{
	"id": "d7a6be97-d6bb-43ee-aee2-d9aac91c5745",
	"created_at": "2026-04-06T01:32:10.09419Z",
	"updated_at": "2026-04-10T03:36:48.046229Z",
	"deleted_at": null,
	"sha1_hash": "32343e29daac413e21a72ed25decf3be28f7c0e2",
	"title": "Winnti is Coming - Evolution after Prosecution@HITCON2021",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 184602,
	"plain_text": "Winnti is Coming - Evolution after Prosecution@HITCON2021\r\nArchived: 2026-04-06 01:14:32 UTC\r\nSince APT41 was sued by the FBI last year, the group has not disappeared. Instead, they have used more\r\ninnovative and less well noticed techniques to evade detection by security products, such as:\r\n- Avoiding memory detection through dll hollowing technique\r\n- Using DPAPI to encrypt the real payload to make forensics more difficult.\r\n- Abusing the certificate to hide the payload in a signed PE file.\r\n- Using domain fronting techniques to hide the real IP address.\r\n- Using legitimate tools like InstallUtil to execute code and bypass application whitelisting.\r\nIn addition to malware that is known to be used by APT41 , we also found some newly developed malware. There\r\nare two new pieces of listening port malware.We also found a shellcode-based backdoor, Natwalk.\r\nThe group is also more careful in their usage of C2. They use DNS tunnelling extensively as well as Cloudflare\r\nWorker to hide their real C2 IP.\r\nWe have observed that APT41 targeted telecommunications companies, key medical institutions, governments,\r\nand major infrastructures in various countries in 2021.\r\nThe prosecution did not deter them, but instead prompted them to evolve their attack techniques, and make it\r\nharder for researchers to track and detect.\r\nIn this talk we will provide more details about the campaigns of APT41 , including its innovative TTPs, newly\r\ndeveloped malware, lateral movement techniques, and the strategies they used for C2 after they were sued by the\r\nFBI.\r\nWe also research the relation of the subgroups under APT41, like fishmaster and GroupCC.\r\nTranscript\r\n1. Winnti is Coming - Evolution after Prosecution TeamT5\r\n2.\r\n3.\r\n4. Who is Winnti? 4 https://twitter.com/jfslowik/status/1420924040047337474\r\nhttps://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021\r\nPage 1 of 8\n\n5. Winnti? 
APT41? 5 Ministry of State Security of the People's\r\nRepublic of China (MSS) • Winnti = APT41? • APT41 = Chengdu404? • Under APT41, it can be divided\r\ninto several groups via different techniques and targets • The targets are very wide. It is suspected that MSS\r\nhas integrated the resources, attack techniques, and tools to make this group look bigger. APT41 APT10\r\nAPT17 APT… Integration? Fishmaster /TAG-22 GroupCC Amoeba Unknown Group …\r\n6. Target Country Talk in last section 6\r\n7.\r\n8. Compromise Winnti is Coming - Evolution after Prosecution\r\n9.\r\n10. Webshell Access 10\r\n11. Probe plugin 11\r\n12. Webshell Upload 12\r\n13. Catalina Log 13\r\n14.\r\n15.\r\n16. Post-Compromise Winnti is Coming - Evolution after Prosecution\r\n17.\r\n18. Timeline for disseminating the Cobalt Strike\r\n2020.7 Chacha20 shellcode or loader (Chatloader) appeared to extract Cobalt Strike Beacon\r\n2020.11 Use CDN service in Cobalt Strike, especially DNS beacon\r\n2021.1 Use Cloudflare worker to hide real C2 IP\r\n2021.3 Use certificate bypass and dll hollowing technique in Chatloader\r\n2021.4 Use multiple .NET loaders and misuse InstallUtil to load Cobalt Strike\r\n2021.6 Use funnyswitch to load Cobalt Strike and use early bird code injection technique 18\r\n19.\r\n20. Chatloader ◆ Uses chacha20 algorithm to decrypt the payload ◆\r\nMost of the payload is Cobalt Strike, but we have also seen another backdoor ◆ ETW bypass ◆ Dll\r\nhollowing\r\noffset length data\r\n0x0:0xB 0xC config nonce\r\n0xC:0xF 0x4 config crc32\r\n0x10:0x13 0x4 config_enc_length\r\n0x14:0x14+config_enc_length config_enc_length ciphertext\r\n0x100:0x120 0x20 config key 20\r\n21. 
