{
	"id": "1a7a4ad3-4b63-43f9-8bc0-e704a84160ea",
	"created_at": "2026-04-06T00:20:52.662607Z",
	"updated_at": "2026-04-10T13:12:56.433744Z",
	"deleted_at": null,
	"sha1_hash": "24c56b407a7d2b66e7917e6070be14c93ed158f9",
	"title": "Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 157025,
	"plain_text": "Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 16:11:42 UTC\r\nCybersecurity often focuses on malware campaigns or the latest zero-day exploit. Surveys and reports reveal the average cost of a data breach or how much it typically costs to recover from a ransomware attack. Those are the attacks that make noise and capture attention, though. The attacks that fly under the radar are often more insidious and much more costly.\r\nResearchers at Cybereason recently discovered such an attack, which was assessed to be the work of Chinese APT Winnti. Cybereason briefed the US Federal Bureau of Investigation (FBI) and Department of Justice (DOJ) on the investigation into the malicious campaign, which Cybereason researchers dubbed Operation CuckooBees.\r\nFor years, the campaign had operated undetected, siphoning intellectual property and sensitive data. The team published two reports: one that examines the tactics and techniques of the overall campaign and another that provides a more detailed analysis of the malware and exploits used.\r\nhttps://www.cybereason.com/blog/operation-cuckoobees-cybereason-uncovers-massive-chinese-intellectual-property-theft-operation\r\nPage 1 of 6\n\nWinnti Kill Chain as observed in Operation CuckooBees\r\nOperation CuckooBees\r\nIn 2021, the Cybereason Nocturnus Incident Response Team was engaged to investigate multiple intrusions targeting technology and manufacturing companies in North America, Europe, and Asia. They found an elusive and sophisticated cyber espionage campaign operating undetected since at least 2019.\r\nWith years to surreptitiously conduct reconnaissance and identify valuable data, it is estimated that the group managed to exfiltrate hundreds of gigabytes of information. 
The attackers targeted intellectual property developed by the victims, including sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data.\r\nIn addition, the attackers collected information that could be used for future cyberattacks, such as details about the target company’s business units, network architecture, user accounts and credentials, employee emails, and customer data.\r\nCybereason researchers attribute the intrusions and Operation CuckooBees with a moderate-to-high degree of confidence to the Winnti APT group. Winnti, also known as APT 41, BARIUM, and Blackfly, is a Chinese state-sponsored APT group known for its stealth, sophistication, and focus on stealing technology secrets.\r\nKey Findings\r\nAttribution to the Winnti APT Group: based on the analysis of the forensic artifacts, Cybereason estimates with medium-high confidence that the perpetrators of the attack are linked to the notorious Winnti APT group. This group has existed since at least 2010, is believed to be operating on behalf of Chinese state interests, and specializes in cyberespionage and intellectual property theft.\r\nDiscovery of New Malware in the Winnti Arsenal: the reports expose a previously undocumented malware strain called DEPLOYLOG used by the Winnti APT group and highlight new versions of known Winnti malware, including Spyder Loader, PRIVATELOG, and WINNKIT.
\r\nRarely Seen Abuse of the Windows CLFS Feature: the attackers leveraged the Windows CLFS mechanism and NTFS transaction manipulations, which allowed them to conceal their payloads and evade detection by traditional security products.\r\nIntricate and Interdependent Payload Delivery: the reports include an analysis of the complex infection chain that led to the deployment of the WINNKIT rootkit, which is composed of multiple interdependent components. The attackers implemented a delicate “house of cards” approach, meaning that each component depends on the others to function properly, making it very difficult to analyze each component separately.\r\nThe Winnti Malware Arsenal: the reports include an analysis of:\r\nSpyder: A sophisticated modular backdoor.\r\nSTASHLOG: The initial deployment tool “stashing” payloads in Windows CLFS.\r\nSPARKLOG: Extracts and deploys PRIVATELOG to gain privilege escalation and achieve persistence.\r\nPRIVATELOG: Extracts and deploys DEPLOYLOG.\r\nDEPLOYLOG: Deploys the WINNKIT Rootkit and serves as a userland agent.\r\nWINNKIT: The Winnti Kernel-level Rootkit.\r\nMulti-year Cyber Espionage Intrusions: The Cybereason IR team investigated a sophisticated and elusive cyber espionage operation that has remained undetected since at least 2019 with the goal of stealing sensitive proprietary information from technology and manufacturing companies mainly in East Asia, Western Europe, and North America.
