Winnti Group

Threat Actor updated 2 months ago (2024-06-30T18:17:36.974Z)
The Winnti Group is a collective of Chinese Advanced Persistent Threat (APT) groups, including APT41, that first gained notoriety for attacks on computer game developers. Kaspersky first reported on the group in 2013, but researchers assess that this nation-state actor has been active since at least 2007. The Winnti Group has also been linked to other groups believed to be sponsored by the Chinese state, such as Hafnium, LuckyMouse, Tick, Calypso, and Hive0088, and Trend Micro has reported the group using GitHub for malware command and control.

The group's best-known toolset includes PlugX, Mimikatz, and ShadowPad. PlugX Command and Control (C&C) servers have been identified as back.rooter[.]tk and mm.portomnail[.]com. The group has used Mimikatz, a credential-theft tool, in samples identified by the hashes 33C7C049967F21DA0F1431A2D134F4F1DE9EC27E and A0B86104E2D00B3E52BDA5808CCEED9842CE2CEA. In August 2021, SentinelLabs reported an IP address used as a ShadowPad C2 server and attributed it to the Winnti Group.

The Winnti Group's activities have had significant impact worldwide. Notably, Taiwan has accused the group of being behind a ransomware attack on its state oil company. In 2014, Novetta released a report detailing "Operation SMN," a large-scale malware eradication operation tied to the original Winnti Group. This evidence shows a group that is not only capable of sophisticated cyberattacks but also poses a substantial threat to global cybersecurity.
Description last updated: 2024-06-30T18:16:10.945Z
Possible Aliases / Cluster Overlaps
Cluster overlaps and naming conventions are hard to track between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
APT41 | 3 | APT41, a threat actor attributed to China, has been actively targeting organizations in at least 14 countries since 2012. The group is known for its use of an extensive range of malware, with at least 46 different code families and tools observed in their operations. They are associated with various
Calypso | 3 | Calypso is a notable threat actor group, potentially linked to the Chinese state-sponsored threat actor group APT41, alongside other groups such as Hafnium, LuckyMouse, Tick, and Winnti Group. This group has been involved in various cyber espionage campaigns using sophisticated tools like Win32/Korp
LuckyMouse | 2 | LuckyMouse, also known as Budworm, Emissary Panda, and APT27, is a threat actor that has been involved in several high-profile cyber-espionage activities. The group has demonstrated its ability to develop and deploy advanced cyber tools, targeting various operating systems including MacOS, Linux, an
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance:
Apt, State Sponso..., Malware
Associated Malware
ID | Type | Votes | Profile Description
ShadowPad | Unspecified | 2 | ShadowPad is a modular malware that has been utilized by various Chinese threat actors since at least 2017. It's a malicious software designed to infiltrate computer systems, often without the user's knowledge, and can cause significant damage by stealing personal information, disrupting operations,
PipeMon | Unspecified | 2 | PipeMon is a sophisticated, modular backdoor malware discovered in February 2020. It is attributed to the Winnti Group, known for their cyber espionage activities. This malware uses multiple named pipes for inter-module communication, hence its name "PipeMon". Its first stage consists of a password-
Associated Threat Actors
ID | Type | Votes | Profile Description
Winnti | Unspecified | 5 | The Winnti Group is a sophisticated threat actor that has been active since at least 2007, first identified by Kaspersky in 2013. This collective of Chinese nation-state hackers is known for its advanced cyberespionage capabilities and its unique strategy of targeting legitimate software supply chai
Source Document References
Information about the Winnti Group Threat Actor was read from the documents corpus below (display limited to 20 results).
Source | Created | Title
CERT-EU | 9 months ago | Taiwan Calls on US Support to Defend Banks Against Hacking | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker
Securityaffairs | 2 months ago | Russia-linked group APT29 likely breached TeamViewer
CERT-EU | 6 months ago | Anxun and Chinese APT Activity - ReliaQuest
Unit42 | 7 months ago | Data From Chinese Security Services Company i-Soon Linked to Previous Chinese APT Campaigns
CERT-EU | 8 months ago | Connect the Dots on State-Sponsored Cyber Incidents - Targeting of CPC Corporation
SecurityIntelligence.com | 10 months ago | X-Force Research Update: Top 10 Cybersecurity Vulnerabilities of 2021
CERT-EU | 10 months ago | Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers
CERT-EU | a year ago | Connect the Dots on State-Sponsored Cyber Incidents - Targeting of CPC Corporation
DARKReading | a year ago | China's Winnti APT Compromises National Grid in Asia for 6 Months
CERT-EU | a year ago | Matthieu Faou | WeLiveSecurity
MITRE | 2 years ago | Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques
MITRE | 2 years ago | Winnti. More than just a game
MITRE | 2 years ago | Games are over: Winnti is now targeting pharmaceutical companies
MITRE | 2 years ago | Exchange servers under siege from at least 10 APT groups | WeLiveSecurity
MITRE | 2 years ago | Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan
MITRE | 2 years ago | No "Game over" for the Winnti Group | WeLiveSecurity
CERT-EU | a year ago | Higaisa or Winnti? APT41 backdoors, old and new
CERT-EU | a year ago | Space Pirates: analyzing the tools and connections of a new hacker group