Winnti Group

Threat Actor updated 2 months ago (2024-10-08T12:00:54.771Z)
The Winnti Group, a threat actor associated with Chinese state-sponsored hacking activity, has been active since at least 2007, according to researchers from Kaspersky Lab, who first identified the group in 2013. The group initially gained notoriety for its attacks on computer game developers and has been linked to several other advanced persistent threat (APT) groups, including APT41, Hafnium, LuckyMouse, Tick, Calypso, and Hive0088. The Winnti Group's activities include exploiting backdoor access to servers, operating malware command and control (C&C) infrastructure, and engaging in ransomware attacks. Notably, Taiwan implicated the Winnti Group in a ransomware attack on its state oil company.

The Winnti Group has used various sophisticated tools and techniques in its operations. It is known for using PlugX C&C servers, such as back.rooter[.]tk and mm.portomnail[.]com, and has been attributed with the use of Win64/HackTool.Mimikat.A, a Mimikatz build used for credential theft. Furthermore, SentinelLabs reported that an IP address used as a ShadowPad C2 server in August 2021 was attributed to the Winnti Group. The group's involvement in the development of known toolsets was further confirmed by links to an entity named i-Soon.

Several significant investigations and reports have detailed the Winnti Group's activities. In 2013, Kaspersky Lab published technical details about the original Winnti Group and its methods. In 2014, Novetta released a report on "Operation SMN," a large-scale malware eradication operation linked to the original Winnti Group. Trend Micro also reported on attacks that abused GitHub for malware command and control, attributing them to the original Winnti Group. These reports highlight the group's persistent and evolving threat.
Description last updated: 2024-10-08T11:31:04.694Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
Alias / Description (Votes)
APT41 is a possible alias for Winnti Group. APT41, also known as Winnti, is a threat actor suspected to be originating from China, with its activities dating back to as early as 2012. It has targeted organizations in at least 14 countries and has been associated with the use of at least 46 different code families and tools. The group's activi (3 votes)
Calypso is a possible alias for Winnti Group. Calypso is a recognized threat actor, likely linked to the Chinese state-sponsored group APT41. Other groups possibly connected to this network include Hafnium, LuckyMouse, Tick, Calypso, and Winnti Group (tracked by X-Force as Hive0088). Calypso has been associated with various malicious activities (3 votes)
LuckyMouse is a possible alias for Winnti Group. LuckyMouse, also known as Budworm, Emissary Panda, and APT27, is a threat actor that has been involved in several high-profile cyber-espionage activities. The group has demonstrated its ability to develop and deploy advanced cyber tools, targeting various operating systems including MacOS, Linux, an (2 votes)
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
State Sponso...
Malware
Associated Malware
Alias / Description (Association Type; Votes)
The ShadowPad Malware is associated with Winnti Group. ShadowPad is a sophisticated malware, known for its modular backdoor capabilities, that has been popular among Chinese threat actors for over seven years. It is designed to infiltrate systems often through suspicious downloads, emails, or websites, and once inside, it can steal personal information, (Association type: Unspecified; 2 votes)
The PipeMon Malware is associated with Winnti Group. PipeMon is a sophisticated, modular backdoor malware discovered in February 2020. It is attributed to the Winnti Group, known for their cyber espionage activities. This malware uses multiple named pipes for inter-module communication, hence its name "PipeMon". Its first stage consists of a password- (Association type: Unspecified; 2 votes)
Associated Threat Actors
Alias / Description (Association Type; Votes)
The Winnti Threat Actor is associated with Winnti Group. Winnti is a threat actor group known for its malicious activities, primarily originating from Chinese Advanced Persistent Threat (APT) operational infrastructure. The group, which has been active since at least 2007, was first spotted by Kaspersky in 2013. It is associated with several aliases such (Association type: Unspecified; 5 votes)
Source Document References
Information about the Winnti Group Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source (Created)
CERT-EU (a year ago)
Securityaffairs (5 months ago)
CERT-EU (9 months ago)
Unit42 (9 months ago)
CERT-EU (10 months ago)
SecurityIntelligence.com (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
DARKReading (a year ago)
CERT-EU (a year ago)
MITRE (2 years ago)
MITRE (2 years ago)
MITRE (2 years ago)
MITRE (2 years ago)
MITRE (2 years ago)
MITRE (2 years ago)
CERT-EU (2 years ago)
CERT-EU (2 years ago)