Software: Winnti

From enterprise
Jump to: navigation, search
ID S0141
Aliases Winnti
Type Malware
Platform Windows

Winnti is a Trojan that has been used by multiple groups to carry out intrusions in varied regions from at least 2010 to 2016. One of the groups using this malware is referred to by the same name, Winnti Group; however, reporting indicates a second distinct group, Axiom, also uses the malware.123

Techniques Used

  • Masquerading - A Winnti implant file was named ASPNET_FILTER.DLL, mimicking the legitimate ASP.NET ISAPI filter DLL with the same name.2
  • New Service - Winnti sets its DLL file as a new service in the Registry to establish persistence.2


The following groups use this software: