{
	"id": "076ea225-2688-4f7f-b90d-bf163eda692b",
	"created_at": "2026-04-06T00:06:09.543433Z",
	"updated_at": "2026-04-10T03:32:26.649454Z",
	"deleted_at": null,
	"sha1_hash": "3a623b3b402039a425497e1ec9936ef76ed265ed",
	"title": "Winnti: Attacking the Heart of the German Industry",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 492308,
	"plain_text": "Winnti: Attacking the Heart of the German Industry\r\nBy BR Data\r\nArchived: 2026-04-05 19:46:15 UTC\r\nWinnti: Attacking the Heart of the German Industry\r\nFor a number of years now, a group of professional hackers has been busy spying on businesses all over the world:\r\nWinnti. Believed to be controlled by China. For the first time, in a joint investigation, German public broadcasters\r\nBR and NDR are shedding light on how the hackers operate and how widespread they are.\r\nUnser Bericht zur digitalen „Söldnertruppe“, die Industriespionage betreibt.\r\nMalware:\r\nMalicious software, like computer viruses or Trojans.\r\nThis investigation starts with a code: daa0 c7cb f4f0 fbcf d6d1. If you know what to look for, you’ll find Winnti.\r\nHackers who have been spying on businesses all over the world for years. A group, presumably China-based, has\r\nhoned in on Germany and its DAX corporations. For the first time ever, BR and NDR reporters have successfully\r\nanalyzed hundreds of the malware versions used for that unsavory purpose. The targets: At least six DAX\r\ncorporations, the stock-listed top companies of the German industry.\r\nWinnti is a highly complex structure that is difficult to penetrate. The term denotes both a sophisticated malware\r\nand an actual group of hackers. IT security experts like to call them digital mercenaries. Since at least 2011, these\r\nhackers have been using malware to spy on corporate networks. 
Their mode of operation: to collect information\r\nhttp://web.br.de/interaktiv/winnti/english/\r\nPage 1 of 13\n\non the organizational charts of companies, on cooperating departments, on the IT systems of individual business\r\nunits, and on trade secrets, obviously.\r\nAsked about the group, an IT security expert who has been analyzing the attacks for years replies, tongue in cheek:\r\n“Any DAX corporation that hasn’t been attacked by Winnti must have done something wrong.” A high-ranking\r\nGerman official says: “The numbers of cases are mind-boggling.” And claims that the group continues to be\r\nhighly active—to this very day. The official’s name will remain undisclosed, as will names of the more than 30\r\npeople whom we were able to interview for this article: Company staff, IT security experts, government officials,\r\nand representatives of security authorities. They are either not willing or not allowed to speak frankly. But they are\r\nallowed to reveal some of their tactics.\r\nThis allows us to find the software and to figure out for ourselves how the attackers work. Thanks to the help\r\nreceived from the informers, we, the reporters, are able to get on to the group. Part of their trail is the following\r\ncode: daa0 c7cb f4f0 fbcf d6d1.\r\nLogging:\r\nThe hackers’ individual steps are stored in log files.\r\nModern-day espionage operations have one big advantage: Instead of painstakingly planting agents in companies,\r\ndigital spies are simply sending prepared emails. Instead of taking pictures of confidential documents while the\r\nrest of the staff is out to lunch, hackers can remotely log on to company computers and send their commands from\r\ntheir keyboard. But every hacking operation also comes with a huge drawback. It leaves digital traces. If you\r\nnotice hackers, you can log their every step. 
The hackers themselves have no clue that they are under meticulous\r\nscrutiny, sometimes even for months at a time.\r\nTo decipher the traces of hackers, you need to take a closer look at the program code of the malware itself. It can\r\nbe found in databases operated by private companies like “Virustotal.” The company is owned by Google and is a\r\nkind of malware search engine. The information stored in that database is so valuable to IT consultants and\r\nsecurity companies that they pay thousands of Euros per month for accessing it. Anybody who is unsure whether a\r\nmail attachment contains a Trojan can have it checked in that database by more than 50 antivirus programs. In\r\nreturn, Virustotal stores the file with the aid of a digital fingerprint. This digital fingerprint allows others to search\r\nfor the file and to analyze the codes it contains. People like ourselves.\r\nC:\\Windows\\system32\\\r\nwbem\\system.dat\r\n3047 ed57 acac 30c2\r\n327e 7407 0b38 64b7\r\nEvery file has a digital fingerprint—which makes it clearly identifiable.\r\nIn former times, it was solely the job of intelligence agencies to uncover espionage operations. Nowadays,\r\ncorporations and IT security companies prefer to employ staff earning six-figure salaries for that purpose. Their\r\njob is to search the corporate networks and Virustotal for evidence of hacker groups. After all, it is the companies\r\nthey work for which are being spied on—and the companies’ secret formulas and building plans warrant absolute\r\nprotection. Professionally, these employees are on a par with the security services. It is one of those professionals\r\nwho meets with us and hands us a piece of paper.\r\n“This might help you find the hackers”, the gentleman tells us. 
