastructure. Active since at least 2007, the group was first identified by Kaspersky in 2013. It is tracked under several aliases, including APT41, Wicked Panda, Barium and Wicked Spider, among others. Winnti is known for a sophisticated attack lifecycle and for malware such as PipeMon, which is directly attributed to the group. It has also been linked to cyberespionage campaigns including Operation Diplomatic Specter, whose activity originated from shared Chinese APT infrastructure also used by other threat actors such as Iron Taurus (APT27) and Stately Taurus (Mustang Panda).

The group's modus operandi typically involves compromising the supply chains of legitimate software in order to distribute its malware. Several companies were compromised with PipeMon, whose command-and-control (C&C) domains overlap with earlier Winnti campaigns; Winnti malware had already been discovered in 2019 at some of the companies that were later compromised with PipeMon. Winnti has also been tied to Earth Lusca, a threat actor known for targeting government organizations in Asia, Latin America and other regions.

In 2020 the Department of Justice indicted five Chinese nationals who were part of a Beijing hacking group tracked as APT41, Brass Typhoon, Wicked Panda and Winnti, charging them with hacking more than 100 companies in the United States and abroad. The group's activity has resulted in extensive theft of trade secrets, intellectual property and sensitive data from organizations in multiple countries. Overall, Winnti represents a significant cybersecurity threat with a long history of successful and damaging intrusions.
Description last updated: 2024-11-15T16:10:02.059Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be worth reviewing. Each entry lists the alias, its vote count and the start of its description.
APT41 (6 votes). APT41 is a possible alias for Winnti. APT41, also known as Winnti, is a threat actor suspected to be originating from China, with its activities dating back to as early as 2012. It has targeted organizations in at least 14 countries and has been associated with the use of at least 46 different code families and tools. The group's activi

Barium (5 votes). Barium is a possible alias for Winnti. Barium, also known as BRONZE ATLAS or APT41, is a threat actor that has been associated with various malicious activities. Originating from China and active since at least 2007, this group has been implicated in cyberespionage efforts targeting multiple sectors across the globe. In 2017, according t

PlugX (4 votes). PlugX is a possible alias for Winnti. PlugX is a Remote Access Trojan (RAT) malware known for its stealthy operations and destructive capabilities. It is often used by threat actors to exploit and damage computer systems, steal personal information, disrupt operations, or hold data hostage for ransom. Its deployment has been linked to s

Earth Lusca (3 votes). Earth Lusca is a possible alias for Winnti. Earth Lusca, a threat actor believed to be part of the China-backed Winnti collective, has been active since at least 2019 and is known for its cyber-espionage activities. The group primarily targets government organizations in Asia, Latin America, and other regions. Recently, it has expanded its ar

Axiom (3 votes). Axiom is a possible alias for Winnti. Axiom is a recognized threat actor, also known as a hacking team, that has been associated with malicious activities. The group has ties to the Chinese intelligence apparatus and has operated under various names such as Winnti, PassCV, APT17, LEAD, BARIUM, Wicked Panda, and GREF. The naming conventi

Mustang Panda (3 votes). Mustang Panda is a possible alias for Winnti. Mustang Panda, a China-aligned Advanced Persistent Threat (APT) group, has been identified as a significant cyber threat actor involved in a series of malicious activities. Notably, Mustang Panda was found to be associated with the BRONZE PRESIDENT phishing lure, which delivered PlugX and used modif

Wicked Panda (2 votes). Wicked Panda is a possible alias for Winnti. Wicked Panda, also known as APT41, Double Dragon, and Brass Typhoon, is a prominent threat actor in the cybersecurity landscape. This China state-sponsored group has been identified as one of the top threat actors by the Department of Health and Human Services' Health Sector Cybersecurity Coordinati

Blackfly (2 votes). Blackfly is a possible alias for Winnti. Blackfly is a threat actor, tracked by Symantec, that has been involved in cyber-attacks primarily targeting South Korean companies, especially those in the video game and software development industry. The group initiated its activities with a campaign to steal certificates, which were later utiliz

