Check out the results from our first round of ATT&CK Evaluations at!

Winnti Group

Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. [1] [2] [3] Some reporting suggests a number of other groups, including Axiom, APT17, and Ke3chang, are closely linked to Winnti Group. [4]

ID: G0044
Aliases: Winnti Group, Blackfly
Contributors: Edward Millington

Version: 1.0

Alias Descriptions

Winnti Group[1] [2]

Techniques Used

EnterpriseT1116Code SigningWinnti Group used stolen certificates to sign its malware.[1]
EnterpriseT1057Process DiscoveryWinnti Group looked for a specific process running on infected servers.[1]
EnterpriseT1014RootkitWinnti Group used a rootkit to modify typical server functionality.[1]


S0141WinntiMasquerading, New Service, Rundll32