{
	"id": "819b1ff6-ef0a-4036-80ee-7c96d6a36b7e",
	"created_at": "2026-04-06T00:22:32.224434Z",
	"updated_at": "2026-04-10T03:32:20.617135Z",
	"deleted_at": null,
	"sha1_hash": "b7b6535cee4727e614a9216490109cae65482984",
	"title": "No “Game over” for the Winnti Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 790406,
	"plain_text": "No “Game over” for the Winnti Group\r\nBy Mathieu Tartare and Martin Smolár\r\nArchived: 2026-04-05 16:13:22 UTC\r\nIn February 2020, we discovered a new, modular backdoor, which we named PipeMon. Persisting as a Print Processor, it\r\nwas used by the Winnti Group against several video gaming companies that are based in South Korea and Taiwan and\r\ndevelop MMO (Massively Multiplayer Online) games. Video games developed by these companies are available on popular\r\ngaming platforms and have thousands of simultaneous players.\r\nIn at least one case, the malware operators compromised a victim’s build system, which could have led to a supply-chain\r\nattack, allowing the attackers to trojanize game executables. In another case, the game servers were compromised, which\r\ncould have allowed the attackers to, for example, manipulate in-game currencies for financial gain.\r\nThe Winnti Group, active since at least 2012, is responsible for high-profile supply-chain attacks against the software\r\nindustry, leading to the distribution of trojanized software (such as CCleaner, ASUS LiveUpdate and multiple video games)\r\nthat is then used to compromise more victims. Recently, ESET researchers also discovered a campaign of the Winnti Group\r\ntargeting several Hong Kong universities with ShadowPad and Winnti malware.\r\nAbout the “Winnti Group” naming:\r\nWe have chosen to keep the name “Winnti Group” since it’s the name first used to identify it, in 2013, by Kaspersky. Since\r\nWinnti is also a malware family, we always write \"Winnti Group\" when we refer to the malefactors behind the attacks. Since\r\n2013, it has been demonstrated that Winnti is only one of the many malware families used by the Winnti Group.\r\nAttribution to the Winnti Group\r\nMultiple indicators led us to attribute this campaign to the Winnti Group. 
Some of the C\u0026C domains used by PipeMon were\r\nused by Winnti malware in previous campaigns mentioned in our white paper on the Winnti Group arsenal. Moreover, Winnti\r\nmalware was also found in 2019 at some of the companies that were later compromised with PipeMon.\r\nIn addition to Winnti malware, a custom AceHash (a credential harvester) binary found at other victims of the Winnti Group,\r\nand signed with a well-known stolen certificate used by the group (Wemade IO), was also used during this campaign.\r\nThe certificate used to sign the PipeMon installer, modules and additional tools is linked to a video game company that was\r\ncompromised in a supply-chain attack in late 2018 by the Winnti Group and was likely stolen at that time.\r\nInterestingly, PipeMon modules are installed in %SYSTEM32%\\spool\\prtprocs\\x64\\; this path was also used in the past to\r\ndrop the second stage of the trojanized CCleaner.\r\nAdditionally, compromising a software developer's build environment to subsequently compromise legitimate applications is\r\na known modus operandi of the Winnti Group.\r\nTargeted companies\r\nCompanies targeted in this campaign are video game developers, producing MMO games and based in South Korea and\r\nTaiwan. In at least one case, the attackers were able to compromise the company's build orchestration server, allowing them\r\nto take control of the automated build systems. This could have allowed the attackers to include arbitrary code of their\r\nchoice in the video game executables.\r\nESET contacted the affected companies and provided the necessary information to remediate the compromise.\r\nhttps://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/\r\nPage 1 of 15\n\nTechnical analysis\r\nTwo different variants of PipeMon were found at the targeted companies. 
