{
	"id": "e1aebdee-5a98-4b9a-bfe5-806a8019bbab",
	"created_at": "2026-04-06T00:22:01.33531Z",
	"updated_at": "2026-04-10T03:36:00.002251Z",
	"deleted_at": null,
	"sha1_hash": "b52b55541ba3a2f05e5b45cfa755fd73f721f5f8",
	"title": "Winnti APT41 Targets Japanese Firms in RevivalStone Cyber Espionage Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 307993,
	"plain_text": "Winnti APT41 Targets Japanese Firms in RevivalStone Cyber Espionage Campaign\r\nBy The Hacker News\r\nPublished: 2025-02-18 · Archived: 2026-04-05 14:40:41 UTC\r\nThe China-linked threat actor known as Winnti has been attributed to a new campaign dubbed RevivalStone that targeted Japanese companies in the manufacturing, materials, and energy sectors in March 2024.\r\nThe activity, detailed by Japanese cybersecurity company LAC, overlaps with a threat cluster tracked by Trend Micro as Earth Freybug, which has been assessed to be a subset within the APT41 cyber espionage group. It's also monitored by Cybereason under the name Operation CuckooBees, and by Symantec as Blackfly.\r\nAPT41 has been described as a highly skilled and methodical actor with the ability to mount espionage attacks as well as poison the supply chain. Its campaigns are often designed with stealth in mind, leveraging a bevy of tactics to achieve its goals by using a custom toolset that not only bypasses security software installed in the environment, but also harvests critical information and establishes covert channels for persistent remote access.\r\n\"The group's espionage activities, many of which are aligned with the nation's strategic objectives, have targeted a wide range of public and private industry sectors around the world,\" LAC said.\r\nhttps://thehackernews.com/2025/02/winnti-apt41-targets-japanese-firms-in.html\r\nPage 1 of 3\r\n\"The attacks of this threat group are characterized by the use of Winnti malware, which has a unique rootkit that allows for the hiding and manipulation of communications, as well as the use of stolen, legitimate digital certificates in the malware.\"\r\nWinnti, active since at least 2012, has primarily singled out manufacturing and materials-related organizations in Asia as of 2022, with recent campaigns between November 2023 and October 2024 targeting the Asia-Pacific (APAC) region exploiting weaknesses in public-facing applications like IBM Lotus Domino to deploy malware as follows -\r\nDEATHLOTUS - A passive CGI backdoor that supports file creation and command execution\r\nUNAPIMON - A defense evasion utility written in C++\r\nPRIVATELOG - A loader that's used to drop Winnti RAT (aka DEPLOYLOG) which, in turn, delivers a kernel-level rootkit named WINNKIT by means of a rootkit installer\r\nCUNNINGPIGEON - A backdoor that uses Microsoft Graph API to fetch commands – file and process management, and custom proxy – from mail messages\r\nWINDJAMMER - A rootkit with capabilities to intercept the TCP/IP network interface, as well as create covert channels with infected endpoints within the intranet\r\nSHADOWGAZE - A passive backdoor reusing the listening port of the IIS web server\r\nThe latest attack chain documented by LAC has been found to exploit an SQL injection vulnerability in an unspecified enterprise resource planning (ERP) system to drop web shells such as China Chopper and Behinder (aka Bingxia and IceScorpion) on the compromised server, using the access to perform reconnaissance, collect credentials for lateral movement, and deliver an improved version of the Winnti malware.\r\nThe intrusion's reach is said to have been expanded further to breach a managed service provider (MSP) by leveraging a shared account, followed by weaponizing the company's infrastructure to propagate the malware further to three other organizations.\r\nLAC said it also found references to TreadStone and StoneV5 in the RevivalStone campaign, with the former being a controller that's designed to work with the Winnti malware and which was also included in the I-Soon (aka Anxun) leak of last year in connection with a Linux malware control panel.\r\n\"If TreadStone has the same meaning as the Winnti malware, it is only speculation, but StoneV5 could also mean Version 5, and it is possible that the malware used in this attack is Winnti v5.0,\" researchers Takuma Matsumoto and Yoshihiro Ishikawa said.