Winnti

Threat Actor Profile (updated 23 days ago)
Winnti, also known as Starchy Taurus, APT41, Axiom, Barium, Blackfly, and HOODOO, is a prominent threat actor originating from China. The group has been active since at least 2007 and is notorious for its sophisticated cyberespionage campaigns. Its activities have been linked to a shared Chinese Advanced Persistent Threat (APT) operational infrastructure used exclusively by Chinese nation-state threat actors such as Iron Taurus (aka APT27) and Stately Taurus (aka Mustang Panda).

Winnti's operations are characterized by the use of the PipeMon malware, which was found in companies compromised by the group; several Command & Control (C&C) domains used by this malware had previously been associated with Winnti in earlier campaigns. The group's arsenal also includes the ShadowPad and Winnti malware families, both of which are referenced in multiple sources, including i-SOON's product whitepapers and the US Justice Department's indictment of APT41. The group has additionally been linked to the development of known Winnti toolsets, further solidifying its association with these malware families. SentinelLabs reported that an IP address used as a ShadowPad C2 server in August 2021 was attributed to the Winnti group, providing further evidence of its activity.

Winnti remains an active threat, with numerous reports of attacks on various entities, including the DAX companies Siemens, BASF, and Henkel, and indications of continued activity in regions such as Hong Kong and Taiwan. The group's persistent operations, coupled with its advanced tools and techniques, make it a significant cybersecurity concern, so organizations should maintain robust security measures and stay current on threat intelligence related to this group.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID / Votes / Profile Description
APT41
5
APT41, also known as Winnti, Wicked Panda, and Wicked Spider, among other names, is a threat actor suspected to originate from China. With potential ties to the Chinese government, APT41 has been involved in complex cyber espionage operations since at least 2012, targeting organizations in at least
Barium
4
Barium, also known as BRONZE ATLAS, APT41, TA415, and part of the Winnti Group, is a China-linked cyberespionage threat actor that has been active since at least 2007. Notable for its deployment of sophisticated malware such as ShadowPad and KEYPLUG, Barium has been implicated in numerous cyber atta
Axiom
3
Axiom is a recognized threat actor, also known as a hacking team, that has been associated with malicious activities. The group has ties to the Chinese intelligence apparatus and has operated under various names such as Winnti, PassCV, APT17, LEAD, BARIUM, Wicked Panda, and GREF. The naming conventi
Blackfly
2
Blackfly is a threat actor, tracked by Symantec, that has been involved in cyber-attacks primarily targeting South Korean companies, especially those in the video game and software development industry. The group initiated its activities with a campaign to steal certificates, which were later utiliz
APT17
2
APT17, also known as Tailgator Team and Deputy Dog, is a threat actor suspected to be affiliated with the Chinese intelligence apparatus. This group has been associated with various aliases including Winnti, PassCV, Axiom, LEAD, BARIUM, Wicked Panda, and GREF. The primary targets of APT17 are the U.
Bronze Atlas
1
Bronze Atlas, also known as APT41, Winnti Group, or HOODOO, is a significant threat actor identified in the cybersecurity industry. The group has been involved in various malicious activities and has been tracked by Secureworks' Counter Threat Unit since at least 2007. According to Marc Burnard, a s
Ta428
1
TA428 is a sophisticated malware toolkit associated with several cyber threat groups, including Bronze Union (also known as LuckyMouse or APT27) and BackdoorDiplomacy. The TA428 toolkit includes various malicious software like Albaniiutas (RemShell), which is specifically mentioned in an ESET report
Greyfly
1
None
Redfly
1
RedFly, a threat actor group known for its malicious activities, has emerged as a significant cybersecurity concern. The group's operations are characterized by their strategic execution and targeted focus, often resulting in substantial security breaches. Threat actors like RedFly pose a significan
Red Echo
1
Red Echo, also known as Redfly, is a subgroup within the larger threat actor group Winnti. This group has been identified as responsible for a series of cyber-attacks with malicious intent, targeting various entities globally. In a recent campaign, Red Echo managed to infiltrate and occupy the netwo
Taurus
1
Taurus is a malicious software (malware) that has been associated with multiple cyber threat actors, notably Stately Taurus, Iron Taurus, and Starchy Taurus, all of which have connections to Chinese Advanced Persistent Threats (APTs). The malware is designed to infiltrate systems and steal personal