He believes that because they are spying on so\r\nmany targets at the same time, they have to figure out how to keep track. He also believes that the hackers chose\r\nconvenience over anonymity. We soon realize how incredibly negligent the hackers are. We are working with\r\nMoritz Contag, an IT security expert affiliated with Ruhr University Bochum (RUB). What we find: The hackers\r\nare writing the names of the companies they want to spy on directly into their malware. Contag has analyzed more\r\nthan 250 variations of the Winnti malware and found them to contain the names of global corporations.\r\nOpsec:\r\nOperational Security. It is a collective term for all the steps taken by hackers to cover their tracks.\r\nHackers usually take precautions, which experts refer to as Opsec. The Winnti group’s Opsec was dismal to say\r\nthe least. Somebody who has been keeping an eye on Chinese hackers on behalf of a European intelligence service\r\nbelieves that they didn’t really care: “These hackers don’t care if they’re found out or not. They care only about\r\nachieving their goals.\"\r\nThe sheet of paper the staff member is showing us has a code printed on it: daa0 c7cb f4f0 fbcf d6d1. We are\r\nlooking for the same string of characters in Virustotal, the gigantic database of infected files. And we succeed.\r\nStep 1: At the end of a Windows file we find the following code: daa0 c7cb f4f0 fbcf d6d1. This is the data stream\r\nin which Winnti hackers are hiding their commands.\r\nStep 2: It is a piece of cake to unmask the data. From this point, it is easy to see what the hackers are up to. daa0\r\nc7cb f4f0 fbcf d6d1 transforms into C:\\Windows, a file path on the Microsoft operating system.\r\nStep 3: For the hackers to keep track of which network they are currently invading, they simply write it directly\r\ninto their program. 
In the example shown herein, the Winnti hackers are inside the networks of Gameforge.\r\nPhase 1: Cybercrime\r\nIt would seem that during the early stages, the hackers were concerned mainly about making money. Gameforge is\r\na case in point: a gaming company based in the German town of Karlsruhe. During its heyday, the company had a\r\nstaff of 700 working hard at conquering the global gaming market, and boasted annual sales to the tune of 140\r\nmillion Euros. Gameforge offers so-called “freemium” games. While playing the games is free, those who want\r\nmore either have to earn virtual money by completing certain tasks, which takes a long time, or shell out real\r\nmoney.\r\nWe are told that in 2011, an email message found its way into Gameforge’s mailbox in Karlsruhe. A staff member\r\nopened the attached file and unbeknownst to him started the hackers’ Winnti program. Shortly afterwards, a few\r\nplayers became rich in virtual money.\r\nThe administrators became aware that someone was directly accessing Gameforge’s databases and raising the\r\naccount balance. They started getting worried. How could this be happening? The technicians used the next\r\nmaintenance interval to reinstall the servers of the affected game. The players didn’t have a clue about what was\r\ngoing on. No sooner were the servers back up than the manipulations continued.\r\nGameforge was using Kaspersky antivirus software, which didn't cause any alarm bells to ring. Gameforge\r\narranged for Kaspersky's IT security experts to come directly to Karlsruhe. Because obviously there was\r\nsomething weird going on. Nobody informed the State Bureau of Criminal Investigation or the local police. The\r\nyear was 2011, and many investigators were barely familiar with the term or concept of cybercrime.\r\nWhile keeping an eye on Gameforge’s corporate network, the IT security experts did find suspicious files and\r\ndecided to analyze them. 
