Winnti for Windows

Winnti for Windows is a Trojan that has been used by multiple groups to carry out intrusions in varied regions from at least 2010 to 2016. One of the groups using this malware is referred to by the same name, Winnti Group; however, reporting indicates a second distinct group, Axiom, also uses the malware. [1] [2] [3] The Linux variant is tracked separately under Winnti for Linux.[4]

ID: S0141
Platforms: Windows
Version: 2.0
Created: 31 May 2017
Last Modified: 04 May 2020

Techniques Used

Domain / ID / Name / Use

Enterprise T1543.003 Create or Modify System Process: Windows Service

Winnti for Windows sets its DLL file as a new service in the Registry to establish persistence.[2]

Enterprise T1036.005 Masquerading: Match Legitimate Name or Location

A Winnti for Windows implant file was named ASPNET_FILTER.DLL, mimicking the legitimate ASP.NET ISAPI filter DLL with the same name.[2]

Enterprise T1218.011 Signed Binary Proxy Execution: Rundll32

The Winnti for Windows installer loads a DLL using rundll32.[2]
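The three entries above translate into one defensive check: a service whose DLL borrows the ASPNET_FILTER.DLL name but does not live in the .NET Framework directory, or a service command line that hands a DLL outside the Windows directory to rundll32. The routine below is an added example, not code from the ATT&CK page or from any Winnti analysis; it runs over constructed service records (the names, paths and the assumed legitimate .NET Framework locations are illustrative, not indicators from a report).

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# Assumption: the genuine ASP.NET ISAPI filter ships only under these roots.
LEGIT_ASPNET_DIRS = (
    r"c:\windows\microsoft.net\framework",
    r"c:\windows\microsoft.net\framework64",
)

def _norm(path: str) -> str:
    """Lower-case and strip quotes so path comparisons are case-insensitive."""
    return path.strip('"').lower()

def flag_service(name: str, image_path: str, service_dll: Optional[str]) -> list:
    """Return findings for one service entry; an empty list means nothing matched."""
    findings = []
    dll = _norm(service_dll) if service_dll else None
    # T1036.005 + T1543.003: the implant's service DLL reuses the legitimate
    # file name but is loaded from somewhere other than the .NET directories.
    if dll and PureWindowsPath(dll).name == "aspnet_filter.dll":
        if not dll.startswith(LEGIT_ASPNET_DIRS):
            findings.append(f"{name}: ASPNET_FILTER.DLL loaded from unexpected path {dll}")
    # T1218.011: the service command line runs rundll32 with a DLL argument
    # that is not under System32.
    m = re.search(r'rundll32(?:\.exe)?\s+"?([^",\s]+)', _norm(image_path))
    if m and not m.group(1).startswith(r"c:\windows\system32"):
        findings.append(f"{name}: rundll32 loads non-system DLL {m.group(1)}")
    return findings

# Constructed sample records shaped like HKLM\SYSTEM\CurrentControlSet\Services
# entries (ImagePath plus Parameters\ServiceDll); none are real indicators.
SAMPLE_SERVICES = [
    {"name": "W3SVC", "image_path": r"C:\Windows\system32\svchost.exe -k iissvcs",
     "service_dll": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_filter.dll"},
    {"name": "NetSvcHelper", "image_path": r"C:\Windows\system32\svchost.exe -k netsvcs",
     "service_dll": r"C:\ProgramData\ASPNET_FILTER.DLL"},
    {"name": "UpdSvc", "image_path": r'rundll32.exe "C:\ProgramData\upd.dll",Install',
     "service_dll": None},
]

def scan(services=SAMPLE_SERVICES) -> dict:
    """Map each service name to its findings."""
    return {s["name"]: flag_service(s["name"], s["image_path"], s["service_dll"])
            for s in services}

if __name__ == "__main__":
    for svc, hits in scan().items():
        print(svc, hits or "ok")
```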

Groups That Use This Software

ID Name References
G0044 Winnti Group