Winnti Group

Threat Actor updated 10 days ago (2024-10-08T12:00:54.771Z)
The Winnti Group is a threat actor associated with Chinese state-sponsored intrusion activity. Researchers at Kaspersky Lab first publicly identified the group in 2013 and assess that it has been active since at least 2007. It initially gained notoriety for attacks on computer game developers and has since been linked, with varying confidence, to several other advanced persistent threat (APT) clusters, including APT41, Hafnium, LuckyMouse, Tick, Calypso, and Hive0088. Reported activity includes backdooring servers, operating malware command-and-control (C2) infrastructure, and deploying ransomware; notably, Taiwan implicated the Winnti Group in a ransomware attack on its state-owned oil company.

The group has used a range of tooling and infrastructure. It is known for operating PlugX C&C servers such as back.rooter[.]tk and mm.portomnail[.]com, and has been attributed with the use of Mimikatz (detected as Win64/HackTool.Mimikat.A) for credential theft. SentinelLabs reported that an IP address used as a ShadowPad C2 server in August 2021 was attributed to the Winnti Group. Links to an entity named i-Soon have further tied the group to the development of known toolsets.

Several investigations and reports detail the group's activities. In 2013, Kaspersky Lab published technical details on the original Winnti Group and its methods. In 2014, Novetta released its report on "Operation SMN," a large-scale malware eradication operation linked to the original Winnti Group. Trend Micro also reported on attacks that abused GitHub for malware command and control, attributing them to the original Winnti Group. Together, these reports document a persistent and evolving threat.
Description last updated: 2024-10-08T11:31:04.694Z
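The PlugX C&C domains above are published in defanged form, as threat-intel feeds usually are. The following Python is an added example, not part of this profile or of any vendor's tooling: it refangs such indicators, hunts for them in a DNS resolver log (matching whole labels, so a subdomain of an IOC hits but a look-alike suffix does not), and renders them as a STIX 2.1 domain-name pattern for sharing. The log layout, timestamps and client IPs are constructed for illustration; the two domains are used only because the description names them.

```python
"""Consume defanged C2 domain IOCs: refang, hunt in DNS logs, export as STIX."""
import re
from typing import Callable, Dict, Iterable, List, Optional

# The PlugX C&C domains named in the description above, as published (defanged).
DEFANGED_IOCS = ["back.rooter[.]tk", "mm.portomnail[.]com"]

# Constructed DNS resolver log in a simplified one-line-per-query layout:
# <timestamp> <client IP> query[<type>] <queried name>. Not a real capture.
SAMPLE_DNS_LOG = """\
2024-10-01T09:12:03Z 10.20.30.41 query[A] intranet.example.local
2024-10-01T09:12:07Z 10.20.30.41 query[A] BACK.ROOTER.TK.
2024-10-01T09:12:09Z 10.20.30.55 query[A] cdn.mm.portomnail.com
2024-10-01T09:12:11Z 10.20.30.55 query[A] notback.rooter.tk
2024-10-01T09:12:15Z 10.20.30.60 query[AAAA] www.example.com
"""


def refang(indicator: str) -> str:
    """Reverse common defanging so an indicator can be compared with log data.

    Handles '[.]', '(.)', '[dot]', '{.}' and 'hxxp(s)://' schemes, lowercases,
    and drops a trailing root dot so 'BACK.ROOTER.TK.' equals 'back.rooter.tk'.
    """
    s = indicator.strip().lower()
    for token in ("[.]", "(.)", "[dot]", "{.}"):
        s = s.replace(token, ".")
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s)
    return s.rstrip(".")


def build_matcher(defanged: Iterable[str]) -> Callable[[str], Optional[str]]:
    """Return a function mapping a queried hostname to the IOC it hits, or None.

    A hit is the IOC itself or any name beneath it ('cdn.mm.portomnail.com'
    hits 'mm.portomnail.com'). A plain string-suffix overlap such as
    'notback.rooter.tk' is not a hit, because comparison is on whole labels.
    """
    iocs = {refang(d) for d in defanged}

    def match(hostname: str) -> Optional[str]:
        labels = refang(hostname).split(".")
        # Walk from the full name up through its parent zones: a.b.c -> b.c -> c
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in iocs:
                return candidate
        return None

    return match


def scan_dns_log(log_text: str, match: Callable[[str], Optional[str]]) -> List[Dict[str, str]]:
    """Parse the simplified log layout and return one record per IOC hit."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines rather than abort the hunt
        ts, client, _qtype, qname = parts[0], parts[1], parts[2], parts[3]
        ioc = match(qname)
        if ioc:
            hits.append({"time": ts, "client": client, "query": refang(qname), "ioc": ioc})
    return hits


def stix_domain_pattern(defanged: Iterable[str]) -> str:
    """Render the domains as a single STIX 2.1 indicator pattern string."""
    domains = sorted({refang(d) for d in defanged})
    clauses = [f"domain-name:value = '{d}'" for d in domains]
    return "[" + " OR ".join(clauses) + "]"


if __name__ == "__main__":
    matcher = build_matcher(DEFANGED_IOCS)
    for hit in scan_dns_log(SAMPLE_DNS_LOG, matcher):
        print(hit)
    print(stix_domain_pattern(DEFANGED_IOCS))
```

Running the block reports two hits (the exact query for back.rooter.tk and the subdomain query under mm.portomnail.com) and ignores notback.rooter.tk; the label-wise walk is what prevents the false positive a naive `endswith` check would produce.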
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so the following are possible overlapping names and profiles worth reviewing alongside this one.
APT41 (3 votes): APT41, also known as Winnti, Wicked Panda, and Brass Typhoon, is a threat actor suspected to be linked to China. The group has been active since at least 2012 and has targeted organizations in over 14 countries. It has used a variety of sophisticated techniques and malware, including at least 46 ...

Calypso (3 votes): Calypso is a recognized threat actor, likely linked to the Chinese state-sponsored group APT41. Other groups possibly connected to this network include Hafnium, LuckyMouse, Tick, and Winnti Group (tracked by X-Force as Hive0088). Calypso has been associated with various malicious activities ...

LuckyMouse (2 votes): LuckyMouse, also known as Budworm, Emissary Panda, and APT27, is a threat actor involved in several high-profile cyber-espionage operations. The group has demonstrated its ability to develop and deploy advanced cyber tools targeting various operating systems, including macOS, Linux, an...
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Tags: APT, State Sponso..., Malware
Associated Malware
ShadowPad (association type: unspecified; 2 votes): ShadowPad is a modular backdoor in use since at least 2017, shared among several Chinese threat actors. It loads plugins at runtime to extend its capabilities and is used to gain and maintain covert access to compromised systems. It typ...

PipeMon (association type: unspecified; 2 votes): PipeMon is a sophisticated, modular backdoor discovered in February 2020 and attributed to the Winnti Group, known for its cyber-espionage activities. The malware uses multiple named pipes for inter-module communication, hence the name "PipeMon". Its first stage consists of a password-...
Associated Threat Actors
Winnti (association type: unspecified; 5 votes): Winnti, a notorious threat actor group, has been linked to several sophisticated cyber-espionage operations. First identified by Kaspersky in 2013, the group is believed to have been active since at least 2007, primarily targeting software supply chains to spread malware. Winnti is part of the A...
Source Document References
Information about the Winnti Group threat actor was read from the documents below (display limited to 20 results).

Source                      Created
CERT-EU                     10 months ago
Securityaffairs             4 months ago
CERT-EU                     7 months ago
Unit42                      8 months ago
CERT-EU                     9 months ago
SecurityIntelligence.com    a year ago
CERT-EU                     a year ago
CERT-EU                     a year ago
DARKReading                 a year ago
CERT-EU                     a year ago
MITRE                       2 years ago
MITRE                       2 years ago
MITRE                       2 years ago
MITRE                       2 years ago
MITRE                       2 years ago
MITRE                       2 years ago
CERT-EU                     a year ago
CERT-EU                     a year ago