Group: Winnti Group, Blackfly

From ATT&CK
Jump to: navigation, search
Winnti Group, Blackfly
Group
ID G0044
Aliases Winnti Group, Blackfly

Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. Though both this group and Axiom use the malware Winnti, the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting.123

Alias Descriptions

  • Blackfly - 4

Techniques Used

  • Code Signing - Winnti Group used stolen certificates to sign its malware.1
  • Process Discovery - Winnti Group looked for a specific process running on infected servers.1
  • Rootkit - Winnti Group used a rootkit to modify typical server functionality.1

Software