{
	"id": "d4922cc9-7503-4fad-b938-a2eccc2fd056",
	"created_at": "2026-04-06T00:19:08.827246Z",
	"updated_at": "2026-04-10T03:32:21.29961Z",
	"deleted_at": null,
	"sha1_hash": "0c9d4d28544bc5576d7adcbaedd0da1e18d7f4be",
	"title": "GitHub - TKCERT/winnti-detector: Network detector for Winnti malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56236,
	"plain_text": "GitHub - TKCERT/winnti-detector: Network detector for Winnti\r\nmalware\r\nBy sruester\r\nArchived: 2026-04-05 13:42:00 UTC\r\nwinnti-detector detects Winnti (as of 2016/2017) communication patterns in network traffic.\r\nIt can read PCAPs or listen on a live interface.\r\nWinnti\r\nWinnti is a malware that is used by some APT groups.\r\nIt has been used since at least 2013 and has evolved over time. You can find some information here\r\nhttps://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-than-just-a-game-130410.pdf\r\nhttps://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf\r\nhttps://hitcon.org/2016/pacific/0composition/pdf/1201/1201%20R2%201610%20winnti%20polymorphism.pdf\r\nHandshake\r\nThe driver component of Winnti (aka \"NdisReroute\") is able to reroute network traffic from ports that are already\r\noccupied by legit applications to the malware's userspace component.\r\nThe first packet of a TCP stream signals the driver that the stream shall be rerouted. I call such a packet a \"Winnti\r\nHELO\". It is exactly 16 bytes long and the bytes match the following relation:\r\nWinnti handshake Example:\r\n dw0 dw1 dw2 dw3\r\n5B 44 B4 91 xx xx xx xx 31 18 30 59 [84 C8] {6A 5C}\r\n5B 44 B4 91 == 31 18 30 59 ^ {6A 5C} [84 C8]\r\ndw0 calculated from dw2 and dw3\r\ndw1 random but not zero. Only seen timestamps in here but any value works.\r\ndw2 random but not zero\r\ndw3 random but not zero\r\nInstallation\r\nhttps://github.com/TKCERT/winnti-detector\r\nPage 1 of 2\n\nwinnti-detector uses libnids which you can install with\r\n# git clone https://github.com/MITRECND/libnids.git\r\n# cd libnids\r\n# ./configure --enable-shared \u0026\u0026 make \u0026\u0026 sudo make install\r\n# sudo ldconfig -i\r\nYou can then compile and run winnti-detector\r\n# make\r\n# ./wntidect\r\nwntidect version 1.6 using libnids 1.25 -- Stefan Ruester\r\nUsage: ./wntidect \u003c-i device|-f pcapfile\u003e [-l]\r\n -l Log to syslog (local7.alert 'nsm')\r\nOutput\r\nstdout\r\n$ wntidect -f finding.pcap\r\nwntidect version 1.6 using libnids 1.25 -- Stefan Ruester\r\n[i] Reading PCAP file eth0_capture.pcap\r\n[!] 2018-01-23 09:12:50.709193Z Found WINNTI session setup: (TCP) 10.123.12.123:59308 -\u003e 10.34.34.34:443\r\n[!] 2018-03-06 00:28:46.525901Z Found WINNTI session setup: (UDP) 10.123.12.123:58762 -\u003e 10.34.34.35:443\r\nsyslog\r\nAs the usage text suggests, you can use the parameter -l to write syslog entries whenever a match is found. The\r\nprogram always also outputs findings on stdout.\r\nSource: https://github.com/TKCERT/winnti-detector\r\nhttps://github.com/TKCERT/winnti-detector\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://github.com/TKCERT/winnti-detector"
	],
	"report_names": [
		"winnti-detector"
	],
	"threat_actors": [
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434748,
	"ts_updated_at": 1775791941,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0c9d4d28544bc5576d7adcbaedd0da1e18d7f4be.pdf",
		"text": "https://archive.orkl.eu/0c9d4d28544bc5576d7adcbaedd0da1e18d7f4be.txt",
		"img": "https://archive.orkl.eu/0c9d4d28544bc5576d7adcbaedd0da1e18d7f4be.jpg"
	}
}