{
	"id": "f5d2c3c2-0b37-421f-8337-68bf1422c59e",
	"created_at": "2026-04-06T00:13:37.00948Z",
	"updated_at": "2026-04-10T13:12:16.587627Z",
	"deleted_at": null,
	"sha1_hash": "8645583eea4dea7637acac308440d25fb743ba77",
	"title": "Winnti (LEAD/APT17) Evolution - Going Open Source",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 496817,
	"plain_text": "Winnti (LEAD/APT17) Evolution - Going Open Source\r\nBy Tom \"Hollywood\" Hegel\r\nPublished: 2025-07-11 · Archived: 2026-04-05 14:15:55 UTC\r\nThis post was originally published on July 11, 2025, in the official ProtectWise.com blog. We have since moved it\r\nto this 401TRG blog and backdated appropriately.\r\nUpdate #1: We have published a new post containing additional Winnti details.\r\nIf you would like to automate the intake of these indicators, please see our GitHub Detections repo.\r\nUpdate #2: To better document and share the details of this post with the community, we're going to change from\r\nreferring to this group as \"Winnti\" to the more appropriate \"LEAD\" title. Winnti originated in 2009 as a single\r\ngroup but more current intelligence indicates that the original group can now be better defined as the Winnti\r\numbrella, which LEAD and BARIUM are within.\r\nProtectWise recently observed a burst of activity and change of tactics from an advanced actor group commonly\r\nreferred to as “Winnti.” The purpose of this post is to share details of the group’s recent activity in an effort to\r\nassist the public in searching for related activity in their networks and preventing future attacks.\r\nAbout Winnti\r\nThe Winnti group has been active since roughly 2009. Significant previous research has been published on the\r\ngroup from a variety of sources, such as Kaspersky, Blue Coat, and TrendMicro. As far back as 2009, the group\r\nwas detected attacking multiple video game studios, including some in South Korea and Japan, likely attempting\r\nto steal various in-game currencies and to compromise developers’ certificates and source code. The original\r\nWinnti group is now split into LEAD (APT17) and BARIUM. 
This activity is associated with LEAD.\r\nObjectives:\r\nTheft of digital certificates\r\nUse of stolen certificates to sign malware\r\nTheft of gaming source code and infrastructure details\r\nTTPs:\r\nKnown Toolset: PIVY, Chopper, PlugX, ZxShell, Winnti\r\nPhishing HR/recruiting emails for initial infection vector\r\nCHM email file attachments containing malware\r\nUse of GitHub for C2 communication\r\nTargets:\r\nhttps://401trg.pw/winnti-evolution-going-open-source/\r\nPage 1 of 7\n\nOnline video game organizations\r\nDefense Sector\r\nInternet Service Providers\r\nFinance\r\nAttribution:\r\nOriginating Location: China (high confidence)\r\nPotential Aliases: Wicked Panda, APT17, Mana\r\nWithin the Winnti campaigns observed by ProtectWise, the use of open source tooling was common. Specifically,\r\nthe group has been utilizing the Browser Exploitation Framework (BeEF) and Metasploit Meterpreter. The use of\r\nopen source tools by advanced actor groups has become increasingly common, as discussed by our colleagues in\r\nthe industry. To the best of our knowledge this is a new technique for the Winnti group and we expect it to be used\r\nin future attacks.\r\nAlso noteworthy are attempts to deliver JAR files containing macOS applications which have meterpreter\r\nfunctionality. In addition, victims running Windows were delivered MSI files which were built using a free EXE\r\nto MSI converter (http://www.exetomsi.com/).\r\nFigure 1: Summary of attack progression.\r\nDelivery:\r\nThe Winnti campaign detailed in this post began with spear phishing emails aimed at a Japanese gaming studio’s\r\nstaff. 
At least one of these emails claimed it was from an applicant for a job posting who was listing their relevant\r\nexperience, along with a link to their resume.\r\nFigure 2: Winnti Phishing Email.\r\nThe approximate translation of the Winnti phishing email is as follows:\r\n“I saw your job posting. My main languages are Object-C, JAVA, and Swift, and I have 7 years experience with\r\nRuby and 6 years experience with PHP. I have 5 years experience developing iOS apps, as well as Android apps,\r\nAWS, Jenkins, Microsoft Azure, ZendFramework, and smartphone application payment processing. I also have 5\r\nyears experience with MSSQL, Mysql, Oracle, and PostgreSQL. Please see here: ”\r\nWe observed Winnti using two different techniques when the link was clicked. In the first technique, the user was\r\ndirected to an HTML page which loaded a fake English resume. In the second technique, which we only observed\r\na few times, the landing page directly downloaded a JAR file to the victim’s machine.\r\nFigure 3: Fake resume loaded in browser. Some items blurred as content may have been stolen.\r\nFigure 4: Fake resume continued.\r\nLanding:\r\nIn cases where the above resume is loaded, it is delivered as follows:\r\n{Phishing Email Link}/?session={date}{ID}\r\nThis page is an HTML file containing a simple iframe instruction to load real.html.\r\nFigure 5: Link-click landing page HTML content.\r\nreal.html\r\nThis is the HTML file containing the fake resume which will load in browser for the link-click victim. It contains\r\na script which loads the BeEF hook script from a separate external host. The group’s infrastructure changes\r\nrapidly, occasionally allowing us to observe them modifying the hook page destination domain over the span of a\r\nfew minutes. 