\r\n\"The new Winnti malware has been implemented with features such as obfuscation, updated encryption algorithms, and evasion by security products, and it is likely that this attacker group will continue to update the functions of the Winnti malware and use it in attacks.\"\r\nThe disclosure comes as Fortinet FortiGuard Labs detailed a Linux-based attack suite dubbed SSHDInjector that's equipped to hijack the SSH daemon on network appliances by injecting malware into the process for persistent access and covert actions since November 2024.\r\nThe malware suite, associated with another Chinese nation-state hacking group known as Daggerfly (aka Bronze Highland and Evasive Panda), is engineered for data exfiltration, listening for incoming instructions from a remote server to enumerate running processes and services, perform file operations, launch a terminal, and execute terminal commands.\r\nSource: https://thehackernews.com/2025/02/winnti-apt41-targets-japanese-firms-in.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://thehackernews.com/2025/02/winnti-apt41-targets-japanese-firms-in.html"
	],
	"report_names": [
		"winnti-apt41-targets-japanese-firms-in.html"
	],
	"threat_actors": [
		{
			"id": "f35997d9-ca1e-453f-b968-0e675cc16d97",
			"created_at": "2023-01-06T13:46:39.490819Z",
			"updated_at": "2026-04-10T02:00:03.345364Z",
			"deleted_at": null,
			"main_name": "Evasive Panda",
			"aliases": [
				"BRONZE HIGHLAND"
			],
			"source_name": "MISPGALAXY:Evasive Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "315bd857-79cc-46f2-896f-aeb0fc576b49",
			"created_at": "2024-04-28T02:00:03.693599Z",
			"updated_at": "2026-04-10T02:00:03.62936Z",
			"deleted_at": null,
			"main_name": "Earth Freybug",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Freybug",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "10e4e1de-afe4-4a62-b46d-07800c801a17",
			"created_at": "2024-04-24T02:02:07.562188Z",
			"updated_at": "2026-04-10T02:00:04.560334Z",
			"deleted_at": null,
			"main_name": "Earth Freybug",
			"aliases": [
				"Earth Freybug"
			],
			"source_name": "ETDA:Earth Freybug",
			"tools": [
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"UNAPIMON"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a",
			"created_at": "2024-11-01T02:00:52.763555Z",
			"updated_at": "2026-04-10T02:00:05.263997Z",
			"deleted_at": null,
			"main_name": "Daggerfly",
			"aliases": [
				"Daggerfly",
				"Evasive Panda",
				"BRONZE HIGHLAND"
			],
			"source_name": "MITRE:Daggerfly",
			"tools": [
				"PlugX",
				"MgBot",
				"BITSAdmin",
				"MacMa",
				"Nightdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7",
			"created_at": "2023-01-06T13:46:39.413725Z",
			"updated_at": "2026-04-10T02:00:03.31882Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Evasive Panda",
				"Daggerfly"
			],
			"source_name": "MISPGALAXY:BRONZE HIGHLAND",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7",
			"created_at": "2022-10-25T16:07:23.422755Z",
			"updated_at": "2026-04-10T02:00:04.592069Z",
			"deleted_at": null,
			"main_name": "Bronze Highland",
			"aliases": [
				"Daggerfly",
				"Digging Taurus",
				"Evasive Panda",
				"Storm Cloud",
				"StormBamboo",
				"TAG-102",
				"TAG-112"
			],
			"source_name": "ETDA:Bronze Highland",
			"tools": [
				"Agentemis",
				"CDDS",
				"CloudScout",
				"Cobalt Strike",
				"CobaltStrike",
				"DazzleSpy",
				"KsRemote",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MacMa",
				"Macma",
				"MgBot",
				"Mgmbot",
				"NetMM",
				"Nightdoor",
				"OSX.CDDS",
				"POCOSTICK",
				"RELOADEXT",
				"Suzafk",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f7d2815-7504-4818-bf8d-bba18161b111",
			"created_at": "2025-08-07T02:03:24.613342Z",
			"updated_at": "2026-04-10T02:00:03.732192Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Daggerfly",
				"Daggerfly ",
				"Evasive Panda ",
				"Evasive Panda ",
				"Storm Bamboo "
			],
			"source_name": "Secureworks:BRONZE HIGHLAND",
			"tools": [
				"Cobalt Strike",
				"KsRemote",
				"Macma",
				"MgBot",
				"Nightdoor",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434921,
	"ts_updated_at": 1775792160,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b52b55541ba3a2f05e5b45cfa755fd73f721f5f8.pdf",
		"text": "https://archive.orkl.eu/b52b55541ba3a2f05e5b45cfa755fd73f721f5f8.txt",
		"img": "https://archive.orkl.eu/b52b55541ba3a2f05e5b45cfa755fd73f721f5f8.jpg"
	}
}