GREF
1
GREF, a China-aligned Advanced Persistent Threat (APT) group, has been identified as the orchestrator of two active Android malware campaigns. The campaigns have been distributing a malicious software called BadBazaar via two applications, Signal Plus Messenger and FlyGram, through the Google Play s
KEYPLUG
1
Keyplug is a modular backdoor malware written in C++, capable of supporting multiple network protocols for command and control (C2) traffic. This includes HTTP, TCP, KCP over UDP, and WSS. It was heavily used by APT41, also known as RedGolf, Winnti, Wicked Panda, Bronze Atlas, and Barium, a Chinese
svchost.exe
1
Svchost.exe is a malware that exploits and damages computer systems by injecting malicious code into various processes. This harmful program can infiltrate your system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, di
Redgolf
1
RedGolf, a Chinese state-sponsored threat activity group, has been actively targeting Windows and Linux systems with the KEYPLUG backdoor. This group's activities have been closely associated with other threat groups including APT41, Wicked Panda, Bronze Atlas, and Barium. The first known use of the
Wicked Panda
1
Wicked Panda, also known as APT41, Double Dragon, and Bronze Atlas, is a state-sponsored threat actor originating from China, recognized for its dual espionage and cybercrime operations. The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center has identified Wicke
Miscellaneous Associations
Other elements of context that could aid in identifying relevance.
Malware
Linux
Espionage
Apt
Backdoor
Windows
Chinese
State Sponso...
Cobalt Strike
Implant
Android
Exploit
Trojan
Payload
Europe
Manufacturing
Asia
China
Beacon
Ransomware
Taiwan
Poc
Phishing
Proxy
RCE (Remote ...
Github
Loader
Malware Impl...
Remote Code ...
Encryption
Injector
Rootkit
Shellcode
Rat
Facebook
Microsoft
Webshell
Evasive
Associated Malware
ID / Type / Votes / Profile Description
ShadowPad / Unspecified
7
ShadowPad is a modular backdoor malware that has been utilized by multiple Chinese threat groups since 2017. It was used as the payload in a supply chain attack targeting South Asian governments, as detailed in a VB2023 paper. The malware's operations are often facilitated through legitimate utiliti
PlugX / Unspecified
4
PlugX is a notorious malware, often used by various threat groups in their cyberattacks. It has been linked to several high-profile activities, such as those of the Winnti group and the LockFile ransomware activity. This Remote Access Trojan (RAT) employs sophisticated techniques like DLL side-loadi
DragonEgg / Unspecified
2
DragonEgg is a malware associated with the notorious Chinese Advanced Persistent Threat (APT) group, APT41. This malicious software was developed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. The malware has been linked to surveillance
Wyrmspy / Unspecified
2
WyrmSpy is a sophisticated malware attributed to the Chinese espionage group APT41, also known as Double Dragon, BARIUM, and Winnti. This harmful software, designed to exploit and damage computer systems or devices, infects systems through suspicious downloads, emails, or websites, often without use
PipeMon / Unspecified
2
PipeMon is a sophisticated, modular backdoor malware discovered in February 2020. It is attributed to the Winnti Group, known for their cyber espionage activities. This malware uses multiple named pipes for inter-module communication, hence its name "PipeMon". Its first stage consists of a password-
Sprysocks / Unspecified
1
SprySOCKS is a malicious software, or malware, that was discovered as part of the arsenal of Earth Lusca, a China-nexus threat actor. This malware is specifically designed to exploit and damage Linux systems. It can infect these systems through suspicious downloads, emails, or websites, often withou
HDoor / Unspecified
1
HDoor is a malicious software (malware) that has been publicly available in Chinese forums since 2008. This malware, equipped with full backdoor capabilities, allows operators to perform a variety of tasks, making it a potent threat to computer systems. It can infect systems through suspicious downl
gh0st RAT / Unspecified
1
Gh0st RAT, short for Ghost Remote Access Trojan, is a type of malware that was originally developed by the C. Rufus Security Team in China. It is known for its ability to infiltrate systems and steal personal information or disrupt operations. Due to a leakage in 2008, Gh0st RAT's source code has be
Iron Taurus / Unspecified
1
Iron Taurus, also known as APT27, is a malware that has been linked to various cyber-espionage activities. This malicious software is designed to infiltrate systems surreptitiously through suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operatio