Only for the more recent variant were we able to\r\nidentify the first stage, which is responsible for installing and persisting PipeMon.\r\nFirst stage\r\nPipeMon's first stage consists of a password-protected RARSFX executable embedded in the .rsrc section of its launcher.\r\nThe launcher writes the RARSFX to setup0.exe in a directory named with a randomly generated, eight-character, ASCII\r\nstring located in the directory returned by GetTempPath. Once written to disk, the RARSFX is executed with CreateProcess\r\nby providing the decryption password in an argument, as follows:\r\nsetup0.exe -p*|T/PMR{|T2^LWJ*\r\nNote that the password is different with each sample.\r\nThe content of the RARSFX is then extracted into %TMP%\\RarSFX0 and consists of the following files:\r\nCrLnc.dat – Encrypted payload\r\nDuser.dll – Used for UAC bypass\r\nosksupport.dll – Used for UAC bypass\r\nPrintDialog.dll – Used for the malicious print processor initialization\r\nPrintDialog.exe – Legitimate Windows executable used to load PrintDialog.dll\r\nsetup.dll – Installation DLL\r\nsetup.exe – Main executable\r\nNote that in the event of a folder name collision, the number at the end of the RarSFX0 string is incremented until a collision\r\nis avoided. Further, not all these files are necessarily present in the archive, depending on the installer.\r\nOnce extracted, setup.exe is executed without arguments. Its sole purpose is to load setup.dll using LoadLibraryA. Once\r\nloaded, setup.dll checks whether an argument in the format -x:n (where n is an integer) was provided; the mode of operation\r\nwill be different depending on the presence of n. Supported arguments and their corresponding behavior are shown in Table\r\n1. setup.exe is executed without arguments by the RARSFX, and checks whether it's running with elevated privileges. 
If not,\r\nit will attempt to obtain such privileges using token impersonation if the version of Windows is below Windows 7 build\r\n7601; otherwise it will attempt different UAC bypass techniques, allowing installation of the payload loader into one of:\r\nC:\\Windows\\System32\\spool\\prtprocs\\x64\\DEment.dll\r\nC:\\Windows\\System32\\spool\\prtprocs\\x64\\EntAppsvc.dll\r\nC:\\Windows\\System32\\spool\\prtprocs\\x64\\Interactive.dll\r\ndepending on the variant. Note that we weren’t able to retrieve samples related to Interactive.dll.\r\nTable 1. setup.exe supported arguments and their corresponding behavior.\r\nCommand line argument value | Behavior\r\n-x:0 | Load the payload loader.\r\n-x:1 | Attempt to enable SeLoadDriverPrivilege for the current process. If successful, attempt to install the payload loader; otherwise, restart setup.exe with the -x:2 argument using parent process spoofing.\r\n-x:2 | Attempt to enable SeLoadDriverPrivilege for the current process. If successful, attempt to install the payload loader.\r\nThis loader is stored encrypted within setup.dll, which will decrypt it before writing it to the aforementioned location.\r\nPersistence using Windows Print Processors\r\nThe location where the malicious DLL is dropped was not chosen randomly. This is the path where Windows Print\r\nProcessors are located and setup.dll registers the malicious DLL loader as an alternative Print Processor by setting one of the\r\nfollowing registry values:\r\nHKLM\\SYSTEM\\ControlSet001\\Control\\Print\\Environments\\Windows x64\\Print Processors\\PrintFiiterPipelineSvc\\Driver = “DEment.dll”\r\nor\r\nHKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Environments\\Windows x64\\Print Processors\\lltdsvc1\\Driver = “EntAppsvc.dll”\r\ndepending on the variant. 
Note the typo in PrintFiiterPipelineSvc (which has no impact on the Print Processor installation\r\nsince any name can be used).\r\nAfter having registered the Print Processor, PipeMon restarts the print spooler service (spoolsv.exe). As a result, the\r\nmalicious Print Processor is loaded when the spooler service starts. Note that the Print Spooler service starts at each PC\r\nstartup, which ensures persistence across reboots.\r\nThis technique is very similar to the Print Monitor persistence technique (used by DePriMon, for example) and, to\r\nour knowledge, has not been documented previously.\r\nAdditionally, the encrypted payload, CrLnc.dat, extracted from the RARSFX is written to the registry at the following\r\nlocation, depending on the installer:\r\nHKLM\\SOFTWARE\\Microsoft\\Print\\Components\\DC20FD7E-4B1B-4B88-8172-61F0BED7D9E8\r\nHKLM\\SOFTWARE\\Microsoft\\Print\\Components\\A66F35-4164-45FF-9CB4-69ACAA10E52D\r\nThis encrypted registry payload is then loaded, decrypted and executed by the previously registered Print Processor library.\r\nThe whole PipeMon staging and persistence is shown in Figure 1.\r\nFigure 1. PipeMon staging and persistence\r\nPipeMon\r\nWe named this new implant PipeMon because it uses multiple named pipes for inter-module communication and according\r\nto its PDB path, the name of the Visual Studio project used by its developer is “Monitor”.\r\nAs mentioned previously, two different PipeMon variants were found. Considering the first variant, we couldn't retrieve the\r\ninstaller; thus, we don't know for sure the persistence technique that was used. 
But considering that this first variant of\r\nPipeMon was also located in the Print Processor directory, it's likely that the same persistence mechanism was used.\r\nOriginal variant\r\nPipeMon is a modular backdoor where each module is a single DLL exporting a function called IntelLoader and is loaded\r\nusing a reflective loading technique. Each module exhibits different functionalities that are shown in Table 2.\r\nThe loader, responsible for loading the main modules (ManagerMain and GuardClient), is Win32CmdDll.dll and is located in\r\nthe Print Processors directory. The modules are stored encrypted on disk at the same location with inoffensive-looking\r\nnames such as:\r\nbanner.bmp\r\ncertificate.cert\r\nLicense.hwp\r\nJSONDIU7c9djE\r\nD8JNCKS0DJE\r\nB0SDFUWEkNCj.log\r\nNote that .hwp is the extension used by Hangul Word Processor from Hangul Office, which is very popular in South Korea.\r\nThe modules are RC4 encrypted and the decryption key Com!123Qasdz is hardcoded into each module. Win32CmdDll.dll\r\ndecrypts and injects the ManagerMain and GuardClient modules. The ManagerMain module is responsible for decrypting\r\nand injecting the Communication module, while the GuardClient module will ensure that the Communication module is\r\nrunning and reload it if necessary. An overview of how PipeMon operates is shown in Figure 2.\r\nWin32CmdDll.dll first tries to inject the ManagerMain and GuardClient modules into a process with one of the following\r\nnames: lsass.exe, wininit.exe or lsm.exe. If that fails, it tries to inject into one of the registered Windows service processes,\r\nexcluding processes named spoolsv.exe, ekrn.exe (ESET), avp.exe (Kaspersky) or dllhost.exe. 
As a last option, if everything\r\nelse failed, it tries to use the processes taskhost.exe, taskhostw.exe or explorer.exe.\r\nThe process candidates for Communication module injection must be in the TCP connection table with either 0.0.0.0 as the\r\nlocal address, or an ESTABLISHED connection and owning a LOCAL SERVICE token. These conditions are likely used to\r\nhide the Communication module in a process that is already communicating over the network so that the traffic from the\r\nCommunication module would seem inconspicuous and possibly also whitelisted in the firewall. If no process meets the\r\nprevious requirements, the ManagerMain module tries to inject the Communication module into explorer.exe. Processes\r\nbelonging to the Windows Store Apps and processes named egui.exe (ESET) and avpui.exe (Kaspersky) are excluded from\r\nthe selection.\r\nTable 2. PipeMon module descriptions and their respective PDB paths\r\nModule Name | Description | PDB Path\r\nWin32CmdDll | Decrypts and loads the ManagerMain and GuardClient modules. | S:\\Monitor\\Monitor_RAW\\Launcher\\x64\\Release\\Win32CmdDll.pdb; S:\\Monitor\\Monitor_RAW\\libs\\x64\\Release\\Win32CmdDll.pdb\r\nGuardClient | Periodically checks whether the Communication module is running and loads it if not. | S:\\Monitor\\Monitor_RAW\\Client\\x64\\Release\\GuardClient.pdb\r\nManagerMain | Loads the Communication module when executed. Contains the encrypted C\u0026C domain, which is passed to the Communication module via named pipe. Can execute several commands based on the data received from the Communication module (mostly system information collection, injecting payloads). | S:\\Monitor\\Monitor_RAW\\Client\\x64\\Release\\ManagerMain.pdb\r\nCommunication | Responsible for managing communication between the C\u0026C server and individual modules via named