{
	"id": "e0477222-6e50-444d-a33a-26ecb2b36e47",
	"created_at": "2026-05-03T03:09:13.169016Z",
	"updated_at": "2026-05-03T03:09:28.976832Z",
	"deleted_at": null,
	"sha1_hash": "0d7eb14fdb39b733902394fb88190ca5686f2e9f",
	"title": "Winnti: More than just Windows and Gates",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1855434,
	"plain_text": "Winnti: More than just Windows and Gates\r\nBy Chronicle\r\nPublished: 2019-05-21 · Archived: 2026-05-03 02:11:01 UTC\r\n7 min read\r\nMay 15, 2019\r\nThe Winnti malware family was first reported in 2013 by Kaspersky Lab¹. Since then, threat actors leveraging Winnti malware have victimized a diverse set of targets for varied motivations. While the name ‘Winnti’ in public reporting was previously used to signify a single actor, pronounced divergence in targeting and tradecraft between campaigns has led industry consensus to break up the tracking of the continued use of the Winnti malware under different actor clusters. The underlying hypothesis² is that the malware itself may be shared (or sold) across a small group of actors.\r\nIn April 2019, reports³ emerged of an intrusion involving Winnti⁴ malware at a German pharmaceutical company. Following these reports, Chronicle researchers doubled down on efforts to unravel the various campaigns where Winnti was leveraged. Analysis of these larger, convoluted clusters is ongoing. While reviewing a 2015 report⁵ of a Winnti intrusion at a Vietnamese gaming company, we identified a small cluster of Winnti⁶ samples designed specifically for Linux⁷. The following is a technical analysis of this variant.\r\nTechnical Analysis\r\nThe Linux version of Winnti is comprised of two files: a main backdoor (libxselinux) and a library (libxselinux.so) used to hide its activity on an infected system.\r\nAs with other versions of Winnti, the core component of the malware doesn’t natively provide the operators with distinct functionality⁸. This component is primarily designed to handle communications and the deployment of modules directly from the command-and-control servers. During our analysis, we were unable to recover any active plugins. However, prior reporting⁹ suggests that the operators commonly deploy plugins for remote command execution, file exfiltration, and socks5 proxying on the infected host. We expect similar functionality to be leveraged via additional modules for Linux.\r\n‘libxselinux.so’ — the userland rootkit\r\n[image]\r\nhttps://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a\r\nPage 1 of 9\r\nThe library used to hide Winnti’s system activity is a copy of the open-source userland rootkit Azazel¹⁰, with minor changes. When executed, it registers symbols for multiple commonly used functions, including open(), rmdir(), and unlink(), and modifies their returns to hide the malware’s operations. Below is a side-by-side comparison of the Azazel source code and the relevant function decompilation from ‘libxselinux.so’.\r\n[image]\r\n[image]\r\nDistinct changes to Azazel by the Winnti developers include the addition of a function named ‘Decrypt2’, which is used to decode an embedded configuration, similar to the core implant. Unlike standard Azazel, which is configured to hide network activity based on port ranges, the Winnti-modified version keeps a list of process identifiers and network connections associated with the malware’s activity. This modification likely serves to simplify the operator’s sample configuration process by not having to denote specific ports to hide.\r\nStrings within this sample associated with the malware’s operations are encoded using a single-byte XOR encoding. The following is an example Python function to decode these strings.\r\n[image]\r\nlibxselinux\r\n[image]\r\nThe Winnti Linux variant’s core functionality is within ‘libxselinux’. Upon execution, an embedded configuration is decoded from the data section using a simple XOR cipher. An example Python function to decode this configuration is shown below:\r\n[image]\r\nThe decoded configuration is similar in structure to the version Kaspersky classifies as Winnti 2.0¹¹, as well as samples in the 2015 Novetta report¹². Embedded in this sample’s configuration are three command-and-control server addresses and two additional strings we believe to be campaign designators. In Winnti ver. 1, these values were designated as ‘tag’ and ‘group’. A sample decoded configuration is shown below:\r\n[image]\r\nWinnti Linux samples identified so far fall under three distinct campaign designators:\r\nFor context, embedded Winnti campaign designators have ranged from target names, geographic areas, industry, and profanity.\r\n[image]\r\nInteractions with control servers\r\nWinnti malware handles outbound communications using multiple protocols, including ICMP, HTTP, and custom TCP and UDP protocols. Use of these protocols is thoroughly documented in the Novetta and Kaspersky reports. While the outbound communication mechanisms are well documented, less attention has been paid to a feature of recent versions of Winnti we came across in the Linux variant (as well as Windows) that allows the operators to initiate a connection directly to an infected host, without requiring a connection to a control server. This secondary communication channel may be used by operators when access to the hard-coded control servers is disrupted. Additionally, the operators could leverage this feature when infecting internet-facing devices in a targeted organization to allow them to reenter a network if evicted from internal hosts. This passive-implant approach to network persistence has been previously observed with threat actors like Project Sauron and the Lamberts.\r\nInitial technical information about this feature was shared by the Thyssenkrupp CERT in the form of an Nmap¹³ script¹⁴ that could be used to identify Winnti infections through network scanning. This script identifies infected hosts by first sending a custom hello packet, immediately followed by an encoded request for host information, and then parsing the response. The workflow of the script is diagrammed below:\r\n[image]\r\nThe initial request, referred to as the helo/hello request in the Nmap script, is comprised of four DWORDs. The first three are generated by rand() and the fourth is computed based on the first and third. When received by a Winnti-infected host, it will validate the received packet and listen for a second inbound request containing tasking. A breakdown of this traffic is shown below.\r\n[image]\r\nThis second request (Encoded Get System Information Request) is encoded using the same method as the custom TCP protocol used for communication with command-and-control servers, which uses a four-byte XOR encoding. Before executing tasking, Winnti validates that the third DWORD contains the magic value 0xABC18CBA.\r\nWhile it may be possible to conduct broad scanning to identify infected systems, the results would likely only be the subset that are directly Internet accessible.\r\nConclusion\r\nClusters of Winnti-related activity have become a complex topic in threat intelligence circles, with activity vaguely attributed to different codenamed threat actors. The threat actors utilizing this toolset have repeatedly demonstrated their expertise in compromising Windows-based environments. An expansion into Linux tooling indicates iteration outside of their traditional comfort zone. This may indicate the OS requirements of their intended targets, but it may also be an attempt to take advantage of a security telemetry blind spot in many enterprises, as with Penquin Turla and APT28’s Linux XAgent variant. Utilizing a passive listener as a communications channel is characteristic of the Winnti developers’ foresight in needing a failsafe secondary command-and-control mechanism. Chronicle researchers maintain an active interest in clusters of Winnti activity and our research is ongoing.\r\nAdditional Indicators\r\n[image]\r\n[image]\r\nYARA\r\n(Click here for source rule text and additional IoCs)\r\nSource: https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"MITRE",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a"
	],
	"report_names": [
		"winnti-more-than-just-windows-and-gates-e4f03436031a"
	],
	"threat_actors": [],
	"ts_created_at": 1777777753,
	"ts_updated_at": 1777777768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0d7eb14fdb39b733902394fb88190ca5686f2e9f.pdf",
		"text": "https://archive.orkl.eu/0d7eb14fdb39b733902394fb88190ca5686f2e9f.txt",
		"img": "https://archive.orkl.eu/0d7eb14fdb39b733902394fb88190ca5686f2e9f.jpg"
	}
}