Sometimes the same destination would be referred to by IP in one version of real.html and by\r\nhostname in another. Two additional files, resume_screen.css and mypic.jpg, are also loaded to make the resume\r\nlook more realistic with improved formatting.\r\nFigure 6: Added hook.js load request placed in fake resume.\r\nAt this point, in cases where BeEF has been used, exploits are typically attempted on victim hosts with the help of\r\nBeEF modules. A commonly used module was Jenkins_groovy_code_exec.\r\nEvasion Techniques:\r\nOne of the Winnti group’s distinctive techniques is their particular style of DNS resolution for their C2 domains.\r\nChoosing domain names which are similar to valid domains (for example, google-statics[.]com, a misspelling of\r\nGoogle statistics, instead of analytics.google.com), the group configures their DNS so that the root domain\r\nresolves to either nothing, or localhost (previous research has observed the root domain resolving to the valid\r\ndomain it is imitating; we did not observe that in this campaign). Then a subdomain resolves to an actual C2\r\nserver. For example, google-statics[.]com, one of the C2 domains observed in this campaign, has no resolutions at\r\ntime of writing. css.google-statics[.]com, however, resolves to a real C2 IP.\r\nAs observed in previous Winnti attacks, the group uses commonly accepted and poorly monitored protocols and\r\nports for their C2 communication (ports 53, 80, 443). With the addition of BeEF, the group has made use of TCP\r\nport 8000 as well. Amusingly, the group's use of BeEF has been fairly rudimentary, not even taking advantage of\r\nthe basic obfuscation features included in the program. 
We observed the group using GAGAHOOK instead of the\r\ndefault BEEFHOOK session name and BEEFSESSION session cookie name.\r\nFigure 7: BeEF hook.js request.\r\nAs in previous Winnti campaigns, the group continues to use legitimate code signing certificates, stolen from\r\nonline gaming organizations, to sign their malware. This technique can help to hide the malicious intent of the\r\ngroup’s code, allowing it to run in environments where execution is restricted to signed/trusted programs. While\r\nunconfirmed as of this writing, we believe the Winnti group is continuing to steal and use certificates from new\r\norganizations.\r\nAssociated Indicators:\r\nNote: We are redacting the malware hashes while we work with the organization whose digital signature was used\r\non the malware as a potential victim of the Winnti group.\r\nIndicator Type Description\r\njob.yoyakuweb[.]technology Domain Phishing email link destination.\r\nresume.immigrantlol[.]com Domain Phishing email link destination.\r\nmacos.exoticlol[.]com Domain Likely phishing email link destination.\r\ncss.google-statics[.]com Domain BeEF Landing and C2.\r\nminami[.]cc Domain Potential BeEF - Low confidence (Linode).\r\nvps2java.securitytactics[.]com Domain Malware C2.\r\n106.184.5.252 IP Phishing email link destination.\r\n61.78.62.21 IP Used in BeEF C2, reused Winnti infrastructure.\r\n139.162.106.19 IP Linode - Used in BeEF C2.\r\n172.104.101.131 IP Linode - Malware C2.\r\n139.162.17.161 IP Linode - Used in BeEF C2.\r\n133.242.145.137 IP Linode - Used in BeEF C2.\r\n106.185.31.128 IP Linode - hosting BeEF landings.\r\nSource: https://401trg.pw/winnti-evolution-going-open-source/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://401trg.pw/winnti-evolution-going-open-source/"
	],
	"report_names": [
		"winnti-evolution-going-open-source"
	],
	"threat_actors": [
		{
			"id": "2150d1ac-edf0-46d4-a78a-a8899e45b2b5",
			"created_at": "2022-10-25T15:50:23.269339Z",
			"updated_at": "2026-04-10T02:00:05.402835Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"APT17",
				"Deputy Dog"
			],
			"source_name": "MITRE:APT17",
			"tools": [
				"BLACKCOFFEE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a7aefdda-98f1-4790-a32d-14cc99de2d60",
			"created_at": "2023-01-06T13:46:38.281844Z",
			"updated_at": "2026-04-10T02:00:02.909711Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"BRONZE KEYSTONE",
				"G0025",
				"Group 72",
				"G0001",
				"HELIUM",
				"Heart Typhoon",
				"Group 8",
				"AURORA PANDA",
				"Hidden Lynx",
				"Tailgater Team"
			],
			"source_name": "MISPGALAXY:APT17",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def",
			"created_at": "2025-08-07T02:03:24.626625Z",
			"updated_at": "2026-04-10T02:00:03.605175Z",
			"deleted_at": null,
			"main_name": "BRONZE KEYSTONE",
			"aliases": [
				"APT17 ",
				"Aurora Panda ",
				"DeputyDog ",
				"Group 72 ",
				"Hidden Lynx ",
				"TG-8153 ",
				"Tailgater Team"
			],
			"source_name": "Secureworks:BRONZE KEYSTONE",
			"tools": [
				"9002",
				"BlackCoffee",
				"DeputyDog",
				"Derusbi",
				"Gh0stHTTPSDropper",
				"HiKit",
				"InternalCMD",
				"PlugX",
				"PoisonIvy",
				"ZxShell"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434417,
	"ts_updated_at": 1775826736,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8645583eea4dea7637acac308440d25fb743ba77.pdf",
		"text": "https://archive.orkl.eu/8645583eea4dea7637acac308440d25fb743ba77.txt",
		"img": "https://archive.orkl.eu/8645583eea4dea7637acac308440d25fb743ba77.jpg"
	}
}