active threat profile
type: APT
threat_level: Critical
status: Active
origin: China — state-linked contractor network
last_updated: 2025-03-27

Winnti Group

also known as: APT41, BARIUM, LEAD, Double Dragon, Wicked Panda, Brass Typhoon, Earth Baku, Blackfly, Grayfly, RedGolf, G0044

One of the most structurally complex designations in threat intelligence — "Winnti" refers to a shared malware family, a set of tactics, and a loose contractor network under Chinese intelligence direction rather than a single cohesive group. Microsoft broke it into BARIUM (gaming / multimedia targeting, personal financial gain) and LEAD (industrial espionage, government targeting under MSS direction), while FireEye assigned the umbrella APT41 designation. Active since at least 2007, the Winnti-linked contractor network has conducted some of the most consequential supply chain attacks in history — trojanizing CCleaner, ASUS LiveUpdate, NetSarang, and multiple video games to reach downstream targets — while simultaneously running financially motivated operations against the gaming industry for in-game currency and virtual goods.

attributed origin: China — Chengdu, Sichuan (confirmed)
suspected sponsor: MSS / PLA (contractor model)
first observed: 2007 (publicly named 2013)
primary motivation: Dual — Espionage (state) + Financial (personal)
primary targets: Gaming, Tech, Healthcare, Pharma, Telecom, Government, Defense
countries targeted: 20+ confirmed
mitre att&ck group: G0044 (APT41) / G0096 (APT41 subgroup)
front company: Chengdu 404 Network Technology
threat level: Critical

Overview

The "Winnti Group" designation is one of the most frequently misused terms in threat intelligence. It does not refer to a single, unified threat actor. Kaspersky named it in 2013 after the Winnti malware family used in attacks on video game companies — at the time identifying what appeared to be one group. Subsequent research by 401TRG, ESET, Mandiant, and others revealed that multiple distinct teams were sharing Winnti malware, infrastructure, and tactics under Chinese intelligence direction — a contractor network that 401TRG began calling the "Winnti Umbrella."

The most significant analytical split was made by Microsoft — BARIUM and LEAD — and subsequently formalized under the APT41 designation by Mandiant/FireEye. BARIUM (associated with Tan Dailin alias "Withered Rose" and Zhang Haoran) focused on supply chain attacks against gaming and software companies, primarily for financial gain: stealing source code, code-signing certificates, and virtual currency. LEAD (associated with the Chengdu 404 Network Technology front company and individuals including Jiang Lizhi "BlackFox") conducted state-directed espionage against government, defense, healthcare, pharmaceutical, and telecommunications organizations. Both clusters shared ShadowPad — a modular backdoor that succeeded PlugX — as a flagship tool, and both have been attributed to operations in Chengdu.

In September 2020, the US Department of Justice unsealed indictments against five Chinese nationals and two Malaysian accomplices tied to APT41, naming the Chengdu 404 front company and its three principals, Jiang Lizhi, Qian Chuan, and Fu Qiang, alongside Zhang Haoran and Tan Dailin. Despite the indictments, operations continued without significant disruption. The RevivalStone campaign documented by LAC in March 2024 against Japanese manufacturing, materials, and energy companies used an enhanced Winnti malware variant with new evasion techniques, confirming active operations through the present.

A critical technical characteristic of the Winnti network is the systematic theft and abuse of code-signing certificates from compromised software vendors. Valid certificates — stolen from gaming companies, software vendors, and hardware manufacturers — are used to sign malware payloads, bypassing driver-signing enforcement, endpoint detection, and application whitelisting controls. This certificate theft strategy also drives the group's targeting of software supply chain positions, which provide access to both certificates and the downstream update infrastructure needed for mass malware distribution.

active campaign — march 2024 (revivalstone)

LAC documented the RevivalStone campaign in March 2024, attributing it to Winnti (Earth Freybug subset of APT41) targeting Japanese manufacturing, materials, and energy sector organizations. The attack chain exploited SQL injection in an ERP system to deploy webshells (China Chopper, Behinder), then installed an enhanced Winnti malware variant with new Control Flow Flattening obfuscation, ChaCha20 encryption, and EDR evasion through legitimate DLL side-loading. The campaign spread laterally through a managed service provider using a shared account, propagating to three additional organizations. References to TreadStone (a Winnti controller also found in the I-Soon leak) and StoneV5 (suggesting Winnti version 5.0) were identified in the campaign artifacts.

Target Profile

Winnti-linked operators target two distinct categories simultaneously: state-directed espionage targets aligned with CCP geopolitical and economic policy, and financially motivated targets in the gaming and software industries for direct profit.

  • Gaming industry (financial motivation): The group's original and sustained financial target. Game developers, publishers, distributors, and gambling platforms — primarily in South Korea, Taiwan, Japan, and China — are targeted for virtual currency theft, source code, and code-signing certificates. Build orchestration servers are specifically targeted so that official game executables can be poisoned, reaching millions of players.
  • Software supply chain (dual motivation): Software vendors occupying trusted positions in enterprise update infrastructure are the highest-value targets. NetSarang (enterprise SSH software), CCleaner (2.2 million users), ASUS LiveUpdate (hundreds of thousands of machines), and multiple video game platforms have been successfully trojanized. The goal: reach downstream targets — particularly technology companies — who would otherwise be difficult to compromise directly.
  • Pharmaceutical and healthcare: Consistent with China's Made in China 2025 policy targeting pharmaceutical and biomedical sectors. Winnti attacks on healthcare and pharma organizations are assessed as state-directed IP theft to accelerate domestic pharmaceutical development and reduce China's dependence on Western drug imports.
  • Telecommunications: Telecom companies are targeted for call record data, infrastructure access, and surveillance capability. The group has targeted telecom networks in advance of Chinese officials traveling to affiliated countries, conducting reconnaissance for security purposes.
  • Government and defense: State-directed LEAD subgroup targets foreign government agencies, defense contractors, and military organizations aligned with China's geopolitical intelligence priorities. The Made in China 2025 alignment drives targeting of semiconductor, aerospace, and defense sectors.
  • Academia and think tanks: Universities and policy research organizations have been targeted for intellectual property and personnel tracking — including Hong Kong universities during the 2019 protests, where student protesters were among those whose institutions were compromised.
  • Geographic breadth: Confirmed operations in the US, Taiwan, India, Japan, South Korea, Australia, France, UK, Germany, Canada, Ireland, Brunei, Vietnam, Mongolia, Indonesia, Bangladesh, Thailand, Hong Kong, and China itself — 20+ countries documented across the known operational history.

Tactics, Techniques & Procedures

The Winnti network's TTPs span the full intrusion lifecycle, with particular sophistication in supply chain compromise, defense evasion through legitimate code signing, and long-duration stealth operations measured in months to years without detection.

mitre id  technique  description

T1195.002  Supply Chain Compromise — Software Distribution
    The defining Winnti Umbrella capability. Software vendors are compromised at the build or distribution stage, allowing malicious code to be inserted into legitimate signed updates reaching millions of users. CCleaner (2.2M users, 2017), NetSarang (enterprise SSH, 2017), ASUS LiveUpdate (ShadowHammer, 2019), and multiple Asian video games have been successfully trojanized. The malware is selectively activated on a small subset of machines meeting criteria of interest — making mass detection near-impossible.

T1553.002  Code Signing Certificate Theft and Abuse
    A primary objective of gaming and software company intrusions. Stolen code-signing certificates are used to sign malware payloads — granting them trust in driver-signing enforcement, EDR allowlists, and application control policies. Certificates stolen from a video game company compromised in 2018 were still in use in 2020 ESET-documented campaigns. Certificate validity is the primary enabler of kernel-level malware loading.

T1190  Exploit Public-Facing Application
    Winnti operators exploit vulnerabilities in internet-facing applications for initial access, including SQL injection in ERP systems (RevivalStone 2024), CVE-2019-19781 (Citrix ADC), CVE-2020-10189 (Zoho ManageEngine), CVE-2019-11510 (Pulse VPN), and ProxyLogon/ProxyShell Microsoft Exchange vulnerabilities. The 2020–2021 wave of exploitation documented in the DOJ indictment used zero-days in enterprise software at scale across hundreds of organizations simultaneously.

T1071.001  C2 — Microsoft Graph API (CUNNINGPIGEON)
    Recent Winnti campaigns documented by Trend Micro use the CUNNINGPIGEON backdoor, which fetches commands from mail messages via the Microsoft Graph API. This technique routes C2 traffic through legitimate Microsoft cloud infrastructure — making it indistinguishable from normal Microsoft 365 service traffic at the network perimeter level and bypassing domain-reputation-based blocking.

T1543.003  PRIVATELOG / STASHLOG — CLFS Payload Hiding
    The Cybereason-documented Operation CuckooBees campaign revealed Winnti hiding payloads in Windows Common Log File System (CLFS) log files using custom malware called STASHLOG. CLFS uses a proprietary undocumented file format only accessible through Windows API functions — making forensic recovery of hidden payloads extremely difficult. PRIVATELOG (the loader) reads CLFS files to extract and execute the next-stage payload entirely from memory.

T1055  Process Injection / Kernel Rootkit (WINNKIT)
    The full Winnti malware deployment chain culminates in WINNKIT — a kernel-level rootkit that intercepts TCP/IP communications and creates covert channels with infected endpoints within the intranet. Deployed via the Winnti Loader (PRIVATELOG) executing the Winnti RAT (DEPLOYLOG), which then installs the rootkit via a rootkit installer. Kernel-level persistence enables covert communications invisible to userspace monitoring tools.

T1574.002  DLL Side-Loading / EDR Evasion (UNAPIMON)
    UNAPIMON — documented in RevivalStone and earlier campaigns — is a defense evasion utility that copies legitimate Windows DLL files to the System32 folder and loads them to bypass EDR product hooking. The Winnti Loader copies required DLLs with randomized filenames (e.g., _syFig.dll, _TcsTgyqmk.dll), uses them for operation, then deletes the copies. Control Flow Flattening (CFF) obfuscation is used to complicate static analysis of malware components.

T1560  Data Exfiltration / IP Theft
    Target data includes source code, code-signing certificates, customer databases, personally identifiable information, financial records, pharmaceutical research, and government documents. Operation CuckooBees recovered evidence of three years of undetected IP theft from a single multinational technology company. In gaming targets, virtual currency and in-game item databases are directly manipulated for financial gain.

T1072  Build Environment / MSP Compromise
    Build orchestration servers at software developers are a documented priority target — compromising the automated build system allows arbitrary code insertion into compiled executables before signing and distribution. In the RevivalStone campaign, a managed service provider was breached via a shared account, then used as a propagation vector to reach three additional victim organizations — demonstrating the multiplier effect of MSP compromise.

T1078  Valid Accounts / Credential Abuse
    Long-duration campaigns harvest credentials through LSASS dumping (Mimikatz), Kerberoasting, and web shell access. Shared accounts across MSP client environments are specifically exploited for lateral propagation. The RevivalStone campaign used credentials harvested during reconnaissance for lateral movement to the MSP and onward to client organizations.

Known Campaigns

Selected operations across the Winnti network's documented 15+ year operational history, illustrating the evolution from gaming-focused financial crime through large-scale supply chain poisoning to state-directed industrial espionage.

Video Game Industry — Source Code and Certificate Theft 2012–present

The foundational BARIUM-attributed operation type, running continuously since at least 2012. Gaming developers in South Korea, Taiwan, Japan, and China are compromised for three primary objectives: virtual currency manipulation for direct financial theft, source code exfiltration for reverse engineering and competitive intelligence, and code-signing certificate theft for use in subsequent malware campaigns. Build server compromises allow malicious code injection into official game executables, reaching player populations of millions. ESET documented active campaigns against Korean and Taiwanese MMO game developers in 2020, including a case where attackers controlled the build orchestration server.

NetSarang ShadowPad Supply Chain Attack 2017

Winnti/BARIUM compromised NetSarang, a South Korean company whose Xmanager and Xshell products are used by IT administrators at financial institutions, energy companies, and governments worldwide. A backdoored version of the software containing ShadowPad malware was distributed through the official NetSarang update mechanism. The malware was selectively activated on systems in finance, pharmaceuticals, and government — demonstrating the group's ability to reach high-security environments through their trusted third-party software supply chains. The campaign was discovered by Kaspersky after a financial institution's unusual DNS queries triggered investigation.

CCleaner Supply Chain Attack 2017

Winnti/BARIUM compromised Piriform (then owned by Avast), inserting a backdoor into CCleaner version 5.33 distributed to approximately 2.2 million users through the official update server. The malware performed a second-stage payload activation only on systems belonging to a hardcoded list of technology companies including ASUS, Cisco, HTC, Intel, Samsung, Sony, Taiwanese Semiconductor Manufacturing, and VMware — all valid initial access targets for supply chain staging or IP theft. Kaspersky later identified the same C2 infrastructure used in the ASUS ShadowHammer attack, suggesting the CCleaner compromise was used to map target environments for subsequent dedicated attacks.

ASUS ShadowHammer 2019

Kaspersky discovered that ASUS Live Update — the pre-installed firmware update tool on millions of ASUS laptops — was compromised with a malicious backdoor distributed through the official ASUS update servers, affecting an estimated 500,000 to 1 million machines. A second-stage payload was deployed only on machines whose MAC addresses appeared in a hardcoded target list of approximately 600 specific devices — almost certainly systems pre-identified from the CCleaner campaign data. The malware was signed with a legitimate ASUS code-signing certificate, making it indistinguishable from official updates to all security products checking signatures.

Hong Kong University Targeting — ShadowPad and Winnti 2019–2020

ESET documented Winnti Group compromises at multiple Hong Kong universities during the 2019 pro-democracy protests. The targeting — in the context of massive student-led demonstrations and university campus occupations — is assessed as state-directed surveillance tasking: identifying and tracking student protest organizers. At least five Hong Kong universities are believed to have been compromised using campaign-specific variants of ShadowPad and Winnti malware with C2 URLs incorporating the universities' names. The campaign demonstrated Chinese intelligence's use of the Winnti contractor network for domestic and semi-domestic political surveillance alongside foreign espionage.

Operation CuckooBees — Multi-Year Undetected IP Theft 2019–2022

Cybereason documented a Winnti campaign running undetected for at least three years inside a multinational technology company, stealing pharmaceutical research, proprietary manufacturing processes, R&D data, clinical trial documentation, and engineering blueprints. The attackers used a uniquely sophisticated infection chain: STASHLOG hiding payloads in Windows CLFS log files, PRIVATELOG as a loader reading the CLFS files, followed by DEPLOYLOG (Winnti RAT) and WINNKIT kernel rootkit deployment. The complete chain operated without detection for years, reflecting the deep operational security investment the group makes in long-duration high-value intrusions. Symantec tracked overlapping activity as "Blackfly" targeting the same sectors.

DOJ Indictments — Chengdu 404 Unmasked 2020

The US Department of Justice unsealed indictments in September 2020 against five Chinese nationals — Zhang Haoran, Tan Dailin, Qian Chuan, Fu Qiang, and Jiang Lizhi — and two Malaysian accomplices for APT41 activities against more than 100 companies across Australia, Brazil, China, France, Germany, India, Japan, South Korea, Sweden, Taiwan, the UK, and the US. The indictments identified Chengdu 404 Network Technology Company as the front company. Chengdu 404 had promoted itself as a white-hat network security firm conducting penetration testing, forensics, and defensive services — consistent with the Chinese contractor model where security firms provide legitimate services as cover for intelligence contracting. No arrests were made; all named individuals remain in China.

RevivalStone — Japanese Industrial Targeting 2024

LAC documented the RevivalStone campaign in March 2024, targeting Japanese manufacturing, materials, and energy sector companies — critical Made in China 2025 intelligence targets. The enhanced Winnti malware incorporated new evasion: Control Flow Flattening obfuscation, XOR and ChaCha20 encryption for string obfuscation, and UNAPIMON-style EDR evasion via legitimate DLL loading. The attack chain entered through SQL injection in an ERP system, deployed China Chopper and Behinder webshells, conducted reconnaissance, and installed Winnti. The campaign propagated through a managed service provider using a shared account to reach three additional victim organizations. References to TreadStone (found in the I-Soon leak) and StoneV5 confirm ongoing tooling development within the contractor network.

Tools & Malware

The Winnti network maintains one of the most extensive proprietary malware arsenals in Chinese APT operations, combining purpose-built tools with shared platforms like ShadowPad that are leased or provided to affiliated groups.

  • ShadowPad: The flagship modular backdoor of the Winnti network, and the successor to PlugX. A privately sold or shared platform rather than open-source — accessible to a limited set of Chinese intelligence-affiliated groups. Modular architecture allows remote deployment of new plugins without updating the core backdoor. Provides persistent access, credential theft, file operations, process management, and network tunneling. Used in CCleaner, NetSarang, ShadowHammer, and dozens of subsequent espionage campaigns. SentinelOne assessed the lead developer may have co-developed with PlugX author "whg."
  • Winnti RAT (DEPLOYLOG): The group's eponymous custom backdoor, first identified by Kaspersky in 2013. Provides remote access, file management, process injection, and covert TCP/IP communication. In the RevivalStone campaign it was delivered through a multi-stage loading process: Winnti Loader (PRIVATELOG) → Winnti RAT → Winnti Rootkit (WINNKIT). Continuously updated — StoneV5 references suggest version 5.0 was in active development by 2024.
  • WINNKIT: A kernel-level rootkit deployed as the final stage of the Winnti malware chain. Intercepts TCP/IP network interface communications and creates covert intranet channels between infected endpoints. Loaded by the Winnti RAT via a rootkit installer and requires kernel-signed driver privileges — enabled by stolen code-signing certificates.
  • PRIVATELOG / STASHLOG: A two-component stealth loading system documented in Operation CuckooBees. STASHLOG hides payloads in Windows Common Log File System (CLFS) log files — an undocumented binary format accessible only via Windows API. PRIVATELOG reads the CLFS files to extract and execute next-stage payloads entirely in memory, leaving no disk-based artifacts for traditional forensic recovery.
  • CUNNINGPIGEON: A backdoor using the Microsoft Graph API to fetch commands from mail messages — routing C2 traffic through Microsoft cloud infrastructure. Commands support file and process management and custom proxy operations. The use of Microsoft 365 infrastructure for C2 bypasses perimeter controls that rely on domain reputation or IP blocking.
  • WINDJAMMER: A rootkit that intercepts TCP/IP network interface data and creates covert channels between compromised endpoints within an intranet, allowing lateral movement that evades internal network monitoring.
  • DEATHLOTUS: A passive CGI backdoor supporting file creation and command execution, deployed against web-facing servers for persistent access to compromised web infrastructure.
  • UNAPIMON: A defense evasion utility that copies legitimate Windows DLLs to circumvent EDR API hooking. Documented in both RevivalStone (2024) and earlier campaigns, indicating its continued operational utility. Files are renamed with underscore-prefixed randomized strings, used, then deleted to limit detection.
  • PlugX / Crosswalk / HIGHNOON: Additional RATs used across LEAD subgroup espionage operations, with PlugX tracing back to 2008 and still in operational use across Chinese APT groups sharing infrastructure with the Winnti network. Crosswalk is a modular backdoor documented in multiple Winnti campaigns.
  • China Chopper / Behinder webshells: Standard initial webshell deployment tools used post-exploitation on compromised web servers, documented in RevivalStone and multiple other campaigns. China Chopper is a minimal, widely shared tool with a tiny client-side component.

Indicators of Compromise

The Winnti network's long-duration stealth operations and extensive defense evasion make point-in-time IOCs unreliable as primary detection mechanisms. Behavioral detection is substantially more effective.

warning

Winnti-linked groups maintain multi-year undetected presence in victim environments by design. Network and host IOCs rotate between campaigns. Behavioral indicators below are more durable than specific hashes or domains. Organizations in targeted sectors should prioritize threat hunting for behavioral patterns over reactive IOC matching — the group's operational security means static IOCs are typically stale before they reach public threat intelligence feeds.

indicators of compromise — behavioral and structural
file path:    %SYSTEM32%\spool\prtprocs\x64\ — Winnti/PipeMon staging path (also used in CCleaner second stage)
behavior:     CLFS log file access via Windows API for payload storage (STASHLOG/PRIVATELOG chain)
behavior:     DLL files renamed _[5-9 random chars].dll in System32 — UNAPIMON EDR evasion pattern
behavior:     Microsoft Graph API authentication from non-user processes — CUNNINGPIGEON C2
behavior:     SessionEnv service abuse for persistence — Winnti RAT loading chain (RevivalStone)
webshell:     China Chopper / Behinder (IceScorpion) — initial post-exploitation webshell deployment
hunt query:   Unsigned dropper + kernel driver signed with gaming/software company certs — ApcHelper-style deployment
certificate:  Code-signing certs from gaming/software companies predating the organization's known compromise window — red flag for stolen cert reuse
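The behavioral indicators above can be expressed as hunting logic rather than static matches. The Python script below is an added example, not part of this profile or of any vendor's detection content. It evaluates constructed Sysmon-style events (file creates, file reads, driver loads) against four of the patterns listed: underscore-prefixed randomized DLL copies in System32 (UNAPIMON), writes to the prtprocs staging path by anything other than the print spooler, CLFS base log file (.blf) access by processes outside a small allowlist, and kernel driver loads whose signer is not on the organization's approved-publisher list. The allowlists, process names, signer names and file paths in the sample events are assumptions chosen for illustration and should be tuned to the estate being hunted.

```python
"""Hunting checks for the behavioral Winnti indicators listed above.

Added example. All events, allowlists and signer names are constructed
for illustration; they are not from any real incident or vendor content.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")
PRTPROCS = SYSTEM32 / "spool" / "prtprocs" / "x64"
# UNAPIMON naming pattern from the profile: underscore, 5-9 random characters, .dll
UNAPIMON_DLL = re.compile(r"^_[A-Za-z0-9]{5,9}\.dll$", re.IGNORECASE)
# Assumption: processes expected to touch CLFS base log files (.blf) on this estate
CLFS_ALLOWED_IMAGES = {"svchost.exe", "tiworker.exe", "srtasks.exe"}
# Assumption: signers the organization expects to see on kernel drivers
APPROVED_DRIVER_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}


def _image_name(ev):
    return PureWindowsPath(ev["image"]).name.lower()


def unapimon_dll_copy(ev):
    """Underscore-prefixed randomized DLL written directly into System32."""
    p = PureWindowsPath(ev["target"])
    return ev["kind"] == "file_create" and p.parent == SYSTEM32 and bool(UNAPIMON_DLL.match(p.name))


def prtprocs_staging(ev):
    """Write into the print-processor directory by anything other than the spooler."""
    p = PureWindowsPath(ev["target"])
    return ev["kind"] == "file_create" and p.parent == PRTPROCS and _image_name(ev) != "spoolsv.exe"


def clfs_access_unexpected_process(ev):
    """CLFS base log file opened by a process outside the allowlist."""
    p = PureWindowsPath(ev["target"])
    return (ev["kind"] in ("file_create", "file_read")
            and p.suffix.lower() == ".blf"
            and _image_name(ev) not in CLFS_ALLOWED_IMAGES)


def driver_unapproved_signer(ev):
    """Kernel driver load signed by a publisher not on the approved list."""
    return ev["kind"] == "driver_load" and ev.get("signer") not in APPROVED_DRIVER_SIGNERS


RULES = {
    "unapimon_dll_copy": unapimon_dll_copy,
    "prtprocs_staging": prtprocs_staging,
    "clfs_access_unexpected_process": clfs_access_unexpected_process,
    "driver_unapproved_signer": driver_unapproved_signer,
}


def hunt(events):
    """Return one finding per (event, matching rule) pair."""
    findings = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                findings.append({"rule": name, "image": ev["image"], "target": ev["target"]})
    return findings


def summarize(events):
    """Count findings per rule name."""
    return Counter(f["rule"] for f in hunt(events))


# Constructed Sysmon-style events ("kind" roughly maps to FileCreate / file read / DriverLoad)
SAMPLE_EVENTS = [
    {"kind": "file_create", "image": r"C:\Windows\System32\svchost.exe", "target": r"C:\Windows\System32\_syFig.dll"},
    {"kind": "file_create", "image": r"C:\Windows\System32\svchost.exe", "target": r"C:\Windows\System32\_TcsTgyqmk.dll"},
    {"kind": "file_create", "image": r"C:\Program Files\Vendor\setup.exe", "target": r"C:\Windows\System32\_ab.dll"},  # too short: benign
    {"kind": "file_create", "image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "target": r"C:\Windows\System32\spool\prtprocs\x64\helper.dll"},
    {"kind": "file_create", "image": r"C:\Windows\System32\spoolsv.exe", "target": r"C:\Windows\System32\spool\prtprocs\x64\winprint.dll"},
    {"kind": "file_read", "image": r"C:\Windows\WinSxS\TiWorker.exe", "target": r"C:\Windows\Logs\CBS\CbsPersist.blf"},
    {"kind": "file_read", "image": r"C:\ProgramData\update\java.exe", "target": r"C:\ProgramData\update\cache.blf"},
    {"kind": "driver_load", "image": "System", "target": r"C:\Windows\System32\drivers\vendorhid.sys",
     "signer": "Microsoft Windows Hardware Compatibility Publisher"},
    {"kind": "driver_load", "image": "System", "target": r"C:\Windows\Temp\nt.sys", "signer": "Example Game Studio Ltd"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['rule']:32} {f['image']} -> {f['target']}")
```

Run against the constructed events, the script raises five findings: both UNAPIMON-style DLL copies, the non-spooler write into prtprocs, the .blf read by the out-of-place java.exe, and the driver load signed by a publisher outside the approved list; the short `_ab.dll`, the spooler's own write, and the TiWorker.exe log access stay quiet. The driver rule deliberately flags on signer identity rather than signature validity, since a stolen certificate produces a perfectly valid signature.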

Mitigation & Defense

Defending against the Winnti network requires controls at both the software supply chain level and the internal network level. Standard perimeter defenses are insufficient — the group's supply chain entry vectors are specifically designed to deliver malware inside the perimeter pre-authenticated.

  • Software supply chain verification: Implement sub-resource integrity checks and hash verification for all software updates before deployment. Treat software update channels as untrusted until each update is verified against an out-of-band hash or signing policy. For enterprise software procurement, require vendors to document their build pipeline security as a procurement requirement.
  • Code-signing certificate monitoring: Monitor your organization's code-signing certificates for use in signing binaries that your organization did not produce. Enroll certificates in CT (Certificate Transparency) logs and alert on unexpected usage. Revoke certificates immediately if a build environment is suspected of compromise.
  • CLFS anomaly detection: Alert on CLFS log file access by non-Windows processes. Winnti's STASHLOG technique of hiding payloads in CLFS log files is detectable via API call monitoring — specifically CLFS API functions invoked by unexpected processes. Endpoint detection rules should flag process access to CLFS log files outside of Windows Update and System Restore contexts.
  • Microsoft Graph API monitoring: Monitor for Microsoft Graph API authentication tokens issued to processes that are not legitimate Microsoft 365 applications or approved enterprise tooling. CUNNINGPIGEON's C2 channel via Graph API is detectable by correlating OAuth token issuance events with the processes requesting them.
  • Kernel driver integrity monitoring: Enable HVCI (Hypervisor-Protected Code Integrity) and Windows Defender Credential Guard. Monitor for kernel driver installations outside of software update contexts. Alert on driver loading signed by certificates from companies in gaming, multimedia, or software sectors — a behavioral pattern consistent with stolen certificate reuse.
  • MSP and shared account risk reduction: The RevivalStone campaign propagated through a managed service provider using a shared account. Audit and restrict shared credential usage across MSP boundaries. Ensure each client environment has dedicated, segmented credentials that cannot be used to pivot across the MSP's other clients.
  • Threat hunting for long-duration persistence: Winnti campaigns are designed to persist undetected for months to years. Standard alert-driven incident response will not detect them. Implement proactive threat hunting programs specifically targeting CLFS payload hiding, kernel-mode rootkit indicators, and covert TCP/IP channel creation — the techniques documented in Operation CuckooBees that enabled three years of undetected presence.
  • ERP and build system network segmentation: RevivalStone entered via SQL injection in an ERP system. Build orchestration servers are priority lateral movement targets. Both should be on isolated network segments with strict outbound allow-listing and no direct internet access. Inbound connections to ERP systems from external IPs should be proxied through web application firewalls with SQL injection detection enabled.
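The first two mitigation items (out-of-band hash verification of updates and a pinned signing policy) can be combined into a single pre-deployment gate. The Python below is an added example, not code from this profile or from any vendor. It records the SHA-256 of an update obtained through a second channel in a MAC-protected manifest (the shared-key MAC is a stand-in for a properly signed manifest), pins the expected signer subject and certificate serial per product, and rejects a package if any check fails. The product name, certificate details, key and installer bytes are constructed. The trojanized case illustrates why signature validation alone is insufficient against the supply chain attacks described in this profile: a build signed with the vendor's own certificate still fails the out-of-band hash pin.

```python
"""Pre-deployment gate for vendor updates: out-of-band hash pin plus signer policy.

Added example. The vendor, key, certificate details and installer bytes are
constructed for illustration; the signer fields stand in for the result of the
platform's Authenticode check, which is outside the scope of this script.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Assumption: key held by the deploying organization, never by the vendor.
# A production gate would use a signed manifest instead of a shared-key MAC.
MANIFEST_KEY = b"constructed-demo-key-do-not-use"


@dataclass(frozen=True)
class SignerInfo:
    """What the platform's signature check reported (constructed values)."""
    subject: str
    serial: str


@dataclass(frozen=True)
class UpdatePackage:
    product: str
    version: str
    content: bytes
    signer: SignerInfo


# Assumption: per-product signing policy maintained by the organization.
SIGNING_POLICY = {
    "ExampleSSH": {"subject": "Example Software Co.", "serials": {"0A1B2C"}},
}


def make_manifest(product, version, content):
    """Build a pinned manifest from a hash obtained out of band (e.g. vendor advisory)."""
    body = json.dumps({"product": product, "version": version,
                       "sha256": hashlib.sha256(content).hexdigest()}, sort_keys=True)
    mac = hmac.new(MANIFEST_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify_update(pkg, manifest):
    """Return (allowed, reasons). Every check must pass; reasons lists each failure."""
    reasons = []
    expected_mac = hmac.new(MANIFEST_KEY, manifest["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        return False, ["manifest MAC invalid"]
    pinned = json.loads(manifest["body"])
    if (pinned["product"], pinned["version"]) != (pkg.product, pkg.version):
        reasons.append("manifest does not cover this product/version")
    digest = hashlib.sha256(pkg.content).hexdigest()
    if not hmac.compare_digest(digest, pinned["sha256"]):
        reasons.append("content hash differs from out-of-band pin")
    policy = SIGNING_POLICY.get(pkg.product)
    if policy is None:
        reasons.append("no signing policy for product")
    else:
        if pkg.signer.subject != policy["subject"]:
            reasons.append("unexpected signer subject")
        if pkg.signer.serial not in policy["serials"]:
            reasons.append("signer certificate serial not pinned")
    return (not reasons), reasons


# Constructed scenario: a genuine build and a trojanized build of the same version.
GENUINE = b"genuine installer bytes v2.1"
TROJANIZED = b"genuine installer bytes v2.1 + appended backdoor"
VENDOR_CERT = SignerInfo("Example Software Co.", "0A1B2C")
MANIFEST = make_manifest("ExampleSSH", "2.1", GENUINE)


def demo():
    """Run the gate over three packages and return the decisions by scenario name."""
    results = {}
    results["genuine"] = verify_update(
        UpdatePackage("ExampleSSH", "2.1", GENUINE, VENDOR_CERT), MANIFEST)
    # Trojanized build signed with the vendor's own (stolen) certificate:
    # the signature is valid, but the bytes do not match the out-of-band pin.
    results["trojanized_validly_signed"] = verify_update(
        UpdatePackage("ExampleSSH", "2.1", TROJANIZED, VENDOR_CERT), MANIFEST)
    # Genuine bytes signed with a certificate whose serial is not pinned.
    results["unpinned_cert"] = verify_update(
        UpdatePackage("ExampleSSH", "2.1", GENUINE, SignerInfo("Example Software Co.", "FFFF")), MANIFEST)
    return results


if __name__ == "__main__":
    for name, (allowed, reasons) in demo().items():
        print(f"{name:28} allowed={allowed} {reasons}")
```

The gate is deliberately conjunctive: the manifest must authenticate, the hash must match the pinned value, and the signer must match both subject and serial. Pinning the serial rather than only the subject is what catches a certificate reissued or substituted under the vendor's name, and the hash pin is what catches a trojanized build carrying a valid signature.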

analyst note

The Winnti designation's complexity — a shared malware family, a set of TTPs, and multiple distinct contractor teams — reflects the structure of Chinese intelligence cyber operations more broadly. The contractor model, in which technically capable private-sector security firms accept tasking from the MSS or PLA while also conducting independent financially motivated operations, is not unique to Winnti. The I-Soon leak in February 2024 exposed this model at scale: hundreds of government contracts, contractor teams, and tooling shared across multiple ostensibly separate APT clusters. TreadStone's appearance in both the RevivalStone campaign and the I-Soon leak confirms that Winnti tooling circulates within this broader contractor ecosystem. Organizations should treat the "Winnti" designation as representing persistent, well-resourced Chinese state-directed intrusion capability — with the understanding that the specific team and toolkit may vary while the strategic objectives remain consistent with CCP policy priorities.

Sources & Further Reading

Attribution and references used to build this profile.