Stately Taurus / Unspecified
1
Stately Taurus, also known as Mustang Panda, Bronze President, Red Delta, LuminousMoth, Earth Preta, and Camaro Dragon, is a potent malware linked to Chinese Advanced Persistent Threat (APT) activities. The first signs of its operation date back to at least 2012, with notable activity traced to Marc
Paranoid Plugx / Unspecified
1
Paranoid PlugX is a sophisticated malware designed to exploit and damage computer systems, often infiltrating without the user's knowledge. It typically enters a system through suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operations, or even
Gh0stcringe / Unspecified
1
Gh0stCringe is a variant of Gh0st RAT, a notorious malware that has been used in numerous cyber attacks. This malicious software is designed to exploit and damage computers or devices by infiltrating the system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once in
Brute Ratel / Unspecified
1
Brute Ratel is a malicious software (malware) that has been utilized by cybercriminals to exploit and damage computer systems. This malware can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, Brute Ratel can steal personal in
KONNI / Unspecified
1
Konni is a type of malware, malicious software designed to infiltrate and damage computer systems without the user's knowledge. It can infect systems through suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operations, or even hold data hostage f
Associated Threat Actors
ID / Type / Votes / Profile Description
Winnti Group / Unspecified
4
The Winnti Group, a collective of several Chinese Advanced Persistent Threat (APT) groups including APT41, is renowned for its malicious cyber activities. First gaining notoriety for its attacks on computer game developers, the group has since been linked to high-level cyber espionage conducted by t
I-Soon / Unspecified
3
i-SOON, a threat actor believed to be operating out of China, has come into the limelight due to a significant data leak. The leaked documents provide an inside view of i-SOON's operations, revealing its role in executing cyberespionage campaigns on behalf of various Chinese government agencies. Thi
Mustang Panda / Unspecified
3
Mustang Panda, also known as Bronze President, Camaro Dragon, Earth Preta, Luminous Moth, Red Delta, and Stately Taurus, is a Chinese-aligned threat actor group that has been active since at least March 2022. Initially targeting the Asia-Pacific region, Mustang Panda has expanded its activities to E
Redhotel / Unspecified
2
RedHotel, also known as Aquatic Panda, ControlX, and Bronze University, is a prolific espionage group that targets organizations of interest to the Chinese government. The group has been linked to Chinese state-sponsored hacking groups such as RedAlpha, Poison Carp, and APT27 (aka Budworm, LuckyMous
Earth Lusca / Unspecified
2
Earth Lusca is a significant threat actor that has recently expanded its malicious arsenal with the SprySOCKS Linux malware, posing an increased risk to global cybersecurity. This group is known for executing actions with harmful intent, and could be composed of individuals, private companies, or go
Volt Typhoon / Unspecified
1
Volt Typhoon is a threat actor associated with the Chinese government, known for its sophisticated cyber espionage campaigns targeting critical infrastructure in the US. The group has demonstrated strong operational security and advanced techniques for reconnaissance and lateral movement, as evidenc
Naikon / Unspecified
1
Naikon is a recognized threat actor, essentially a group or entity responsible for executing actions with malicious intent. Various research organizations have reported that this Chinese Advanced Persistent Threat (APT) group has been used by multiple other groups such as Growing Taurus and Parched
APT27 / Unspecified
1
APT27, also known as Iron Taurus, is a threat actor suspected to be originating from China. The group primarily engages in cyber operations with the goal of intellectual property theft, targeting organizations globally including those in North and South America, Europe, and the Middle East. APT27 ut
Goblin Panda / Unspecified
1
Goblin Panda is a recognized threat actor, known for its malicious activities in the cyber world. Various research organizations have indicated that several Chinese Advanced Persistent Threat (APT) groups such as Growing Taurus (aka Naikon) and Parched Taurus (aka Goblin Panda) have leveraged this t
Crosswalk / Unspecified
1
Crosswalk, a threat actor in the cybersecurity industry, has been identified as utilizing FakeTLS in its traffic, presenting significant security concerns. This modular backdoor is implemented in shellcode, with the main payload being the Crosswalk backdoor itself. The malicious files associated wit
Higaisa / Unspecified
1