\r\nNewly Discovered Malware and Multi-Stage Infection Chain: the research examines both known and previously undocumented Winnti malware, which included digitally signed kernel-level rootkits as well as an elaborate multi-stage infection chain that enabled the operation to remain undetected since at least 2019.\r\nThe Winnti Playbook: This research offers a unique glimpse into the Winnti intrusion playbook, detailing the most frequently used tactics, as well as some lesser-known evasive techniques that were observed during the investigation.\r\nWinnti Group\r\nThe Winnti Group is one of the most prolific and successful threat actors in existence. Winnti has a history of attacks and campaigns supporting Chinese state-sponsored espionage activity and financially-motivated attacks.\r\nWinnti is an exceptionally capable adversary. One report states, “The group’s distinct use of supply chain compromises to target select individuals, consistent use of compromised digital certificates, and deployment of bootkits (rare among APT operators), highlight a creative and well-resourced adversary.”\r\nThe Cybereason research agrees with that assessment. Operation CuckooBees offers a glimpse into the evolving Winnti intrusion playbook. Along with well-known and frequently used attacks, Cybereason researchers also witnessed unique evasive techniques.\r\nWinnti leveraged both known and previously undocumented malware techniques, including digitally signed kernel-level rootkits. The threat actor employed an elaborate, multi-stage infection chain that was critical to enabling the group to remain undetected for so long.\r\nIntellectual Property Under Siege\r\nIntellectual property rights are essential to the global economy. 
Patents, copyrights, and trademarks are respected and enforced around the world because nations recognize that innovative concepts, and the effort that goes into research and development and bringing them to market, deserve to be rewarded.\r\nIt undermines the economy if other companies or nations steal intellectual property and force the originator to compete against their own innovation—often undercutting the price because they have no investment in research and development from which to recover costs.\r\nIntellectual property is also a prime target for both corporate and nation-state espionage. Despite the agreements and protections in place, those with more ambition than ethics prefer to invest effort and resources in stealing the intellectual property of others rather than striving to develop their own innovations.\r\nChina and entities aligned with Chinese interests frequently engage in intellectual property theft. In May of 2021, the US charged four Chinese nationals for their involvement in a global computer intrusion campaign targeting intellectual property and confidential business information. The group employed fake online profiles and spear phishing, along with hijacked credentials and sophisticated malware, to compromise networks and exfiltrate data.\r\nSilent, But Costly\r\nIt is hard to determine the exact economic impact of intellectual property theft. There are a variety of factors involved. Data is the currency of business today, and the line between cyber espionage and nation-state espionage has blurred.\r\nThere are a variety of ways that stolen data might be used that could have significant consequences. Suffice it to say that losing gigabytes of sensitive and proprietary intellectual property is a massive hit to the bottom line and erases any competitive advantage in the marketplace.
\r\nIt is also hard to estimate the exact number of companies affected by Operation CuckooBees due to the complexity, stealth, and sophistication of the attacks. Winnti is one of the most industrious groups operating on behalf of Chinese state-aligned interests.\r\nOver the years, there have been multiple reports and US Department of Justice (DOJ) indictments tying Winnti to large-scale IP theft operations. Cybereason researchers believe that dozens of other companies were potentially affected by this or similar campaigns carried out by Winnti.\r\nCyber espionage doesn’t usually generate the same degree of panic or media attention as other cyberattacks, but the lack of attention doesn’t make it any less dangerous. A malicious campaign that silently steals intellectual property for years is exceptionally costly and may have repercussions for years to come.\r\nThe Cybereason Nocturnus Team has published two reports related to Operation CuckooBees. For more on this campaign and the tactics, techniques, and procedures used, check out Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. For a detailed look at the malware toolkit employed in Operation CuckooBees, check out Operation CuckooBees: A Winnti Malware Arsenal Deep-Dive.\r\nAbout the Author\r\nCybereason Nocturnus\r\nThe Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. 
The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.\r\nSource: https://www.cybereason.com/blog/operation-cuckoobees-cybereason-uncovers-massive-chinese-intellectual-property-theft-operation",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cybereason.com/blog/operation-cuckoobees-cybereason-uncovers-massive-chinese-intellectual-property-theft-operation"
	],
	"report_names": [
		"operation-cuckoobees-cybereason-uncovers-massive-chinese-intellectual-property-theft-operation"
	],
	"threat_actors": [
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434852,
	"ts_updated_at": 1775826776,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/24c56b407a7d2b66e7917e6070be14c93ed158f9.pdf",
		"text": "https://archive.orkl.eu/24c56b407a7d2b66e7917e6070be14c93ed158f9.txt",
		"img": "https://archive.orkl.eu/24c56b407a7d2b66e7917e6070be14c93ed158f9.jpg"
	}
}