Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. (Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015) (Citation: Novetta Winnti April 2015) Some reporting suggests a number of other groups, including Axiom, APT17, and Ke3chang, are closely linked to Winnti Group. (Citation: 401 TRG Winnti Umbrella May 2018)
| Platform | Tactic | Technique | Description | Data Sources |
|---|---|---|---|---|
| macOS, Windows | defense-evasion | Code Signing | Winnti Group used stolen certificates to sign its malware. | Binary file metadata |
| Linux, macOS, Windows | defense-evasion | Rootkit | Winnti Group used a rootkit to modify typical server functionality. | BIOS, MBR, System calls |
| Linux, macOS, Windows | discovery | Process Discovery | Winnti Group looked for a specific process running on infected servers. | Process monitoring, Process command-line parameters |