The sub-techniques beta is now live! Read the release blog post for more info.

Winnti Group

Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. [1] [2] [3] Some reporting suggests a number of other groups, including Axiom, APT17, and Ke3chang, are closely linked to Winnti Group. [4]

ID: G0044
Associated Groups: Blackfly
Contributors: Edward Millington
Version: 1.0
Created: 31 May 2017
Last Modified: 25 March 2019

Associated Group Descriptions

Name Description
Blackfly [5]

Techniques Used

Domain ID Name Use
Enterprise T1116 Code Signing

Winnti Group used stolen certificates to sign its malware.[1]

Enterprise T1057 Process Discovery

Winnti Group looked for a specific process running on infected servers.[1]

Enterprise T1014 Rootkit

Winnti Group used a rootkit to modify typical server functionality.[1]


ID Name References Techniques
S0141 Winnti [1] [2] Masquerading, New Service, Rundll32