They noticed that the system had in fact been infiltrated by hackers—who were acting\r\nlike Gameforge’s administrators most of the time. Which allowed them to remain invisible. It turned out that the\r\nhackers had taken over a total of 40 servers.\r\nPersistent:\r\nIt is very hard to permanently remove the hackers from the network.\r\nThis mode of operation is typical of many hacker groups—and especially of Winnti. “They are a very, very\r\npersistent group,” says Costin Raiu, who has been watching Winnti since 2011. Raiu is in charge of Kaspersky’s\r\nmalware analysis team. “Once the Winnti hackers are inside a network, they take their sweet time to really get a\r\nfeel for the infrastructure,” he says.\r\nThe hackers will map a company’s network and look for strategically favorable locations for placing their\r\nmalware. They keep tabs on which programs are used in a company and then exchange a file in one of these\r\nprograms. The modified file looks like the original, but was secretly supplemented by a few extra lines of code.\r\nFrom now on, this manipulated file does the attackers’ bidding.\r\nRaiu and his team have followed the digital tracks left behind by some of the Winnti hackers. “Nine years ago,\r\nthings were much more clear-cut. There was a single team, which developed and used Winnti. It now looks like\r\nthere is at least a second group that also uses Winnti.” This view is shared by many IT security companies. And it\r\nis this second group which is getting the German security authorities so worried. One government official puts it\r\nvery matter-of-factly: “Winnti is very specific to Germany. 
It is the attacker group that's being encountered most\r\nfrequently.\"\r\nPhase 2: Industrial espionage\r\nBy 2014, the Winnti malware code was no longer limited to game manufacturers. The second group’s job is\r\nmainly industrial espionage. Hackers are targeting high-tech companies as well as chemical and pharmaceutical\r\ncompanies. We find evidence going as far as mid-2019. Cases of espionage which were probably still ongoing\r\nwhen we discovered them. Winnti is attacking companies in Japan, France, the U.S. and Germany. Or more\r\nprecisely: in Düsseldorf.\r\nMost people probably know the DAX company Henkel as a manufacturer of detergents and shampoos. But\r\nHenkel offers a huge range of other products, including adhesives for industrial applications. Modern cars are\r\nglued instead of welded. In a commercial on Youtube, Henkel shows staff members successfully joining two metal\r\nplates with just three grams of adhesive and then using the plates to pull a 280-ton train. Nearly half of Henkel’s\r\nannual sales of 20 billion Euros are generated by Henkel’s so-called “adhesive technologies\".\r\nThe Winnti hackers broke into Henkel’s network in 2014. We have three files showing that this happened. Each of\r\nthese files contains the same website belonging to Henkel and the name of the hacked server. For example, one\r\nstarts with the letter sequence DEDUSSV. We realize that server names can be arbitrary, but it is highly probable\r\nthat DE stands for Germany and DUS for Düsseldorf, where the company headquarters are located. The hackers\r\nwere able to monitor all activities running on the web server. 
And they also seemed to be able to reach systems\r\nwhich didn't have direct internet access: Internal storage files and possibly even the intranet.\r\nThe corporation confirms the Winnti incident and issues the following statement: “The cyberattack was discovered\r\nin the summer of 2014 and Henkel promptly took all necessary precautions.” Henkel claims that a “very small\r\nportion” of its worldwide IT systems had been affected—the systems in Germany. According to Henkel, there\r\nwas no evidence suggesting that any sensitive data had been diverted.\r\nHow we worked\r\nBR and NDR reporters, in collaboration with several IT security experts, have analyzed the Winnti malware. It\r\nwas notably Moritz Contag of Ruhr University Bochum who managed to extract information from different\r\nvarieties of the malware. Contag wrote a script for this analysis. You can find it here. Silas Cutler, an IT security\r\nexpert with US-based Chronicle Security, has confirmed Contag’s analyses.\r\nA collaboration between BR and NDR.\r\nFar from attacking Henkel and the other companies arbitrarily, Winnti takes a highly strategic approach. Which is\r\nperfectly evident from the other cases. Take Covestro, for example, also a manufacturer of adhesives, lacquers and\r\npaints. This chemical corporation, a Bayer spin-off, is now listed on the DAX. Covestro is regarded as Germany’s\r\nmost successful spin-off in the recent past. Up until June 2019, they had at least two systems on which the Winnti\r\nmalware had been installed. 
Although there is no concrete evidence of data loss, Covestro considers “this evidence\r\nof infection to be a serious attack on our company.” Another manufacturer of adhesives, Bostik of France, was\r\ninfected with Winnti in early 2019.\r\nThe hackers behind Winnti have also set their sights on Japan’s biggest chemical company, Shin-Etsu Chemical.\r\nWe have in our hands several varieties of the 2015 malware which was most likely used for the attack. In the case\r\nof another Japanese company, Sumitomo Electric, Winnti apparently penetrated their networks during the summer\r\nof 2016. And consider Roche, one of the largest pharmaceutical companies in the world: the sheer number of files,\r\n25 in total, gives you an idea of the degree of network penetration by the hackers. Winnti hackers also penetrated\r\nthe BASF and Siemens networks. Both corporations have confirmed our research data.\r\nA BASF spokeswoman tells us in an email that in July 2015, hackers had successfully overcome “the first levels”\r\nof defense. “When our experts discovered that the attacker was attempting to get around the next level of defense,\r\nthe attacker was removed promptly and in a coordinated manner from BASF’s network.” She added that no\r\nbusiness-relevant information had been lost at any time. According to Siemens, they were penetrated by the\r\nhackers in June 2016. “We quickly discovered and thwarted the attack,” Siemens told us in a written reply.\r\nSiemens claims that even after detailed analyses, no evidence suggesting data loss from the attack has been found\r\nto date.\r\nTargeted companies\r\nGaming: Gameforge, Valve\r\nSoftware: Teamviewer\r\nTechnology: Siemens, Sumitomo, Thyssenkrupp\r\nPharma: Bayer, Roche\r\nChemical: BASF, Covestro, Shin-Etsu\r\nBostik, Sumitomo and Shin-Etsu didn’t respond to our requests for comments at all. Roche chose to keep their\r\nresponse neutral. 
A spokesperson replied that “information security and data protection are taken very seriously.”\r\nNearly all major corporations now emphasize that there is no such thing as one hundred percent protection.\r\nHacking attacks on large companies have become almost commonplace. And yet: No company really likes to talk\r\nabout having hackers in its own networks. In many cases, customers are not informed. They are justifiably scared\r\nof damage to their reputation.\r\nTeamviewer is a case in point. A company based in the southwest of Germany, a bona fide Silicon Valley\r\ncontender, and a true showpiece enterprise. It was quickly traded at a nine-digit valuation, the highest accolade for\r\na newly incorporated enterprise. Then came the Winnti hackers. “Spiegel” magazine was the first to report about\r\nit.\r\nThe corporation offers a remote maintenance software solution which, according to Teamviewer, is installed on\r\ntwo billion devices. To imagine the mayhem a hacker might cause by infiltrating the end users’ devices via the\r\nTeamviewer application—it boggles the mind. But things didn’t get that far for Teamviewer, the company assures\r\nus. They add that they replaced their entire IT infrastructure and spent millions on removing the hackers from their\r\nnetworks in 2016.\r\nThe second way to find Winnti\r\nFor the IT departments, the infected computers are extremely difficult to detect. That is because a new variety of\r\nthis malware remains perfectly passive as long as it is left alone. How can you find something that’s playing dead?\r\nSince 2018 there’s a public tool available designed to systematically trawl the Internet for these infected systems.\r\nThis network scan works by luring the software out of its hiding spot.\r\nEach company has its own IP address range. The IP address is a computer’s unique address. This is how\r\ncomputers can be reached via the Internet.\r\nOnce the Winnti malware has infected a computer, it initially behaves passively. 
Winnti is now waiting for control\r\ncommands.\r\nWith the aid of special software we send requests to different company networks. The software per se is harmless,\r\nbut capable of simulating control commands designed to lure Winnti out of hiding.\r\nIn all cases where Winnti was installed, the malware will respond to our request. This tells us: That company has\r\nbeen hacked.\r\nHave you kept count?\r\nSo far, ten companies have been affected, most of them in Germany.\r\nThis tool hit pay dirt at Covestro and Bostik. Many IT companies are taking the same route to find Winnti-infected\r\ncomputers; some of the results have been leaked to us—in the strictest confidence. Thanks to this tool, we found\r\nout back in March 2019 that the Bayer pharmaceutical group had been hacked by Winnti.\r\nThe tool was written by staff of Thyssenkrupp, because the industrial giant—company number eleven—had been\r\nspied on by Winnti. In 2016, the corporation allowed a reporter from “Wirtschaftswoche” to watch the attackers\r\nbeing pushed back. The magazine later wrote of a “six-month defensive battle.” The hackers had succeeded in\r\nextracting small data sets of importance for the construction of plants. The company mentions “data fragments”\r\nand believes that the hackers have missed their actual target, tapping into the corporation’s research results.\r\nThe trail leading to China\r\nAt Gameforge, the Winnti hackers had already been removed from the networks when a staff member noticed a\r\nWindows start screen with Chinese characters. Presumably, the hackers were using tools in their native language,\r\nwhich would have made their work easier. But they forgot to cover up their tracks. Just another mistake they\r\nmade, one of many.\r\nIn October 2016, several DAX corporations, including BASF and Bayer, founded the German Cyber Security\r\nOrganization (DCSO). 
The job of DCSO’s IT security experts is to observe and recognize hacker groups like\r\nWinnti and to get to the bottom of their motives. In Winnti’s case, DCSO speaks of a “mercenary force” which is\r\nsaid to be closely linked with the Chinese government. They have been tracking the group for a long time: “We\r\ncan, based on many, many indicators, say with high confidence that Winnti is being directed by the Chinese.”\r\nWe can, based on many, many indicators, say with high confidence that Winnti is being directed by the Chinese\r\nDror-John Röcher, DCSO\r\nMany of the experts we talked to believe that the group is operating out of mainland China. “I don’t care if the\r\nhackers work in green uniforms or are commissioned by people wearing green uniforms,” says an IT security\r\nexpert, alluding to a suspected proximity to the country’s military intelligence service.\r\nIt would seem that in the early days, Winnti hackers were still quite careless. One of them left many traces on the\r\nInternet. In 2013, the Kaspersky team was able to follow clues in their code. This is how Costin Raiu and his\r\ncolleagues came across a person using the alias “Mer4en7y.” This individual was active in hacker forums where\r\nhe commented in Chinese on a job offer for recruiting hackers. There was mention of a “powerful background.”\r\n“And ‘Mer4en7y’ replied that the job was too far away for him, but that he was in full support of the work,” says\r\nRaiu.\r\nOn 30 October 2018, the US government brought charges against ten Chinese nationals. Two of them are believed\r\nto be working for one of China’s intelligence services. Hackers are charged with spying on a manufacturer of gas\r\nturbines. Also charged in connection with the crime: “Mer4en7y”, who is believed to have been acting on behalf\r\nof the intelligence service and to have used the Winnti software for the hack. 
IT security experts attribute the\r\ncyberattack to a different Chinese group. But the charges filed are testimony to the close links between at least one\r\nWinnti hacker and the government.\r\nThe US government is accusing the individual going by the alias Mer4en7y of using the Winnti software\r\nJanka Oertel of the German Marshall Fund of the United States (GMF) in Berlin has been keeping a close eye on\r\nChina. Oertel considers it “very unlikely that large-scale cyber operations could be happening without at least\r\nparts of the Chinese party-state knowing about them.” Oertel, a political scientist, emphasizes that China wants to\r\nplay a “significant market role” in key industries such as materials research by 2025 and to dominate the world\r\nmarket by 2035. “In some of these areas, however, China has not yet managed to achieve its goals without\r\ntechnology transfers—including transfers from Germany,” Oertel adds.\r\nA government official familiar with the hacking cases agrees: “Cyber incidents allow us to draw conclusions as to\r\na nation’s true priorities.” The point, he believes, is to understand one’s own industry and to figure out what\r\ncannot be produced fast enough. The missing materials are then procured by hacking operations.\r\nBut a former staffer of a European intelligence agency warns: “If I wanted to hack anyone right now, I’d make it\r\nlook like a Chinese group.” He warns against underestimating the proficiency of hackers working for\r\ngovernments. After all, he says, laying false trails is their job.\r\nPeople working for the German intelligence agencies tell us that, although all current findings suggest that Winnti\r\noriginates from China, much of the evidence is based on data that is several years old. 
