{
	"id": "0f980bfb-5623-4abf-ac84-bdddb69f3719",
	"created_at": "2026-04-06T00:15:40.213775Z",
	"updated_at": "2026-04-10T13:12:48.159445Z",
	"deleted_at": null,
	"sha1_hash": "9ef48e2993b8c6d2a3ad99cd6a416658f153f7f7",
	"title": "Winnti FAQ. More Than Just a Game",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 299266,
	"plain_text": "Winnti FAQ. More Than Just a Game\r\nBy GReAT\r\nPublished: 2013-04-11 · Archived: 2026-04-05 14:56:54 UTC\r\nToday Kaspersky Lab’s team of experts published a detailed research report that analyzes a sustained\r\ncyberespionage campaign conducted by the cybercriminal organization known as Winnti.\r\nAccording to the report, the Winnti group has been attacking companies in the online video game industry since 2009\r\nand is currently still active.\r\nThe group’s objectives are stealing digital certificates signed by legitimate software vendors in addition to\r\nintellectual property theft, including the source code of online game projects.\r\nThe attackers’ favorite tool is the malicious program we called “Winnti”. It has evolved since its first use, but all\r\nvariants can be divided into two generations: 1.x and 2.x. Our publication describes both variants of this tool. In\r\nour report we publish an analysis of the first generation of Winnti.\r\nThe second generation (2.x) was used in one of the attacks which we investigated during its active stage, helping\r\nthe victim to interrupt data transfer and isolate infections in the corporate network. The incidents, as well as results\r\nof our investigation, are described in the full report (PDF) on the Winnti group.\r\nThe Executive Summary is available here.\r\nIs this research about a gaming Trojan from 2011? Why do you think it is significant?\r\nThis research is about a set of industrial cyberespionage campaigns and a criminal organization which massively\r\npenetrates many software companies and plays a very important role in the success of cyberespionage campaigns\r\nof other malicious actors.\r\nIt is important to be aware of this threat actor to understand the broader picture of cyberattacks coming from Asia.\r\nHaving infected gaming companies that do business in the MMORPG space, the attackers potentially get access to\r\nmillions of users. 
So far, we don’t have data that the attackers stole from common users but we do have at least 2\r\nincidents where the Winnti malware was planted on online game update servers and these malicious\r\nexecutables were spread among a large number of online gamers. The samples we observed seemed not to be\r\nmalware targeting end-user gamers, but a malware module which accidentally got into the wrong place. However, the\r\npotential for attackers to misuse such access to infect hundreds of millions of Internet users creates a major global\r\nrisk.\r\nIt’s important to understand that many gaming companies do business not only in gaming, but very often they are\r\nalso developers or publishers of different other types of software. We have tracked an incident where a\r\ncompromised company served an update of their software which included a Trojan from the Winnti hacking team.\r\nThat became an infection vector to penetrate another company, which in turn led to a personal data leak of a large\r\nnumber of its customers.\r\nhttps://securelist.com/winnti-faq-more-than-just-a-game/57585/\r\nPage 1 of 7\n\nIn short, this research is dedicated to a malicious group that not only undermines trust in fair gameplay but has a\r\nserious impact on trust in software vendors in general, especially in the regions where the Winnti group is active at\r\nthe moment.\r\nWhat are the malicious purposes of this Trojan?\r\nThe Trojan, or to be precise, a penetration kit called Winnti includes various modules to provide general purpose\r\nremote access to compromised machines. 
This includes general system information collection, file and process\r\nmanagement, creating chains of network port redirection for convenient data exfiltration and remote desktop\r\naccess.\r\nIs this attack still active?\r\nYes, despite active steps to stop the attackers by the revocation of digital certificates, detection of the malware and\r\nan active investigation, the attackers remain active, with at least several victim companies around the world being\r\nactively compromised.\r\nWhat is the potential impact for common users?\r\nThe malware in question does not target common users at the moment. With the use of that malware, the attackers\r\nare targeting online game software developer companies. So far we have not discovered malware with marks of\r\nWinnti team origin that targets common users but it is not improbable that such malware exists.\r\nWhat is the possible damage for gaming companies?\r\nThe malware has been known to steal digital certificates used by gaming companies, which allows the attackers to\r\ndistribute malicious software signed by trusted entities. Also, we’ve observed attempts to steal intellectual\r\nproperty belonging to gaming companies such as source code and internal systems design.\r\nWho are the attackers? What countries are they from?\r\nOur research revealed that the attackers used the Chinese language in the code of the malware; they used the Chinese\r\nlocale in their Windows servers and they have been using a number of IP addresses in China. There are a number\r\nof other indicators, such as nicknames, timezones and more showing that the attackers are located in the People’s\r\nRepublic of China.\r\nFor example, multiple virtual personas related to the Winnti malware appeared on specific Chinese forums about\r\nhacking/vulnerabilities/network security topics. 
