
G0044 Winnti Group

Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting.[3][5][4] Some reporting suggests a number of other groups, including Axiom, APT17, and Ke3chang, are closely linked to Winnti Group.[2]

ID: G0044
Associated Names: Blackfly
Version: 1.2
Created: 31 May 2017
Last Modified: 16 April 2025

Associated Group Descriptions

Name Description
Blackfly [1]

Techniques Used

Domain ID Name Use
enterprise T1583 Acquire Infrastructure -
enterprise T1583.001 Domains: Winnti Group has registered domains for C2 that mimicked sites of their intended targets.[3]
enterprise T1083 File and Directory Discovery: Winnti Group has used a program named ff.exe to search for specific documents on compromised hosts.[3]
enterprise T1105 Ingress Tool Transfer: Winnti Group has downloaded an auxiliary program named ff.exe to infected machines.[3]
enterprise T1057 Process Discovery: Winnti Group looked for a specific process running on infected servers.[3]
enterprise T1014 Rootkit: Winnti Group used a rootkit to modify typical server functionality.[3]
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing: Winnti Group used stolen certificates to sign its malware.[3]

Software

ID Name References Techniques (listed as Sub-technique: Technique)
S0501 PipeMon [6]: Bypass User Account Control: Abuse Elevation Control Mechanism; Create Process with Token: Access Token Manipulation; Parent PID Spoofing: Access Token Manipulation; Print Processors: Boot or Logon Autostart Execution; Windows Service: Create or Modify System Process; Deobfuscate/Decode Files or Information; Symmetric Cryptography: Encrypted Channel; Fallback Channels; Ingress Tool Transfer; Match Legitimate Resource Name or Location: Masquerading; Modify Registry; Native API; Non-Application Layer Protocol; Encrypted/Encoded File: Obfuscated Files or Information; Fileless Storage: Obfuscated Files or Information; Process Discovery; Dynamic-link Library Injection: Process Injection; Shared Modules; Security Software Discovery: Software Discovery; Code Signing: Subvert Trust Controls; System Information Discovery; System Network Configuration Discovery; System Time Discovery
S0013 PlugX [3]: Web Protocols: Application Layer Protocol; DNS: Application Layer Protocol; Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution; Windows Command Shell: Command and Scripting Interpreter; Windows Service: Create or Modify System Process; Local Data Staging: Data Staged; Debugger Evasion; Deobfuscate/Decode Files or Information; Symmetric Cryptography: Encrypted Channel; Mutual Exclusion: Execution Guardrails; Exfiltration Over C2 Channel; File and Directory Discovery; Hidden Files and Directories: Hide Artifacts; Hidden Window: Hide Artifacts; DLL: Hijack Execution Flow; Disable or Modify System Firewall: Impair Defenses; Clear Persistence: Indicator Removal; File Deletion: Indicator Removal; Ingress Tool Transfer; Keylogging: Input Capture; Local Storage Discovery; Masquerade Task or Service: Masquerading; Match Legitimate Resource Name or Location: Masquerading; Modify Registry; Native API; Network Share Discovery; Non-Application Layer Protocol; Non-Standard Port; Binary Padding: Obfuscated Files or Information; Dynamic API Resolution: Obfuscated Files or Information; Obfuscated Files or Information; Encrypted/Encoded File: Obfuscated Files or Information; Peripheral Device Discovery; Process Discovery; Query Registry; Reflective Code Loading; Replication Through Removable Media; Scheduled Task: Scheduled Task/Job; Screen Capture; System Information Discovery; System Location Discovery; System Network Configuration Discovery; System Network Connections Discovery; System Owner/User Discovery; System Time Discovery; MSBuild: Trusted Developer Utilities Proxy Execution; Malicious File: User Execution; System Checks: Virtualization/Sandbox Evasion; Dead Drop Resolver: Web Service
S0141 Winnti for Windows [3][5]: Bypass User Account Control: Abuse Elevation Control Mechanism; Web Protocols: Application Layer Protocol; Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution; Windows Service: Create or Modify System Process; Deobfuscate/Decode Files or Information; Symmetric Cryptography: Encrypted Channel; Environmental Keying: Execution Guardrails; File and Directory Discovery; File Deletion: Indicator Removal; Timestomp: Indicator Removal; Ingress Tool Transfer; Match Legitimate Resource Name or Location: Masquerading; Native API; Non-Application Layer Protocol; Compression: Obfuscated Files or Information; Encrypted/Encoded File: Obfuscated Files or Information; Process Discovery; External Proxy: Proxy; Internal Proxy: Proxy; Rundll32: System Binary Proxy Execution; System Information Discovery; Service Execution: System Services

References