length data\r\n0x4 Header\r\n0x4 Check User is SYSTEM\r\n0x4 Mutex trigger\r\n0x4 Delete Loader trigger\r\n0x4 Patch EtwEventWrite trigger\r\n0x4 Process Hollowing trigger\r\n0x4 Injected Process Name Length (x2)\r\nInjected Process Name Length (x2) Injected Process Name\r\n0x4 Payload in Loader\r\n0x4 Payload Name Length (x2)\r\nPayload Name Length (x2) Payload Name\r\n0x4 Payload Size\r\n0x4 Payload FilePointor\r\n0x4 Payload crc32\r\n0xC Payload Nonce\r\nlength data\r\n0x4 Header\r\n0x4 Check User is SYSTEM\r\n0x4 Mutex trigger\r\n0x4 Delete Loader trigger\r\n0x4 Patch EtwEventWrite trigger\r\n0x4 Payload in Loader\r\n0x4 Payload Name Length (x2)\r\nPayload Name Length (x2) Payload Name\r\n0x4 Payload Size\r\n0x4 Payload FilePointor\r\n0x4 Payload crc32\r\n0xC Payload Nonce\r\nHeader:CB2F29AD Header:8BD6488B 21\r\n22. Chatloader config example\r\n====== Decrypt Config ======\r\nConfig Nonce (12 bytes) = 0xb5 0x5e 0x14 0x8d 0x46 0xe1 0x2e 0x97 0x5d 0x3d 0x75 0xf1\r\nConfig Nonce (base64) = tV4UjUbhLpddPXXx\r\nConfig CRC32 = 0xe 0xdc 0xac 0xad\r\nConfig CRC32 (base64) = DtysrQ==\r\nCiphertext length = 48\r\nConfig Key = 0xa2 0x42 0x99 0x5 0x5f 0x1f 0xc 0x14 0xcb 0xdd 0xb 0x1 0xdf 0xa6 0x4c 0x34 0xf5 0xfd 0x3 0x3c 0xa7 0xf1 0xaf 0x30 0xa0 0xc7 0x5c 0x57 0x35 0x9d 0x41 0xe0\r\nConfig Key (base64) = okKZBV8fDBTL3QsB36ZMNPX9Azyn8a8woMdcVzWdQeA=\r\n====== Config ======\r\nHead = 0xad 0x29 0x2f 0xcb\r\nCheck User is SYSTEM = 0\r\nMutex trigger = 0\r\nDelete Loader trigger = 0\r\nPatch EtwEventWrite trigger = 1\r\nPayload in Loader = 0\r\nPayload Name Length = 14\r\nPayload Name = Despxs.dll\r\nPayload Size = 3f800\r\nPayload FilePointor = 0\r\nPayload CRC32 = 0x40 0xf6 0x8f 0xa7\r\nPayload Nonce (12 bytes) = 0x93 0x49 0x68 0x79 0x6a 0xda 0xb5 0xcf 0xf0 0xf1 0xb3 0x4f 22\r\n23.\r\n24. Dll Hollowing (cont.) https://github.com/forrest-orr/phantom-dll-hollower-poc 24\r\n25.\r\n26. 
.NET loader structure\r\nVersion 2.63\r\noffset data\r\n38(h)-47 md5 hash of offset 48 until end\r\n48-53 Sha256 as AES key\r\n54-67 MD5 as AES IV\r\n68-end Encrypted payload with AES(ECB)\r\nAfter decryption (offset data)\r\n0-3 must be 1F A4 3A AC\r\n4-7 the length of the payload\r\n8-end malware payload\r\nVersion 17.102\r\noffset data\r\n84(h)-93 md5 hash of offset 48 until end\r\n94-9f Sha256 as AES key\r\na0-ab MD5 as AES IV\r\nac-end Encrypted payload with AES(ECB)\r\nAfter decryption (offset data)\r\n0-3 must be 0C C0 73 95\r\n4-7 the length of the payload\r\n8-end malware payload 26\r\n27. Funnyswitch loader ◆ Name from ptsecurity*, which will inject .NET\r\nbackdoor funny.dll in memory ◆ We found a new version of the loader (mcvsocfg.dll) which may target McAfee\r\nusers ◆ E:\\VS2019_Project\\while_dll_ms\\whilte\\x64\\Release\\macoffe.pdb ◆ Another :\r\nE:\\\\VS2019_Project\\\\prewhiltedll\\\\x64\\\\Release\\\\prewhiltedll.pdb ◆ We found the new loader injects\r\nCobalt Strike and funny.dll *https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/ Cobaltstrike funnydll 27\r\n28.\r\n29. Early bird code injection Loader ◆ Using open source Alaris\r\nloader* to use syscalls to run cobalt strike ◆ Load PNG resource as payload and decrypt with RC4 ◆\r\nUsing Detour to hook the FreeLibrary API of the launcher ◆ Using early bird code injection technique ◆\r\nNtTestAlert ◆ KiUserApcDispatcher *https://github.com/cribdragg3r/Alaris 29\r\n30.\r\n31.\r\n32. 