Higaisa is a threat actor, or hacking group, believed to have its origins in South Korea according to Tencent's analysis. The group has been identified as targeting primarily North Korean government and trade organizations, but it has also extended its operations to China, Japan, Russia, Poland, and
APT1 / Unspecified
1
APT1, also known as Unit 61398 or Comment Crew, is a notorious cyber-espionage group believed to be part of China's People's Liberation Army (PLA) General Staff Department's 3rd Department. This threat actor has been linked with several high-profile Remote Access Trojans (RATs), enabling them to tak
Tick / Unspecified
1
Tick is a threat actor, likely originating from the People's Republic of China, that has been associated with malicious activities in cyberspace. Secureworks® incident responders and Counter Threat Unit™ (CTU) researchers have investigated the activities of this group, also known as BRONZE BUTLER. T
LuckyMouse / Unspecified
1
LuckyMouse, also known as Budworm, Emissary Panda, and APT27, is a threat actor that has been involved in several high-profile cyber-espionage activities. The group has demonstrated its ability to develop and deploy advanced cyber tools, targeting various operating systems including MacOS, Linux, an
Calypso / Unspecified
1
Calypso is a notable threat actor group, potentially linked to the Chinese state-sponsored threat actor group APT41, alongside other groups such as Hafnium, LuckyMouse, Tick, and Winnti Group. This group has been involved in various cyber espionage campaigns using sophisticated tools like Win32/Korp
Night Dragon / Unspecified
1
Night Dragon is a recognized threat actor, a term used in cybersecurity to denote an individual or group that carries out malicious activities. These entities can range from single individuals to large organizations or even government bodies. Night Dragon has been associated with several significant
TeamTNT / Unspecified
1
TeamTNT, a threat actor group known for its malicious activities, has been implicated in a series of sophisticated attacks on Kubernetes, one of the most complex to date. The group is notorious for deploying malware, specifically the Hildegard malware, which was identified during a new campaign. The
ScarCruft / Unspecified
1
ScarCruft, also known as APT37, Inky Squid, RedEyes, Reaper, or Group123, is a North Korean threat actor group associated with malicious cyber activities. Their actions have been linked to the execution of targeted attacks against individual Android devices, as outlined in a VB2023 paper titled "Int
Gamaredon / Unspecified
1
Gamaredon is a threat actor, or hacking team, believed to be Russian in origin and has been actively tracked since 2013. The group primarily targets Ukraine using malicious documents that deliver a range of home-brewed malware. The European Union's Computer Emergency Response Team (EU CERT) cites Ga
Associated Vulnerabilities
ID / Type / Votes / Profile Description
No associations to display
Source Document References
Information about the Winnti threat actor was read from the document corpus below. This display is limited to 20 results.
Source / Created At / Title
CERT-EU
a year ago
Higaisa or Winnti? APT41 backdoors, old and new
MITRE
a year ago
Winnti. More than just a game
MITRE
a year ago
Detecting threat actors in recent German industrial attacks with Windows Defender ATP - Microsoft Security Blog
MITRE
a year ago
Exchange servers under siege from at least 10 APT groups | WeLiveSecurity
MITRE
a year ago
Games are over: Winnti is now targeting pharmaceutical companies
CERT-EU
7 months ago
Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers
MITRE
a year ago
Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan
MITRE
a year ago
No “Game over” for the Winnti Group | WeLiveSecurity
MITRE
a year ago
Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques
Unit42
9 months ago
Persistent Attempts at Cyberespionage Against Southeast Asian Government Target Have Links to Alloy Taurus
CERT-EU
a year ago
Space Pirates: analyzing the tools and connections of a new hacker group
CERT-EU
8 months ago
Connect the Dots on State-Sponsored Cyber Incidents - Targeting of CPC Corporation
DARKReading
9 months ago
China's Winnti APT Compromises National Grid in Asia for 6 Months
CERT-EU
5 months ago
Connect the Dots on State-Sponsored Cyber Incidents - Targeting of CPC Corporation
Securityaffairs
a year ago
New Mélofée Linux malware linked to Chinese APT groups
Unit42
4 months ago
Data From Chinese Security Services Company i-Soon Linked to Previous Chinese APT Campaigns
CERT-EU
3 months ago
WinNTI hacker attack on another DAX company detected
DARKReading
a year ago
China's BlackFly Targets Materials Sector in 'Relentless' Quest for IP
CERT-EU
7 months ago
Tom "Hollywood" Hegel - ProtectWise 401TRG
Unit42
23 days ago
Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia