{
	"id": "43b4e31b-9070-4149-87db-171ca13c08e5",
	"created_at": "2026-04-06T00:19:25.165027Z",
	"updated_at": "2026-04-10T03:32:21.257465Z",
	"deleted_at": null,
	"sha1_hash": "2c5dab1fd7db17ec2685922a42807cc3cffd9328",
	"title": "Winnti Group targeting universities in Hong Kong",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 542923,
	"plain_text": "Winnti Group targeting universities in Hong Kong\r\nBy Mathieu Tartare\r\nArchived: 2026-04-05 19:07:28 UTC\r\nIn November 2019, we discovered a new campaign run by the Winnti Group against two Hong Kong universities.\r\nWe found a new variant of the ShadowPad backdoor, the group’s flagship backdoor, deployed using a new\r\nlauncher and embedding numerous modules. The Winnti malware was also found at these universities a few\r\nweeks prior to ShadowPad.\r\nThe Winnti Group, active since at least 2012, is responsible for high-profile supply-chain attacks against the\r\nvideo game and software industries leading to the distribution of trojanized software (such as CCleaner, ASUS\r\nLiveUpdate and multiple video games) that is then used to compromise more victims. It is also known for having\r\ncompromised various targets in the healthcare and education sectors.\r\nESET researchers recently published a white paper updating our understanding of the arsenal of the Winnti Group,\r\nfollowing a blog post documenting a supply-chain attack targeting the videogame industry in Asia. Additionally,\r\nwe published a blog post on a new backdoor named skip-2.0 that targets Microsoft SQL Server.\r\nThis article focuses on the technical details of this new ShadowPad variant.\r\nAbout the “Winnti Group” naming:\r\nWe have chosen to keep the name “Winnti Group” since it’s the name first used to identify it, in 2013, by\r\nKaspersky. Since Winnti is also a malware family, we always write \"Winnti Group\" when we refer to the\r\nmalefactors behind the attacks. 
Since 2013, it has been demonstrated that Winnti is only one of the many malware\r\nfamilies used by the Winnti Group.\r\nShadowPad found at several Hong Kong universities\r\nIn November 2019, ESET's machine-learning engine, Augur, detected a malicious and unique sample present on\r\nmultiple computers belonging to two Hong Kong universities where the Winnti malware had already been found\r\nat the end of October. The suspicious sample detected by Augur is actually a new 32-bit ShadowPad launcher.\r\nSamples from both ShadowPad and Winnti found at these universities contain campaign identifiers and C\u0026C\r\nURLs with the names of the universities, which indicates a targeted attack.\r\nIn addition to the two compromised universities, thanks to the C\u0026C URL format used by the attackers we have\r\nreasons to think that at least three additional Hong Kong universities may have been compromised using these\r\nsame ShadowPad and Winnti variants.\r\nThis campaign of the Winnti Group against Hong Kong universities was taking place in the context of Hong Kong\r\nfacing civic protests that started in June 2019 triggered by an extradition bill. Even though the bill was withdrawn\r\nin October 2019, protests continued, demanding full democracy and investigation of the Hong Kong police. These\r\nhttps://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/\r\nPage 1 of 10\n\nprotests gathered hundreds of thousands of people in the streets with large support from students of Hong Kong\r\nuniversities, leading to multiple university campus occupations by the protesters.\r\nWe have contacted the compromised universities and provided the necessary information and assistance to\r\nremediate the compromise.\r\nUpdated launcher\r\nUnlike previous ShadowPad variants documented in our white paper on the arsenal of the Winnti Group, this\r\nlauncher is not obfuscated using VMProtect. 
Furthermore, the encrypted payload is neither embedded in the\r\noverlay nor located in a COM1:NULL.dat alternate data stream. And the usual RC5 encryption with a key derived\r\nfrom the volume ID of the system drive of the victim machine (as seen in the PortReuse backdoor, skip-2.0 and\r\nsome ShadowPad variants) is not present either. In this case, the launcher is much simpler.\r\nDLL side-loading\r\nThe launcher is a 32-bit DLL named hpqhvsei.dll, which is the name of a legitimate DLL loaded by hpqhvind.exe.\r\nThis executable is from HP and is usually installed with their printing and scanning software called “HP Digital\r\nImaging”. In this case the legitimate hpqhvind.exe was dropped by the attackers, along with their malicious\r\nhpqhvsei.dll, in C:\\Windows\\Temp.\r\nAlthough we do not have the component that dropped and executed this launcher, the presence of these files leads\r\nus to think that the initial execution of this launcher is done through DLL side-loading.\r\nWhen the malicious DLL is loaded at hpqhvind.exe startup, its DllMain function is called, which checks its\r\nparent process for the following sequence of bytes at offset 0x10BA:\r\n85 C0 ; test eax, eax\r\n0F 84 ; jz\r\nIn the case where the parent process is hpqhvind.exe, this sequence of bytes is present at this exact location and\r\nthe malicious DLL will proceed to patch the parent process in memory. It replaces the original instructions at\r\n0x10BA with an unconditional jump (jmp – 0xE9) to the address of the function from hpqhvsei.dll that decrypts\r\nand executes the encrypted payload embedded in the launcher.\r\nThe decompiled function responsible for patching the parent process is shown in Figure 1. In case hpqhvsei.dll is\r\nloaded by a different process than hpqhvind.exe, the malicious code will not be decrypted and executed.\r\nFigure 1. 
Decompiled function responsible for patching the parent process\r\nThe difference between the original and patched hpqhvind.exe is shown in Figure 2.\r\nFigure 2. Difference between original (left) and patched (right) hpqhvind.exe\r\nThe part of the code that is patched is located at the very beginning of the main function of hpqhvind.exe. As we\r\ncan see in Figure 2, the patched code is located right after the load of hpqhvsei.dll. This means that the function\r\nresponsible for decrypting and executing the payload is executed directly after the load of the malicious DLL.\r\nPayload decryption\r\nThe encrypted payload is located in the .rdata section of hpqhvsei.dll and the decryption algorithm is an XOR loop\r\nwhere the XOR key is updated at each iteration, as shown in Figure 3.\r\nFigure 3. Pseudocode of the payload decryption loop\r\nThe decrypted payload is the usual shellcode responsible for ShadowPad initialization (obfuscated using fake\r\nconditional jumps to hinder disassembly).\r\nPersistence\r\nAfter having been decrypted, ShadowPad's shellcode is executed. It will first achieve persistence on the system by\r\nwriting the in-memory patched parent process to disk to a path specified in the configuration string pool. In the\r\ncase we examined, the path was C:\\ProgramData\\DRM\\CLR\\CLR.exe. It then creates a service named\r\nclr_optimization_v4.0.30229_32, which is responsible for executing CLR.exe. To avoid suspicion, this service\r\nname, as well as the executable name, were chosen to look similar to the name of a Microsoft .NET optimization\r\nservice.\r\nThe full staging process is summarized in Figure 4. The numbering on each arrow corresponds to the\r\nchronological sequence of events.\r\nFigure 4. 
ShadowPad staging process\r\nModules\r\nShadowPad is a multimodular backdoor where the modules are referenced from the Root module with a circular\r\nlist from which one can extract the module address, a UNIX timestamp (probably embedded automatically during\r\nthe module’s compilation process) and a module identifier. From the module itself we can also extract the name\r\nthe developer gave to the module. This version embeds the 17 modules listed in the following table:\r\nTable 1. Modules used with this ShadowPad version\r\nID  | Name        | Timestamp                       | Description\r\n100 | Root        | Thu 24 Oct 2019 12:08:27 PM UTC | Initial shellcode\r\n101 | Plugins     | Thu 24 Oct 2019 12:07:02 PM UTC | Provides API for the other modules; loads modules\r\n102 | Config      | Thu 24 Oct 2019 12:07:09 PM UTC | Handles encrypted configuration string pool\r\n103 | Install     | Thu 24 Oct 2019 12:07:46 PM UTC | Achieves persistence\r\n104 | Online      | Thu 24 Oct 2019 12:07:17 PM UTC | Overall communications with the C\u0026C server\r\n106 | ImpUser     | Thu 24 Oct 2019 12:07:24 PM UTC | User impersonation via token duplication\r\n200 | TCP         | Thu 24 Oct 2019 12:01:01 PM UTC | TCP communications\r\n202 | HTTPS       | Thu 24 Oct 2019 12:01:15 PM UTC | HTTPS communications\r\n207 | Pipe        | Thu 24 Oct 2019 12:01:35 PM UTC | Handles named pipes\r\n300 | Disk        | Thu 24 Oct 2019 12:02:29 PM UTC | File system operations\r\n301 | Process     | Thu 24 Oct 2019 12:02:36 PM UTC | Process handling\r\n302 | Servcie     | Thu 24 Oct 2019 12:02:45 PM UTC | Service handling\r\n303 | Register    | Thu 24 Oct 2019 12:02:52 PM UTC | Registry operations\r\n304 | Shell       | Thu 24 Oct 2019 12:03:00 PM UTC | Command line operations\r\n306 | Keylogger   | Thu 24 Oct 2019 12:03:16 PM UTC | Keylogging to file system\r\n307 | Screen      | Thu 24 Oct 2019 12:03:25 PM UTC | Screenshot capture\r\n317 | RecentFiles | Thu 24 Oct 2019 12:04:44 PM UTC | Lists recently accessed files\r\nThese modules, except for RecentFiles, have already been mentioned by Kaspersky and Avast. Notice the\r\n“Servcie” typo.\r\nAs usual, all the module timestamps are spread over a short time range, which could suggest the use of a build\r\nframework to compile these modules. This also suggests that these modules were built a few hours before the\r\nlauncher itself, whose compilation timestamp is Thu Oct 24 14:10:32 2019. Since this compilation timestamp\r\ndates back two weeks before this campaign, it’s likely that it hasn’t been tampered with by the attackers.\r\nOne might also note that the number of modules embedded in this variant is much higher (17) than the number of\r\nmodules embedded in the variants previously documented in our white paper (8 to 10 modules).\r\nBy default, every keystroke is recorded using the Keylogger module (306, previously documented by Avast) and\r\nsaved to disk in the file %APPDATA%\\PAGM\\OEY\\XWWEYG\\WAOUE.\r\nThe log file is encrypted using the same algorithm as the one used to encrypt static strings from the module. Using\r\nthis module by default indicates that the attackers are interested in stealing information from the victims’\r\nmachines. In contrast, the variants we described in our white paper didn’t even have that module embedded.\r\nConfiguration\r\nAs with previous ShadowPad variants, the Config module (102) contains an encrypted string pool that can be\r\naccessed from any other module. The string pool is never stored entirely decrypted in memory; the field of interest\r\nis decrypted when needed and then immediately freed (thus quickly unavailable). The configuration size is 2180\r\nbytes and the encrypted strings are located at offset 0x84. 
The algorithm used to decrypt the strings is the same as\r\nthe one used to decrypt the static strings of the module. The decrypted content of the string pool is the following:\r\n0x84: 2019/11/7 16:28:36\r\n0x99: CAMPAIGN_ID_REDACTED\r\n0xa1: %ALLUSERSPROFILE%\\DRM\\CLR\\CLR.exe\r\n0xc5: clr_optimization_v4.0.30229_32\r\n0xe6: clr_optimization_v4.0.30229_32\r\n0x107: clr_optimization_v4.0.30229_32\r\n0x128: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\n0x158: CLR\r\n0x15e: %ProgramFiles%\\Windows Media Player\\wmplayer.exe\r\n0x197: %windir%\\system32\\svchost.exe\r\n0x1b7: TCP://b[redacted].dnslookup.services:443\r\n0x1db: UDP://b[redacted].dnslookup.services:443\r\n0x202: SOCKS4\r\n0x21e: SOCKS5\r\nThe campaign ID is located at offset 0x99 and is the name of the targeted university. Having a campaign ID\r\nrelated to the target is quite common in the case of ShadowPad and Winnti.\r\nInterestingly, the timestamp present in this config at offset 0x84 is later than the modules’ timestamps and the\r\nloader compilation timestamp. This suggests that this config is added manually to the sample after having been\r\nbuilt. Even though it’s probably coincidental, the date within the config corresponds to the date of the first\r\ndetection of this sample at the corresponding university.\r\nNetwork Communications\r\nOnce installed on the system, ShadowPad starts a hidden and suspended Microsoft Windows Media Player\r\nwmplayer.exe process and injects itself into that process. The path to wmplayer.exe is provided by the Config\r\nmodule.\r\nOnce ShadowPad is injected into wmplayer.exe, the Online module will contact the C\u0026C server using the URL\r\nspecified in the configuration. 
It will then start listening for connections on port 13567 after having updated\r\nfirewall rules accordingly:\r\nRegistry key:\r\nHKLM\\SYSTEM\\ControlSet001\\services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{816381AB-1400-45E5-B560-B8E11C5988CF}\r\nValue:\r\nv2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|LPort=13567|Name=Network Discovery (TCP)|\r\nThe communication is then handled by the TCP module (200), which was previously documented by Kaspersky.\r\nWinnti malware was there as well\r\nIn addition to ShadowPad, the Winnti malware was found on some machines at these two universities at the end of\r\nOctober (i.e. two weeks before ShadowPad) in the file C:\\Windows\\System32\\oci.dll and is detected by ESET\r\nproducts as Win64/Winnti.CA.\r\nThe Winnti malware usually contains a configuration specifying a campaign ID and a C\u0026C URL. On all machines\r\nthe campaign ID matches the name of the targeted university and the C\u0026C URLs are:\r\nw[redacted].livehost.live:443\r\nw[redacted].dnslookup.services:443\r\nwhere the redacted part corresponds to the name of the targeted university.\r\nC\u0026C URL format\r\nOne can observe that the C\u0026C URL used by both Winnti and ShadowPad follows the scheme\r\n[backdoor_type][target_name].domain.tld:443, where [backdoor_type] is a single letter which is either “w” in the case of the\r\nWinnti malware or “b” in the case of ShadowPad.\r\nFrom this format, we were able to find several C\u0026C URLs, including three additional Hong Kong universities’\r\nnames. 
The campaign identifiers found in the samples we’ve analyzed match the subdomain part of the C\u0026C\r\nserver, showing that these samples were really targeted against these universities.\r\nConclusion\r\nThe Winnti Group is still actively using one of its flagship backdoors, ShadowPad, this time against Hong Kong\r\nuniversities. In this campaign, the VMProtected launcher used with ShadowPad, as well as with the PortReuse\r\nbackdoor and skip-2.0, was replaced by a simpler one. That these samples, in addition to having been found at\r\nthese universities, contain campaign IDs matching the universities’ names and use C\u0026C URLs containing the\r\nuniversities’ names are good indications that this campaign is highly targeted.\r\nWe will continue to monitor new activities of the Winnti Group and will publish relevant information on our blog.\r\nFor any inquiries, contact us at threatintel@eset.com. The IoCs are also available in our GitHub repository.\r\nIndicators of Compromise (IoCs)\r\nESET detection names\r\nWin32/Shadowpad.C trojan\r\nWin64/Winnti.CA trojan\r\nFile names\r\n%ALLUSERSPROFILE%\\DRM\\CLR\\hpqhvsei.dll\r\n%ALLUSERSPROFILE%\\DRM\\CLR\\CLR.exe\r\nC:\\windows\\temp\\hpqhvsei.dll\r\nC:\\windows\\temp\\hpqhvind.exe\r\n%SYSTEM32%\\oci.dll\r\n%APPDATA%\\PAGM\\OEY\\XWWEYG\\WAOUE\r\nService display name\r\nclr_optimization_v4.0.30229_32\r\nC\u0026C servers\r\nb[org_name].dnslookup[.]services:443\r\nw[org_name].livehost[.]live:443\r\nw[org_name].dnslookup[.]services:443\r\nShadowPad launcher\r\nSimilar sample to avoid disclosing targeted universities.\r\n693f0bd265e7a68b5b98f411ecf1cd3fed3c84af\r\nMITRE ATT\u0026CK techniques\r\nTactic | ID | Name | Description\r\nPersistence | T1050 | New Service | ShadowPad persists as a service called clr_optimization_v4.0.30229_32.\r\nDefense Evasion | T1073 | DLL Side-Loading | ShadowPad’s launcher is loaded by a legitimate executable via DLL side-loading.\r\nDefense Evasion | T1055 | Process Injection | ShadowPad is injected into a wmplayer.exe process.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | ShadowPad launcher uses XOR to decrypt the payload. ShadowPad uses a custom algorithm to decrypt strings and configuration.\r\nDefense Evasion | T1027 | Obfuscated Files or Information | ShadowPad shellcode is XOR-encoded and uses fake conditional jumps to hinder disassembly. ShadowPad’s strings and configuration are encrypted. It also uses API hashing.\r\nDefense Evasion | T1143 | Hidden Window | ShadowPad is injected into a wmplayer.exe process started in a hidden window.\r\nDiscovery | T1010 | Application Window Discovery | ShadowPad’s keylogging module lists application windows.\r\nDiscovery | T1083 | File and Directory Discovery | ShadowPad’s RecentFiles module lists files recently accessed.\r\nCommand and Control | T1071 | Standard Application Layer Protocol | ShadowPad can use HTTP and HTTPS for C\u0026C communications.\r\nCommand and Control | T1043 | Commonly Used Port | ShadowPad uses TCP:443 and UDP:443.\r\nCommand and Control | T1065 | Uncommonly Used Port | ShadowPad listens on port 13567.\r\nCommand and Control | T1095 | Standard Non-Application Layer Protocol | ShadowPad can use UDP and TCP for C\u0026C communications.\r\nCommand and Control | T1024 | Custom Cryptographic Protocol | ShadowPad uses its own cryptographic protocol for C\u0026C communications.\r\nCollection | T1056 | Input Capture | ShadowPad has a keylogging module.\r\nCollection | T1113 | Screen Capture | ShadowPad has a screenshot module.\r\nExfiltration | T1022 | Data Encrypted | Keystrokes recorded by the keylogging module are stored encrypted on disk.\r\nSource: https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/"
	],
	"report_names": [
		"winnti-group-targeting-universities-hong-kong"
	],
	"threat_actors": [
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434765,
	"ts_updated_at": 1775791941,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2c5dab1fd7db17ec2685922a42807cc3cffd9328.pdf",
		"text": "https://archive.orkl.eu/2c5dab1fd7db17ec2685922a42807cc3cffd9328.txt",
		"img": "https://archive.orkl.eu/2c5dab1fd7db17ec2685922a42807cc3cffd9328.jpg"
	}
}