loader used by GroupCC 32 Signed file Temp.tmp winprint.exe rundll32.exe Stage_1.shellcode\r\n1.Read File binary 2.Create rundll32.exe Process 3.Inject shellcode in rundll32 4.Read File 5.decode cobaltstrike\r\n• winprint.exe first reads a piece of shellcode from the payload file and then\r\nopens rundll32.exe, calls RtlCreateUserThread to run the first stage shellcode in rundll32.exe • The first\r\nstage shellcode will read the payload file again, use VirtualAlloc to allocate memory in rundll32.exe, and\r\ninject the payload and decrypt it; finally, it will call EtwpCreateEtwThread to move the thread to the\r\nstarting point of the cobalt strike. GroupCC\r\n33. Backdoor Winnti is Coming - Evolution after Prosecution\r\n34.\r\n35.\r\n36.\r\n37. Shadowpad ◆ APT41 used the new builder of shadowpad in\r\n2021, which was mentioned in Ptsecurity’s report*, and which uses a new obfuscation method and decryption\r\nmethod for the configuration ◆ We think this builder was a shared tool, because we have also seen the Naikon\r\nTeam use this builder ◆ Md5 of the loader: 3520e591065d3174999cc254e6f3dbf5 37\r\nThe method to decrypt the string of the configuration:\r\nimport struct\r\n\r\n# IDA-style byte helpers used by the slide code; not defined on the slide\r\ndef LOBYTE(x): return x \u0026 0xFF\r\ndef BYTE1(x): return (x \u003e\u003e 8) \u0026 0xFF\r\ndef BYTE2(x): return (x \u003e\u003e 16) \u0026 0xFF\r\ndef HIBYTE(x): return (x \u003e\u003e 24) \u0026 0xFF\r\n\r\ndef decrypt_string(src):\r\n    # layout: 2-byte seed key, 2-byte data length, then the encrypted bytes\r\n    key = struct.unpack(\"\u003cH\", bytearray(src[0:2]))[0]\r\n    data_len = struct.unpack(\"\u003cH\", bytearray(src[2:4]))[0]\r\n    data = bytearray(src[4:4+data_len])\r\n    result = \"\"\r\n    i = 0\r\n    while i \u003c data_len:\r\n        # advance the 32-bit key stream: key += (key * 2 * 8) + 0x107E666D\r\n        tmp = key\r\n        tmp += tmp\r\n        key = (key + ((tmp * 8) \u0026 0xFFFFFFFF) + 0x107E666D) \u0026 0xFFFFFFFF\r\n        # keystream byte is the sum of the four key bytes, XORed with the ciphertext byte\r\n        result += chr(((HIBYTE(key) + BYTE2(key) + BYTE1(key) + LOBYTE(key)) ^ data[i]) \u0026 0xFF)\r\n        i += 1\r\n    return result\r\n*https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/\r\n38. 
Shadowpad config example 38\r\nid = 6/18/2021 11:26:19 AM\r\nMessenger = TEST\r\nBinary Path = %ALLUSERSPROFILE%\\Microsoft\\WinLSAM\\\r\nBinary Name = LSAM.exe\r\nLoader Name = log.dll\r\nPayload Name = log.dll.dat\r\nService Name = SystemAssociationManager\r\nService Display Name = System Association Manager\r\nService Description = This service provides support for the device association software. If this service is disabled, devices may be configured with outdated software, and may not work correctly.\r\nRegistry Key Install = SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nRegistry Value Name = LocalSystemAssociationManager\r\nInject Target 1 = %windir%\\system32\\svchost.exe\r\nInject Target 2 = %windir%\\system32\\wininit.exe\r\nInject Target 3 =\r\nInject Target 4 =\r\nSupposed to have 4 server\r\nServer1 = TCP://1dfpi2d8kx.wikimedia.vip:443\r\nServer2 =\r\nServer3 =\r\nServer4 =\r\nSocket 1 = SOCKS4\r\nSocket 2 = SOCKS4\r\nSocket 3 = SOCKS5\r\nSocket 4 = SOCKS5\r\nDNS 1 = 8.8.8.8\r\nDNS 2 = 8.8.8.8\r\nDNS 3 = 8.8.8.8\r\nDNS 4 = 8.8.8.8\r\nconfig offset:0x96\r\n39. Shadowpad Decryption Routine 39 Old Version\r\n40.\r\n41. Natwalk ◆ Dropped by chatloader ◆ First seen in the\r\nwild in 2021/3, and first seen on VT in 2020/9 ◆ Shellcode based backdoor ◆ It uses register + offset to\r\ncall the Windows api (also used by crosswalk) ◆ The name is from the unique file path it will look up :\r\n“%AllUserProfile%\\UTXP\\nat\\” rbx = 7FEF1431534 41\r\n42.\r\n43.\r\n44. Natwalk(cont.) 
command description\r\n0x64 Close sessions\r\n0x5C Update the ChaCha20 key for C2 communication\r\n0x66 Change the current status\r\n0x74 Terminate all threads\r\n0x78 kill process\r\n0x7c Run plug-in\r\n0x82 Enumerate user info\r\n0x8c Send config to C2\r\n0x8E Load additional config 44\r\nUnique string in the bottom of Natwalk: Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings ProxyServer texplorer.exe %AllUsersProfile%\\UTXP\\nat\\ %02X POST Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36 gtsid: gtuvid: https://msdn.microsoft.com https://www.google.com https://www.twitter.com https://www.facebook.com\r\n45.\r\n46.\r\n47. HIGHNOON command ◆ Command is same as the HIGHNOON mentioned\r\nby Macnica* in 2018\r\ncommand description\r\n0 Bind Network Socket\r\n1 Check IP address change and Receive Packet, Console Output\r\n3 Console Output\r\n4 Read //DEV//NULL and Console Output\r\n5 Check IP address change and Receive Packet, Console Output\r\n*https://hitcon.org/2018/pacific/downloads/1214-R2/1330-1400.pdf 47\r\n48.\r\n49.\r\n50.\r\n51.\r\n52. 
Fastly (GroupCC) 52\r\nBeaconType - HTTPS\r\nPort - 443\r\nSleepTime - 1000\r\nMaxGetSize - 1398119\r\nJitter - 10\r\nMaxDNS - Not Found\r\nPublicKey_MD5 - 9ee3e0425ade426af0cb07094aa29ebc\r\nC2Server - pypi.python.org,/latest/pip-check\r\nUserAgent - Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36\r\nHttpPostUri - /latest/check …\r\nPipeName - Not Found\r\nDNS_Idle - Not Found\r\nDNS_Sleep - Not Found\r\nSSH_Host - Not Found\r\nSSH_Port - Not Found\r\nSSH_Username - Not Found\r\nSSH_Password_Plaintext - Not Found\r\nSSH_Password_Pubkey - Not Found\r\nSSH_Banner - Host: pypi2-python.org …\r\nWatermark - 426352781 …\r\nProcInject_AllocationMethod - VirtualAllocEx\r\nbUsesCookies - True\r\nHostHeader - Host: pypi2-python.org …\r\npypi2-python.org.global.prod.fastly.net pypi2-python.org Real C2 IP\r\n53.\r\n54. Cobalt strike payload Same Xor key: 0x3A Funnyswitch dropper which\r\ninjected cobalt strike ITW Url Fishmaster operation – TAG-22* Funnyswitch dropper which injected\r\nfunnydll Connection of APT41 and fishmaster operation New builder of Shadowpad IR case Same PDB\r\nstring * https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/\r\n55.\r\n56. GroupCC Fishmaster BIOPASS RAT Python Script (local online server)\r\n57. GroupCC Fishmaster BIOPASS RAT Python Script (C1222 module)\r\n58.\r\n59. GroupCC Used (stolen) certificate\r\n◆ Quickteck.com ◆ Serial Number : 70 D8 96 11 7E 15 30 2C 7E EF EC B2 89 B3 BF E0\r\n◆ 주식회사 엘리시온랩 (Elysion Lab Co., Ltd.) ◆ Serial Number : 03 D4 33 FD C2 46 9E 9F D8 78 C8 0B C0 54 51 47\r\n◆ ARGOS LABS ◆ Serial Number : 00 F7 B7 5C 60 5B 00 83 95 73 8A AC 06 AB E3 B4 70\r\n◆ 1.A Connect GmbH ◆ Serial Number : 00 A7 E4 DE D4 BF 94 9D 15 AA 42 01 84 3F 1A B6 4D 59\r\n60.\r\n61. Amoeba v.s Fishmaster v.s GroupCC 61 ◆ Amoeba v.s. 