We have tracked one such persona down to ad tenancy in\r\nLuoyang, Central China.\r\nWho are the victims? What is the scale of the attack?\r\nThe majority of the victims are software development companies, most of which are producing online video\r\ngames from South East Asia. We have counted 35 unique compromised businesses over the last year and a half.\r\nOn the other side, we revealed 227 domain names created by the attackers and used as Command \u0026 Control\r\nservers in different campaigns.\r\nWhy are the attackers focused on SE Asia?\r\nThis is most likely related to the geography of the attackers’ home and their interests in local software developers.\r\nIt seems that the attackers were interested in gaining access to local popular software vendors. The reason behind\r\nthat is unclear; they probably wanted to get hold of digital certificates and access to the software production\r\nprocesses of local software developers to be able to attack other local organizations or gain the potential to infect a\r\nlarge number of local users at any time.\r\nHow are users (both home and corporate) protected against those types of attack?\r\nAll Kaspersky Lab customers are protected now with regular updates of anti-malware bases. We would like to\r\nrecommend that all other users stay cautious when opening attachments that arrive in suspicious e-mails as this\r\nwas exactly the technique used to spread the malware.\r\nCan you describe the different stages of this attack? For example, did the attackers compromise gaming\r\ncompanies servers first, and then use the compromised servers (and signed certificates) to distribute\r\nmalware to end-users (gamers)?\r\nIn most cases we have seen targeted attacks which started from a spear phishing email sent to one or a few\r\ncompany mailboxes. 
The emails had a malicious attachment in a self-extracting or regular archive with an\r\nexecutable. We haven’t seen any zero-day vulnerabilities used by this particular group. After the initial penetration\r\nof a corporate network, the attackers uploaded a set of tools to the infected machine to scan the network resources,\r\nescalate privileges and locate the most valuable information in the attacked organization. Next, the attackers\r\nexfiltrated stolen data in compressed form to one of their C\u0026C servers on the internet, normally by using a back-connect TCP channel through a chain of simple TCP-proxy applications.\r\nAs for the compromised server, yes, we have seen incidents when the malware was available for download from a\r\npublic server of gaming companies, but the component we have seen on the server wasn’t enough to successfully\r\ninfect end-users’ machines and most likely got there by accident.\r\nHow are the attackers profiting from this? Is it done by online game manipulations or are they making\r\nmoney by stealing personal user data/files/credentials from infected machines via the backdoor (not related\r\nto in-game play)?\r\nWe believe that the main objective of the attackers is to collect digital certificates, steal intellectual property of the\r\nsoftware development companies, which normally includes source code of their products, and theft of in-game\r\nvirtual gold/currency in MMORPGs. While digital certificates could be sold on the underground market to other\r\nattackers, the source code brings more opportunities, from in-game exploitation of vulnerabilities to the creation of\r\nshadow copies of the online game business in the local region of the attackers.\r\nIf it’s done via in-game play, can you explain how this is done? 
Are they exploiting vulnerabilities in the\r\ncompromised games to create rogue amounts of in-game currency (gold/runes/coins/etc) and then sell the\r\nfake in-game currency to other players for real money?\r\nWe currently don’t have full confirmation that the attackers abused games to generate fake currencies as we didn’t\r\nhave full access to the gaming servers that were compromised by the attackers, but, according to some reports from\r\nthe gaming companies, some malicious modules were injected into the process of game servers and most likely\r\nwere used to manipulate the internal state of the process, which most likely leads to production of rogue amounts\r\nof in-game currency or any other valuable game objects.\r\nWhich gaming companies were targeted? Which games were targeted?\r\nWe disclose the list of companies whose digital certificates were stolen and abused by the attackers. However, the\r\nlist doesn’t include all compromised companies we know. Some of the companies we worked with voluntarily\r\nassisted our research and investigation but preferred to remain anonymous. Below is the list of companies that had\r\ntheir certificates stolen:\r\nESTsoft Corp\r\nKog Co., Ltd.\r\nLivePlex Corp\r\nMGAME Corp\r\nRosso Index KK\r\nSesisoft\r\nWemade\r\nYNK Japan\r\nGuangzhou YuanLuo\r\nFantasy Technology Corp\r\nNeowiz\r\nAlso Winnti samples contain tags that could indicate companies that were breached or had been compromised and to\r\nwhich the samples are/were destined. 
