Winnti Group

Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. [1] [2] [3] Some reporting suggests a number of other groups, including Axiom, APT17, and Ke3chang, are closely linked to Winnti Group. [4]

ID: G0044
Contributors: Edward Millington

Version: 1.0

Associated Group Descriptions

NameDescription
Blackfly[5]

Techniques Used

DomainIDNameUse
EnterpriseT1116Code SigningWinnti Group used stolen certificates to sign its malware.[1]
EnterpriseT1057Process DiscoveryWinnti Group looked for a specific process running on infected servers.[1]
EnterpriseT1014RootkitWinnti Group used a rootkit to modify typical server functionality.[1]

Software

IDNameReferencesTechniques
S0141Winnti[1][2]Masquerading, New Service, Rundll32

References