Fishmaster\r\n◆ Two possibilities ◆ Shared C2 ◆ 163.138.137.235 ◆ 93.180.156.77 ◆ Shared customized\r\nCobaltStrike ◆ Xor key : 0x3A ◆ Fishmaster v.s. GroupCC ◆ Shared Tool : Biopass RAT ◆ Similar\r\nTTPs ◆ Uses some stolen or revoked certificates ◆ Uses legitimate installer ◆ Uses aliyun as payload\r\nsites Amoeba Fishmaster GroupCC\r\n62.\r\n63.\r\n64. HW operation (護網行動) ◆ To detect the security issues of key\r\nnational infrastructure, and to test their event monitoring and ability to quickly coordinate with emergency\r\nincidents ◆ The targets involve many industries, including government, finance, electricity, and business\r\nkey enterprises in China. ◆ From OSINT, the operation started from 4/8 in 2021 64\r\n65. 南京木百文化传媒有限公司.exe\r\n66. Maybe link to HW operation 66 Cobalt strike loader in\r\nIR case which uses the alaris loader with resource png payload Same loader 南京木百文化传媒有限公司.exe\r\nFunnyswitch Same unique shellcode in calculating api hash 调整中移在线服务有限公司 职工五险一金缴纳比例的通 知.exe Cobalt strike loader in IR case which used early bird code injection VPN统一身份证认证 ID.exe 运维安全管理与审计系统 单点登录插件.exe Same Cobalt strike payload header\r\n67.\r\n68. 
IOC 68\r\n◆ Chatloader 7ee9b79f4b5e19547707cbd960d4292f F5158addf976243ffc19449e74c4bbad 1015fa861318acbbfd405e54620aa5e3 a1d972a6aa398d0230e577227b28e499\r\n◆ .NET loader bd2d24f0ffa3d38cb5415b0de2f58bb3\r\n◆ Funnyswitch loader e0a9d82b959222d9665c0b4e57594a75 07a61e3985b22ec859e09fa16fd28b85 d720ac7a6d054f87dbafb03e83bcb97c F85d1c2189e261d8d3f0199bbdda3849 5b2a9a12d0c5d44537637cf04d93bec5\r\n◆ Early bird code injection loader 4598c75007b3cd766216086415cc4335 Fd6ae1b8713746e3620386a5e6454a8d b028b4f8421361f2485948ca7018a2b0\r\n◆ Natwalk 1d36404f85d94bea6c976044cb342f24 7c6e75e70d29e77f78ea708e01e19c36\r\n◆ HIGHNOON loader 407b5200c061123c9bd32e7eea21a57b 5b99fa01c72cebc53a76cc72e9581189\r\n◆ Funnydll e0a9d82b959222d9665c0b4e57594a75\r\n◆ Spyder fba77006e8f8f3db6aac86211fa047fb\r\n◆ Shadowpad af7cef9e0e6601cae068b73787e3ae81\r\n69. IOC 69 symantecupd.com microsoftonlineupdate.dynamic-dns.net www.sinnb.com\r\npip.pythoncdn.com img.hmmvm.com reg.pythoncdn.com bbwebt.com\r\nns1.tkti.me test.tkti.me ns1.microsofts.freeddns.com api.aws3.workers.dev ns1.hkserch.com\r\ngodaddy1.txwl.pw godaddy2.txwl.pw ns.cdn06.tk update.facebookdocs.com ns1.dns-dropbox.com\r\nns.cloud20.tk ns.cloud01.tk ns1.token.dns05.com sculpture.ns01.info work.cloud20.tk work.cloud01.tk\r\nhelp01.softether.net cloud.api-json.workers.dev update.microsoft-api.workers.dev up.linux-headers.com\r\np.samkdd.com ns1.microsoftskype.ml ns1.hongk.cf ns1.163qq.cf 163qq.cf depth.ddns.info\r\nyjij4bpade.nslookup.club ooliviaa.ddns.info mootoorheaad.ns01.info token.dns04.com\r\nns1.watson.misecure.com vt.livehost.live sociomanagement.com ns1.hash-prime.com wntc.livehost.live\r\nsmtp.biti.ph perfeito.my cdn.cdnfree.workers.dev www.microsofthelp.dns1.us ns1.mssetting.com\r\nwww.corpsolution.net www.mircoupdate.https443.net publicca.twhinet.workers.dev microgoogle.ml\r\nwww.google-dev.tk api.gov-tw.workers.dev 103.255.179.54 www.omgod.org 154.223.175.70\r\n687eb876e047.kasprsky.info zk4c9u55.wikimedia.vip 
193.38.54.110 api.aws3.workers.dev\r\n4iiiessb.wikimedia.vip 45.32.123.1 158.247.215.150 ntp.windows-time.com trulwkg5c.tg9f6zwkx.icu\r\nwindowsupdate.microsoft.365filtering.com wustat.windows.365filtering.com ti0wddsnv.wikimedia.vip\r\n70.\r\n71. aragorn@51882@gmail.com THANK YOU!\r\nSource: https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021"
	],
	"report_names": [
		"winnti-is-coming-evolution-after-prosecution-at-hitcon2021"
	],
	"threat_actors": [
		{
			"id": "2150d1ac-edf0-46d4-a78a-a8899e45b2b5",
			"created_at": "2022-10-25T15:50:23.269339Z",
			"updated_at": "2026-04-10T02:00:05.402835Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"APT17",
				"Deputy Dog"
			],
			"source_name": "MITRE:APT17",
			"tools": [
				"BLACKCOFFEE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "873919c0-bc6a-4c19-b18d-c107e4aa3d20",
			"created_at": "2023-01-06T13:46:39.138138Z",
			"updated_at": "2026-04-10T02:00:03.227223Z",
			"deleted_at": null,
			"main_name": "Higaisa",
			"aliases": [],
			"source_name": "MISPGALAXY:Higaisa",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6a0effeb-3ee2-4a67-9a9f-ef5c330b1c3a",
			"created_at": "2023-09-07T02:02:47.827633Z",
			"updated_at": "2026-04-10T02:00:04.873323Z",
			"deleted_at": null,
			"main_name": "RedHotel",
			"aliases": [
				"Operation FishMedley",
				"RedHotel",
				"TAG-22"
			],
			"source_name": "ETDA:RedHotel",
			"tools": [
				"Agentemis",
				"BIOPASS",
				"BIOPASS RAT",
				"BleDoor",
				"Brute Ratel",
				"Brute Ratel C4",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"POISONPLUG.SHADOW",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"ShadowPad Winnti",
				"SprySOCKS",
				"Spyder",
				"Winnti",
				"XShellGhost",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b69484be-98d1-49e6-aed1-a28dbf65176a",
			"created_at": "2022-10-25T16:07:23.886782Z",
			"updated_at": "2026-04-10T02:00:04.779029Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"G0019",
				"Hellsing",
				"ITG06",
				"Lotus Panda",
				"Naikon",
				"Operation CameraShy"
			],
			"source_name": "ETDA:Naikon",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"AR",
				"ARL",
				"Agent.dhwf",
				"Aria-body",
				"Aria-body loader",
				"Asset Reconnaissance Lighthouse",
				"BackBend",
				"Creamsicle",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"Flashflood",
				"FoundCore",
				"Gemcutter",
				"HDoor",
				"JadeRAT",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LadonGo",
				"Lecna",
				"Living off the Land",
				"NBTscan",
				"Naikon",
				"NetEagle",
				"Neteagle_Scout",
				"NewCore RAT",
				"Orangeade",
				"PlugX",
				"Quarks PwDump",
				"RARSTONE",
				"RainyDay",
				"RedDelta",
				"RoyalRoad",
				"Sacto",
				"Sandboxie",
				"ScoutEagle",
				"Shipshape",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"SslMM",
				"Sys10",
				"TIGERPLUG",
				"TVT",
				"TeamViewer",
				"Thoper",
				"WinMM",
				"Xamtrav",
				"XsFunction",
				"ZRLnk",
				"nbtscan",
				"nokian",
				"norton",
				"xsControl",