APT17 (2 votes). APT17 is a possible alias for Winnti. APT17, also known as Tailgator Team and Deputy Dog, is a threat actor suspected to be affiliated with the Chinese intelligence apparatus. This group has been associated with various aliases including Winnti, PassCV, Axiom, LEAD, BARIUM, Wicked Panda, and GREF. The primary targets of APT17 are the U.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance: Malware, Linux, Apt, Espionage, Backdoor, Windows, State Sponso..., Cobalt Strike, Chinese, Exploit, Payload, Implant, Exploits, Android, Trojan.
Associated Malware
Each entry lists the malware family, the association type, the vote count and the start of its description.
ShadowPad (association type: Unspecified; 7 votes). The ShadowPad malware is associated with Winnti. ShadowPad is a sophisticated malware, known for its use in supply chain attacks, particularly against government entities in South Asia. This modular backdoor, which has been active for approximately seven years, is popular among Chinese threat actors. It was notably used as the payload in an attack

PipeMon (association type: Unspecified; 2 votes). The PipeMon malware is associated with Winnti. PipeMon is a sophisticated, modular backdoor malware discovered in February 2020. It is attributed to the Winnti Group, known for their cyber espionage activities. This malware uses multiple named pipes for inter-module communication, hence its name "PipeMon". Its first stage consists of a password-

DragonEgg (association type: Unspecified; 2 votes). The DragonEgg malware is associated with Winnti. DragonEgg is a malware associated with the notorious Chinese Advanced Persistent Threat (APT) group, APT41. This malicious software was developed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. The malware has been linked to surveillance

WyrmSpy (association type: Unspecified; 2 votes). The WyrmSpy malware is associated with Winnti. WyrmSpy is a sophisticated malware attributed to the Chinese espionage group APT41, also known as Double Dragon, BARIUM, and Winnti. This harmful software, designed to exploit and damage computer systems or devices, infects systems through suspicious downloads, emails, or websites, often without use
Associated Threat Actors
Each entry lists the threat actor, the association type, the vote count and the start of its description.
Winnti Group (association type: Unspecified; 5 votes). The Winnti Group threat actor is associated with Winnti. The Winnti Group, a threat actor associated with Chinese state-sponsored hacking activities, has been active since at least 2007, according to researchers from Kaspersky Lab who first identified the group in 2013. The group initially gained notoriety for its attacks on computer game developers a

I-Soon (association type: Unspecified; 3 votes). The I-Soon threat actor is associated with Winnti. i-Soon, also known as Anxun, is a threat actor identified as a private industry contractor for the Chinese Ministry of Public Security (MPS). The company has recently been implicated in a massive data leak that surfaced on Github. As elaborated by Tom Uren and Catalin Cimpanu, i-Soon frequently init

Volt Typhoon (association type: Unspecified; 3 votes). The Volt Typhoon threat actor is associated with Winnti. Volt Typhoon, a state-sponsored threat actor based in China, has been identified as a significant cybersecurity risk to critical infrastructure sectors in the United States. According to Microsoft and the Five Eyes cybersecurity and intelligence agencies, Volt Typhoon has compromised IT environments

APT31 (association type: Unspecified; 2 votes). The APT31 threat actor is associated with Winnti. APT31, also known as Zirconium, is a threat actor believed to be linked to the Chinese government. This group has been associated with numerous cyber attacks, including a significant exploit of CVE-2017-0005. This exploit, dubbed "Jian," was initially attributed to APT31 but upon further analysis by

RedHotel (association type: Unspecified; 2 votes). The RedHotel threat actor is associated with Winnti. RedHotel is a prolific threat actor group, known for its espionage activities targeting organizations of interest to the Chinese government. The group has been active since at least 2019 and operates alongside other threat groups such as RedAlpha and Poison Carp. Researchers at Recorded Future have
Source Document References
Information about the Winnti threat actor was read from the document corpus below. This display is limited to 20 results; each entry gives the source and the relative date at which it was created.
DARKReading (a month ago)
BankInfoSecurity (3 months ago)
Securityaffairs (3 months ago)
DARKReading (4 months ago)
DARKReading (5 months ago)
DARKReading (5 months ago)
Securityaffairs (6 months ago)
Unit42 (7 months ago)
CERT-EU (9 months ago)
CERT-EU (10 months ago)
CERT-EU (10 months ago)
Trend Micro (10 months ago)
Unit42 (10 months ago)
CERT-EU (10 months ago)
DARKReading (10 months ago)
CERT-EU (10 months ago)
BankInfoSecurity (10 months ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)