Winnti Group, Blackfly, Group G0044 | MITRE ATT&CK

Winnti Group

Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. [1] [2] [3] Some reporting suggests a number of other groups, including Axiom, APT17, and Ke3chang, are closely linked to Winnti Group. [4]

ID: G0044
Associated Groups: Blackfly
Contributors: Edward Millington
Version: 1.2
Created: 31 May 2017
Last Modified: 16 April 2025

Associated Group Descriptions

| Name | Description |
|---|---|
| Blackfly | [5] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1583.001 | Acquire Infrastructure: Domains | Winnti Group has registered domains for C2 that mimicked sites of their intended targets. [1] |
| Enterprise | T1083 | File and Directory Discovery | Winnti Group has used a program named ff.exe to search for specific documents on compromised hosts. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | Winnti Group has downloaded an auxiliary program named ff.exe to infected machines. [1] |
| Enterprise | T1057 | Process Discovery | Winnti Group looked for a specific process running on infected servers. [1] |
| Enterprise | T1014 | Rootkit | Winnti Group used a rootkit to modify typical server functionality. [1] |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Winnti Group used stolen certificates to sign its malware. [1] |

Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0501 | PipeMon | [6] | Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Create Process with Token, Access Token Manipulation: Parent PID Spoofing, Boot or Logon Autostart Execution: Print Processors, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Fallback Channels, Ingress Tool Transfer, Masquerading: Match Legitimate Resource Name or Location, Modify Registry, Native API, Non-Application Layer Protocol, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Fileless Storage, Process Discovery, Process Injection: Dynamic-link Library Injection, Shared Modules, Software Discovery: Security Software Discovery, Subvert Trust Controls: Code Signing, System Information Discovery, System Network Configuration Discovery, System Time Discovery |
| S0013 | PlugX | [1] | Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Staged: Local Data Staging, Debugger Evasion, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Execution Guardrails: Mutual Exclusion, Exfiltration Over C2 Channel, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Hide Artifacts: Hidden Window, Hijack Execution Flow: DLL, Impair Defenses: Disable or Modify System Firewall, Indicator Removal: Clear Persistence, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Local Storage Discovery, Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Resource Name or Location, Modify Registry, Native API, Network Share Discovery, Non-Application Layer Protocol, Non-Standard Port, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information: Dynamic API Resolution, Obfuscated Files or Information, Obfuscated Files or Information: Encrypted/Encoded File, Peripheral Device Discovery, Process Discovery, Query Registry, Reflective Code Loading, Replication Through Removable Media, Scheduled Task/Job: Scheduled Task, Screen Capture, System Information Discovery, System Location Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Time Discovery, Trusted Developer Utilities Proxy Execution: MSBuild, User Execution: Malicious File, Virtualization/Sandbox Evasion: System Checks, Web Service: Dead Drop Resolver |
| S0141 | Winnti for Windows | [1] [2] | Abuse Elevation Control Mechanism: Bypass User Account Control, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Execution Guardrails: Environmental Keying, File and Directory Discovery, Indicator Removal: File Deletion, Indicator Removal: Timestomp, Ingress Tool Transfer, Masquerading: Match Legitimate Resource Name or Location, Native API, Non-Application Layer Protocol, Obfuscated Files or Information: Compression, Obfuscated Files or Information: Encrypted/Encoded File, Process Discovery, Proxy: External Proxy, Proxy: Internal Proxy, System Binary Proxy Execution: Rundll32, System Information Discovery, System Services: Service Execution |

References

1. Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
2. Tarakanov, D. (2015, June 22). Games are over: Winnti is now targeting pharmaceutical companies. Retrieved January 14, 2016.
3. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
4. Hegel, T. (2018, May 3). Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers. Retrieved July 8, 2018.
5. DiMaggio, J. (2016, March 15). Suckfly: Revealing the secret life of your code signing certificates. Retrieved August 3, 2016.
6. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.