Among them we have recognized the following companies:\r\nCayenne Entertainment Technology Co.,Ltd, Taiwan, tag: Wasabii\r\nAsiaSoft, Thailand, tag: asiasoft\r\nGameNet, Russia, tag: GameNet\r\nNEXON Corporation, Japan, tag: nexon\r\nVNG Corporation, Vietnam, tag: zing\r\nTrion Worlds, USA, tag: TRIONWORLD\r\nEYAsoft, South Korea, tag: eyaap80\r\nNCsoft, South Korea, tags: aion5000, aion2008\r\nZemi Interactive, South Korea, tag: zemi\r\nNHN Corporation, South Korea, tag: NHN\r\nHangame Japan, Japan, tag: hangame.jp\r\nDid you identify any unique characteristics during your analysis that indicated who the attackers might be?\r\nYes, we were able to collect a few unique characteristics of the attackers:\r\nThe time zone when the attackers were active: most likely between GMT+07 and GMT+09.\r\nChinese simplified locale set in the resource section of some malicious modules. Chinese text strings used\r\nin the report messages of some modules.\r\nChinese hacking team name used as a password for a special backdoor.\r\nChinese user profiles involved in posting control messages on public Internet resources (blogs and forums).\r\nChinese system locale used at C\u0026C servers (via RDP connection).\r\nHave any of these characteristics been identified in other targeted campaigns not related to gaming?\r\nCertificates of gaming companies were used in attacks against Tibetan and Uyghur activists:\r\nhttps://securelist.com/new-uyghur-and-tibetan-themed-attacks-using-pdf-exploits-45/35465/\r\nhttps://www.f-secure.com/weblog/archives/00002524.html\r\nSome additional industries, including aerospace:\r\nhttps://www.alienvault.com/blogs/labs-research/adobe-patches-two-vulnerabilities-being-exploited-in-the-wild\r\nWe also observed that SK Communications, the owner of the largest social network CyWorld in South Korea and\r\nthe popular South Korean web portal Nate, had been hacked back in 2011 and an 
infection spread there from\r\nanother company, ESTsoft, which the Winnti team had penetrated first:\r\nhttps://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2013/04/20082912/C5_APT_SKHack.pdf\r\nCould the Winnti attackers be involved in any additional campaigns that occurred in the past?\r\nBased on the general perception of the Winnti operations, we believe that the attackers that currently form the\r\nWinnti group used to be members of Chinese underground hacking teams. It is most likely that they were\r\nattacking various entities including businesses and individuals as members of those groups, but united in the Winnti\r\ngroup they have started doing that routinely, systematically and under well-organized management. The ex-members of various hacking teams were united and started doing penetrations at a professional level.\r\nWhat does this campaign mean to someone who isn’t an online gamer or gaming company? Is the Winnti\r\nCrew attacking other targets as well?\r\nThere have been a few incidents in which non-gaming companies were compromised; however, the main focus of the\r\nWinnti group is currently game developers. Nevertheless, there is no reason why the Winnti group wouldn’t move\r\nto other types of businesses in the future, because their attack tools are universal and may be used against any\r\nother target.\r\nAre there any unique infection symptoms that end-users should be aware of (BSOD, open ports, etc.)?\r\nThe malware that we have analyzed uses a rootkit approach while running on the system. It starts as a system driver\r\nand loads additional components in memory. 
The end-user will most likely see no changes compared to the\r\nuninfected system.\r\nWhat should companies in the gaming industry do to verify their servers weren’t compromised?\r\nThe easiest way for system administrators would be to deploy an anti-malware engine in a product or a standalone\r\ntool (such as Kaspersky Security Scan) as all the malicious files are currently detected with our anti-malware\r\ndatabases.\r\nWhat should end-users do to check if their systems were compromised?\r\nIt is possible for a common user to manually check if the system is compromised. Normally it can be recognized\r\nby local files on disk with names apphelp.dll and winmm.dll which are located outside the %WINDIR%\\System32\r\ndirectory. Traditionally, the attackers place these files in %WINDIR%, which is a good indicator of a\r\ncompromised system.\r\nSource: https://securelist.com/winnti-faq-more-than-just-a-game/57585/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/winnti-faq-more-than-just-a-game/57585/"
	],
	"report_names": [
		"57585"
	],
	"threat_actors": [
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434540,
	"ts_updated_at": 1775826768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9ef48e2993b8c6d2a3ad99cd6a416658f153f7f7.pdf",
		"text": "https://archive.orkl.eu/9ef48e2993b8c6d2a3ad99cd6a416658f153f7f7.txt",
		"img": "https://archive.orkl.eu/9ef48e2993b8c6d2a3ad99cd6a416658f153f7f7.jpg"
	}
}