“We have a knowledge gap\r\nfor the past two to three years,” says one individual familiar with the incidents.\r\nWhile Germany does address industrial espionage in direct talks with the Chinese leadership, these attempts are\r\nconsidered a waste of time. “Fruitless,” says one individual who knows how these meetings work. The other side\r\ndenies everything, he says, and what’s left at the end of the day are meaningless declarations of intent. And the\r\nGermans are hesitant to provide concrete evidence—for fear of revealing to the Chinese leadership what they\r\nknow—for example, from the work of the Federal Intelligence Service (BND).\r\nThe BND is trawling the internet for specific groups of attackers. The agency received 300 million Euros to set up\r\na powerful surveillance system, among other things. The idea is to find hacker groups suspected of being\r\ngovernment-backed and likely to cause damage to the Federal Republic. There is also talk of starting an\r\n“intelligence offensive” against Chinese groups of attackers. This means: Hacking into the networks. Spies\r\nwatching spies.\r\nPolitical espionage?\r\nCorporations like Bayer, Covestro, Roche and Bostik share a single common denominator: the chemical sector.\r\nHowever, analyses also show that a number of targets now affected are deviating from the known pattern. We are\r\ntalking about the possibility of political espionage. We have come across several indicators corroborating this\r\nsuspicion.\r\nThe Hong Kong government was spied on by the Winnti hackers. We found four infected systems thanks to the\r\nnetwork scan, and proceeded to inform the government by email. 
They confirm our findings: “Recently, it was\r\nfound that six Internet facing computers of two government departments returned positive results from a test for\r\nWinnti malware.” The affected computers did not contain any classified information or citizens’ personal data, and\r\nthere was “no evidence” that any data have been copied out, we are being told.\r\nThe network scan also sniffs out a telecommunications provider from India, which happens to be located precisely\r\nin the region where the Tibetan government in exile (the “Central Tibetan Administration”) has its headquarters.\r\nIncidentally, the relevant identifier in the malware is called “CTA.” A file which ended up on Virustotal in 2018\r\ncontained a pretty straightforward keyword: “tibet”. The CTA didn’t respond to our requests for comment.\r\nPodcast (in German): How we deciphered the code\r\nOn top of this there are campaigns which don’t seem to make a lot of sense unless you consider political\r\nespionage. Take Marriott, the hotel chain based in Maryland, USA. The corporation manages more than one\r\nmillion rooms worldwide. While Marriott hotels may be state-of-the-art, who would want to hack Marriott for\r\ncutting-edge technologies or innovative ideas? Who would want to spy on the Indonesian airline Lion Air for the\r\nsame reasons? Probably nobody. But hotels and airlines collect data. If you know how to access these data, you\r\nknow where people travel and where they spend the night. And if you also hack into telecommunications\r\ncompanies you know where these people are located at any given time. The Winnti hackers managed to penetrate\r\nthe networks of Lion Air and several telecommunications companies, and they at least did take Marriott into their\r\nsights. 
We have the relevant coded file in our hands.\r\nWhen reached for comment, the German government tells us that the security authorities have established\r\n“multiple platforms and discussion groups” for that matter. If required, affected companies can request\r\n“appropriate advice and assistance for cleaning up their systems and further prevention.” In July 2019 the Federal\r\nOffice for Information Security reached out to a company whose name was included in a Winnti implant. We\r\nwere told that “generally speaking foreign intelligence agencies have established cyberattacks as a vital mode of\r\nacquiring more information.” According to the government, these hackers usually don’t have to fear political or\r\neconomic risks, “due to various obfuscation methods.\"\r\nThe German government’s response is elusive when asked whether there is a connection between the Winnti\r\nhackers and the Chinese Government. They tell us that cyberattacks are taken seriously, no matter who is\r\nresponsible. We reached out to the Foreign Ministry of China and the embassy in Berlin with this and other\r\nquestions. We didn't hear back.\r\nSource: http://web.br.de/interaktiv/winnti/english/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://web.br.de/interaktiv/winnti/english/"
	],
	"report_names": [
		"english"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775433969,
	"ts_updated_at": 1775791946,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3a623b3b402039a425497e1ec9936ef76ed265ed.pdf",
		"text": "https://archive.orkl.eu/3a623b3b402039a425497e1ec9936ef76ed265ed.txt",
		"img": "https://archive.orkl.eu/3a623b3b402039a425497e1ec9936ef76ed265ed.jpg"
	}
}