				"xsPlus"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2912fc0-c34e-4e4b-82e9-665416c8fe32",
			"created_at": "2023-04-20T02:01:50.979595Z",
			"updated_at": "2026-04-10T02:00:02.913011Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"BRONZE STERLING",
				"G0013",
				"PLA Unit 78020",
				"OVERRIDE PANDA",
				"Camerashy",
				"BRONZE GENEVA",
				"G0019",
				"Naikon"
			],
			"source_name": "MISPGALAXY:Naikon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "30c9c492-afc6-4aa1-8fe6-cecffed946e0",
			"created_at": "2022-10-25T15:50:23.400822Z",
			"updated_at": "2026-04-10T02:00:05.350302Z",
			"deleted_at": null,
			"main_name": "Higaisa",
			"aliases": [
				"Higaisa"
			],
			"source_name": "MITRE:Higaisa",
			"tools": [
				"PlugX",
				"certutil",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a7aefdda-98f1-4790-a32d-14cc99de2d60",
			"created_at": "2023-01-06T13:46:38.281844Z",
			"updated_at": "2026-04-10T02:00:02.909711Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"BRONZE KEYSTONE",
				"G0025",
				"Group 72",
				"G0001",
				"HELIUM",
				"Heart Typhoon",
				"Group 8",
				"AURORA PANDA",
				"Hidden Lynx",
				"Tailgater Team"
			],
			"source_name": "MISPGALAXY:APT17",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9f1ce7e3-77cd-4af0-bedb-1643f55c9baf",
			"created_at": "2022-10-25T15:50:23.31611Z",
			"updated_at": "2026-04-10T02:00:05.370146Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"Naikon"
			],
			"source_name": "MITRE:Naikon",
			"tools": [
				"ftp",
				"netsh",
				"WinMM",
				"Systeminfo",
				"RainyDay",
				"RARSTONE",
				"HDoor",
				"Sys10",
				"SslMM",
				"PsExec",
				"Tasklist",
				"Aria-body"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def",
			"created_at": "2025-08-07T02:03:24.626625Z",
			"updated_at": "2026-04-10T02:00:03.605175Z",
			"deleted_at": null,
			"main_name": "BRONZE KEYSTONE",
			"aliases": [
				"APT17 ",
				"Aurora Panda ",
				"DeputyDog ",
				"Group 72 ",
				"Hidden Lynx ",
				"TG-8153 ",
				"Tailgater Team"
			],
			"source_name": "Secureworks:BRONZE KEYSTONE",
			"tools": [
				"9002",
				"BlackCoffee",
				"DeputyDog",
				"Derusbi",
				"Gh0stHTTPSDropper",
				"HiKit",
				"InternalCMD",
				"PlugX",
				"PoisonIvy",
				"ZxShell"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "578e92ed-3eda-45ef-b4bb-b882ec3dbb62",
			"created_at": "2025-08-07T02:03:24.604463Z",
			"updated_at": "2026-04-10T02:00:03.798481Z",
			"deleted_at": null,
			"main_name": "BRONZE GENEVA",
			"aliases": [
				"APT30 ",
				"BRONZE STERLING ",
				"CTG-5326 ",
				"Naikon ",
				"Override Panda ",
				"RADIUM ",
				"Raspberry Typhoon"
			],
			"source_name": "Secureworks:BRONZE GENEVA",
			"tools": [
				"Lecna Downloader",
				"Nebulae",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439130,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/32343e29daac413e21a72ed25decf3be28f7c0e2.pdf",
		"text": "https://archive.orkl.eu/32343e29daac413e21a72ed25decf3be28f7c0e2.txt",
		"img": "https://archive.orkl.eu/32343e29daac413e21a72ed25decf3be28f7c0e2.jpg"
	}
}