Winnti

Threat Actor updated 22 days ago (2024-09-17T00:17:48.044Z)
Download STIX
Preview STIX
Winnti, a notorious threat actor group, has been linked to several sophisticated cyber-espionage activities. First identified by Kaspersky in 2013, it is believed that the group has been active since at least 2007, primarily targeting software supply chains to spread malware. Winnti is part of the APT41 collective, also known as Brass Typhoon, Wicked Panda, and Barium among others, which was indicted by the Department of Justice in 2020 for hacking over 100 companies globally. This Beijing-based hacking group is associated with multiple subgroups, including Wicked Panda, SuckFly, and Barium, all known for exfiltrating trade secrets, intellectual property, and other sensitive data from organizations in the US and numerous other countries. The group's operations have been traced back to a shared Chinese Advanced Persistent Threat (APT) operational infrastructure, utilized exclusively by Chinese nation-state threat actors such as Iron Taurus (aka APT27), Starchy Taurus (aka Winnti), and Stately Taurus (aka Mustang Panda). The Winnti group has been connected to Operation Diplomatic Specter, which used this shared infrastructure. Among the tools attributed to Winnti is PipeMon malware, found in various companies compromised by the group. Command & Control (C&C) domains used by PipeMon were previously used by Winnti malware in earlier campaigns, further solidifying the attribution to this group. Winnti has also been implicated in attacks against government organizations in Asia, Latin America, and other regions under the alias Earth Lusca. This subgroup is thought to be part of the broader Winnti collective of Chinese threat actors. Additionally, the group has been linked to the usage of the Winnti trojan malware in infecting systems of various companies, demonstrating their persistent and evolving threat landscape. Given the extensive and diverse nature of its operations, Winnti poses a significant threat to cybersecurity worldwide.
Description last updated: 2024-09-17T00:15:40.075Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
APT41 is a possible alias for Winnti. APT41, also known as Winnti, Wicked Panda, and Brass Typhoon, is a significant threat actor attributed to China. This group has been active since at least 2012 and has targeted organizations in over 14 countries. It uses a wide range of malware, with at least 46 different code families and tools obs
5
Barium is a possible alias for Winnti. Barium, also known as BRONZE ATLAS or APT41, is a threat actor that has been associated with various malicious activities. Originating from China and active since at least 2007, this group has been implicated in cyberespionage efforts targeting multiple sectors across the globe. In 2017, according t
5
PlugX is a possible alias for Winnti. PlugX is a malicious software (malware) known for its stealthy operations. It has been linked to several cyberattacks, and its use has been attributed to various threat groups, including Winnti and MustangPanda. The malware leverages DLL side-loading to remain undetected, making it a potent tool in
4
Mustang Panda is a possible alias for Winnti. Mustang Panda, a known Chinese advanced persistent threat (APT) group, has been identified as the likely perpetrator behind a sophisticated, ongoing cyber-espionage campaign. The group, also known as Stately Taurus, Bronze President, RedDelta, Luminous Moth, Earth Preta, and Camaro Dragon, has a 12-
3
Axiom is a possible alias for Winnti. Axiom is a recognized threat actor, also known as a hacking team, that has been associated with malicious activities. The group has ties to the Chinese intelligence apparatus and has operated under various names such as Winnti, PassCV, APT17, LEAD, BARIUM, Wicked Panda, and GREF. The naming conventi
3
Earth Lusca is a possible alias for Winnti. Earth Lusca, a threat actor identified as being Chinese-speaking, has been active since at least the first half of 2023. The group primarily targets organizations in Southeast Asia, Central Asia, and the Balkans. Recently, it has expanded its arsenal with SprySOCKS Linux malware, a new addition that
3
Wicked Panda is a possible alias for Winnti. Wicked Panda, also known as APT41, Double Dragon, and Brass Typhoon, is a China state-sponsored threat actor identified by the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center as one of the top cybersecurity threats. The group, which has been linked to multipl
2
Blackfly is a possible alias for Winnti. Blackfly is a threat actor, tracked by Symantec, that has been involved in cyber-attacks primarily targeting South Korean companies, especially those in the video game and software development industry. The group initiated its activities with a campaign to steal certificates, which were later utiliz
2
APT17 is a possible alias for Winnti. APT17, also known as Tailgator Team and Deputy Dog, is a threat actor suspected to be affiliated with the Chinese intelligence apparatus. This group has been associated with various aliases including Winnti, PassCV, Axiom, LEAD, BARIUM, Wicked Panda, and GREF. The primary targets of APT17 are the U.
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Linux
Apt
Backdoor
Espionage
State Sponso...
Windows
Cobalt Strike
Chinese
Android
Implant
Trojan
Payload
Exploit
Exploits
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The ShadowPad Malware is associated with Winnti. ShadowPad is a modular malware that has been utilized by various Chinese threat actors since at least 2017. It's a malicious software designed to infiltrate computer systems, often without the user's knowledge, and can cause significant damage by stealing personal information, disrupting operations,Unspecified
7
The Wyrmspy Malware is associated with Winnti. WyrmSpy is a sophisticated malware attributed to the Chinese espionage group APT41, also known as Double Dragon, BARIUM, and Winnti. This harmful software, designed to exploit and damage computer systems or devices, infects systems through suspicious downloads, emails, or websites, often without useUnspecified
2
The PipeMon Malware is associated with Winnti. PipeMon is a sophisticated, modular backdoor malware discovered in February 2020. It is attributed to the Winnti Group, known for their cyber espionage activities. This malware uses multiple named pipes for inter-module communication, hence its name "PipeMon". Its first stage consists of a password-Unspecified
2
The DragonEgg Malware is associated with Winnti. DragonEgg is a malware associated with the notorious Chinese Advanced Persistent Threat (APT) group, APT41. This malicious software was developed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. The malware has been linked to surveillance Unspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Winnti Group Threat Actor is associated with Winnti. The Winnti Group, a threat actor associated with the Chinese state-sponsored hacking activities, has been active since at least 2007, according to researchers from Kaspersky Lab who first identified the group in 2013. The group initially gained notoriety for its attacks on computer game developers aUnspecified
5
The I-Soon Threat Actor is associated with Winnti. i-Soon, also known as Anxun, is a threat actor identified as a private industry contractor for the Chinese Ministry of Public Security (MPS). The company has recently been implicated in a massive data leak that surfaced on Github. As elaborated by Tom Uren and Catalin Cimpanu, i-Soon frequently initUnspecified
3
The Redhotel Threat Actor is associated with Winnti. RedHotel is a prolific threat actor group, known for its espionage activities targeting organizations of interest to the Chinese government. The group has been active since at least 2019 and operates alongside other threat groups such as RedAlpha and Poison Carp. Researchers at Recorded Future have Unspecified
2
Source Document References
Information about the Winnti Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
BankInfoSecurity
22 days ago
Securityaffairs
a month ago
DARKReading
a month ago
DARKReading
2 months ago
DARKReading
3 months ago
Securityaffairs
3 months ago
Unit42
5 months ago
CERT-EU
7 months ago
CERT-EU
7 months ago
CERT-EU
7 months ago
Trend Micro
7 months ago
Unit42
7 months ago
CERT-EU
8 months ago
DARKReading
8 months ago
CERT-EU
8 months ago
BankInfoSecurity
8 months ago
CERT-EU
9 months ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago