Winnti Group
Also known as: Blackfly
Overview
Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. Some reporting suggests a number of other groups, including Axiom, APT17, and Ke3chang, are closely linked to Winnti Group.
Targets
Automotive · Business · Cryptocurrency · Education · Energy · Finance · Healthcare · High-Tech · Intergovernmental · Media · Pharmaceuticals · Private sector · Retail · Services · Telecommunications · Travel
Regions
China · France · Hong Kong · India · Italy · Japan · Myanmar · Netherlands · Singapore · South Africa · South Korea · Switzerland · Thailand · Turkey · United Kingdom · United States
Capabilities
- Custom malware/implant development — ATT&CK: 3 attributed custom malware families
TTPs — 6 techniques across 5 tactics
Resource Development
- T1583.001 Acquire Infrastructure: Domains
Stealth
- T1014 Rootkit
Defense Impairment
- T1553.002 Subvert Trust Controls: Code Signing
Discovery
- T1057 Process Discovery
- T1083 File and Directory Discovery
Command and Control
- T1105 Ingress Tool Transfer
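The code-signing entry above (T1553.002) is the technique this group is best known for: a binary carrying a valid signature from a legitimate but stolen certificate passes any check that only asks "does it verify?". The following is an added example, not threatfilter.dev code and not any tooling attributed to the group, of the triage rule a defender would run over signed-binary telemetry instead: a valid signature from a publisher that is not expected on the fleet is still a finding, and a signature from a certificate already known to be revoked is a strong one. The event shape, the publisher names, the thumbprints and the revoked set are all constructed for illustration; in practice the allowlist comes from your software inventory and the revoked set from CRL/OCSP results or vendor advisories.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SignedBinaryEvent:
    """One signed-binary observation, as an EDR or Sysmon-style pipeline
    would emit it. Field layout is an assumption for this example."""
    host: str
    path: str
    signed: bool
    signature_valid: bool   # cryptographic chain verifies at time of logging
    signer_subject: str     # CN of the leaf certificate, as logged
    cert_thumbprint: str    # SHA-1 thumbprint of the leaf, hex, as logged


# Constructed allowlist: leaf-certificate thumbprints expected on this fleet,
# keyed by thumbprint rather than subject string. Placeholder values.
EXPECTED_THUMBPRINTS = {
    "0A" * 20: "Example Corp Ltd (constructed publisher)",
}

# Constructed set of thumbprints already reported stolen/revoked. Placeholder.
REVOKED_THUMBPRINTS = {
    "0B" * 20,
}


def triage_signature(ev: SignedBinaryEvent) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a suspicious signature, or None.

    Ordering matters: a revoked certificate still *verifies* if the
    verifier does not consult revocation data, so the revoked check must
    come before the 'valid but unexpected' check."""
    if not ev.signed:
        # Unsigned binaries are a separate policy question; out of scope here.
        return None
    if not ev.signature_valid:
        return ("medium", f"{ev.path}: signature present but does not verify")
    thumbprint = ev.cert_thumbprint.upper()
    if thumbprint in REVOKED_THUMBPRINTS:
        return ("high",
                f"{ev.path}: verifying signature from revoked certificate "
                f"({ev.signer_subject})")
    if thumbprint not in EXPECTED_THUMBPRINTS:
        return ("medium",
                f"{ev.path}: valid signature from unexpected publisher "
                f"'{ev.signer_subject}'")
    return None


def triage_events(events: List[SignedBinaryEvent]) -> List[Tuple[str, str, str]]:
    """Run triage over a batch; returns (host, severity, reason) per finding."""
    findings: List[Tuple[str, str, str]] = []
    for ev in events:
        result = triage_signature(ev)
        if result is not None:
            findings.append((ev.host, result[0], result[1]))
    return findings


# Constructed sample telemetry: one expected signer, one valid-but-unexpected
# signer (the stolen-certificate pattern), one revoked, one broken signature.
SAMPLE_EVENTS = [
    SignedBinaryEvent("ws-01", r"C:\Program Files\Example\svc.exe", True, True,
                      "Example Corp Ltd", "0A" * 20),
    SignedBinaryEvent("ws-02", r"C:\Windows\Temp\update.exe", True, True,
                      "Constructed Game Studio Co", "0C" * 20),
    SignedBinaryEvent("ws-03", r"C:\Users\Public\driver.sys", True, True,
                      "Constructed Game Studio Co", "0B" * 20),
    SignedBinaryEvent("ws-04", r"C:\ProgramData\helper.dll", True, False,
                      "Example Corp Ltd", "0A" * 20),
]

if __name__ == "__main__":
    for host, severity, reason in triage_events(SAMPLE_EVENTS):
        print(f"[{severity}] {host}: {reason}")
```

The point of keying on thumbprint rather than subject is that a stolen certificate carries the victim's genuine subject name, so a name-based allowlist would wave it through; what stands out is a certificate your fleet has never needed, or one already on a revocation list. Revocation lookups themselves (CRL/OCSP) are deliberately outside this snippet.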
Tools & malware (3)
PipeMon · Winnti for Windows · PlugX