Check out the results from our first round of ATT&CK Evaluations at!


Winnti is a Trojan that has been used by multiple groups to carry out intrusions in varied regions from at least 2010 to 2016. One of the groups using this malware is referred to by the same name, Winnti Group; however, reporting indicates a second distinct group, Axiom, also uses the malware. [1] [2] [3]

ID: S0141
Aliases: Winnti
Platforms: Windows

Version: 1.0

Techniques Used

EnterpriseT1036MasqueradingA Winnti implant file was named ASPNET_FILTER.DLL, mimicking the legitimate ASP.NET ISAPI filter DLL with the same name.[2]
EnterpriseT1050New ServiceWinnti sets its DLL file as a new service in the Registry to establish persistence.[2]
EnterpriseT1085Rundll32The Winnti installer loads a DLL using rundll32.[2]


Groups that use this software:

Winnti Group