pipes. | S:\\Monitor\\Monitor_RAW\\Client\\x64\\Release\\Communication.pdb; F:\\PCC\\trunk\\CommunicationClient\\x64\\Release\\Communication.pdb\r\nAdditional modules can be loaded on-demand using dedicated commands (see below), but unfortunately, we weren't able to\r\ndiscover any of them. The names of these modules are an educated guess based on the named pipes used to communicate\r\nwith them:\r\nScreen\r\nRoute\r\nCMD\r\nInCmd\r\nFile\r\nInter-module communication\r\nInter-module communication is performed via named pipes, using two named pipes per communication channel between\r\neach individual module, one for sending and one for receiving. Table 3 lists the communication channels and their\r\ncorresponding named pipes.\r\nTable 3. PipeMon communication channels and their respective named pipes\r\nCommunication channel | Named pipe\r\nCommunication, Screen | \\\\.\\pipe\\ScreenPipeRead%CNC_DEFINED%; \\\\.\\pipe\\ScreenPipeWrite%CNC_DEFINED%\r\nCommunication, Route | \\\\.\\pipe\\RoutePipeWriite%B64_TIMESTAMP%\r\nCommunication, ManagerMain | \\\\.\\pipe\\MainPipeWrite%B64_TIMESTAMP%; \\\\.\\pipe\\MainPipeRead%B64_TIMESTAMP%\r\nGuardClient, ManagerMain | \\\\.\\pipe\\MainHeatPipeRead%B64_TIMESTAMP%\r\nCommunication, InCmd | \\\\.\\pipe\\InCmdPipeWrite%B64_TIMESTAMP%; \\\\.\\pipe\\InCmdPipeRead%B64_TIMESTAMP%\r\nCommunication, File | \\\\.\\pipe\\FilePipeRead%B64_TIMESTAMP%; \\\\.\\pipe\\FilePipeWrite%B64_TIMESTAMP%\r\nGuardClient, Communication | \\\\.\\pipe\\ComHeatPipeRead%B64_TIMESTAMP%\r\nCommunication, CMD | \\\\.\\pipe\\CMDPipeRead; \\\\.\\pipe\\CMDPipeWrite\r\nThe %CNC_DEFINED% string is received from the C\u0026C server and the %B64_TIMESTAMP% variables are base64-encoded\r\ntimestamps such as the ones shown in Table 4.\r\nTable 4. 
Example timestamps used with named pipes\r\n%B64_TIMESTAMP% | Decoded timestamp\r\nMjAxOTAyMjgxMDE1Mzc= | 20190228101537\r\nMjAxOTA1MjEyMzU2MjQ= | 20190521235624\r\nMjAxOTExMjExMjE2MjY= | 20191121121626\r\nFigure 2. PipeMon IPC scheme (original PipeMon variant)\r\nC\u0026C communication\r\nThe Communication module is responsible for managing communications between the C\u0026C server and the other modules\r\nvia named pipes, similar to the PortReuse backdoor documented in our white paper on the Winnti arsenal.\r\nIts C\u0026C address is hardcoded in the ManagerMain module and encrypted using RC4 with the hardcoded key\r\nCom!123Qasdz. It is sent to the Communication module through a named pipe.\r\nA separate communication channel is created for each installed module. The communication protocol used is TLS over TCP.\r\nThe communication is handled with the HP-Socket library. All the messages are RC4 encrypted using the hardcoded key. If\r\nthe size of the message to be transferred is greater than or equal to 4 KB, it is first compressed using zlib’s Deflate\r\nimplementation.\r\nstruct CCMSG\r\n{\r\n BYTE is_compressed;\r\n CMD cmd;\r\n};\r\nstruct CMD\r\n{\r\n QWORD cmd_type;\r\n DWORD cmd_size;\r\n DWORD cmd_arg;\r\n BYTE data[cmd_size - 16];\r\n};\r\nstruct beacon_msg\r\n{\r\n BYTE isCompressed = 0;\r\n CMD cmd_hdr;\r\n WCHAR win_version[128];\r\n WCHAR adapters_addrs[128];\r\n WCHAR adapters_addrs[64];\r\n WCHAR local_addr[64];\r\n WCHAR malware_version[64];\r\n WCHAR computer_name[64];\r\n};\r\nFigure 3. 
C\u0026C message and beacon formats\r\nTo initiate communication with the C\u0026C server, a beacon message is first sent that contains the following information:\r\nOS version\r\nphysical addresses of connected network adapters concatenated with %B64_TIMESTAMP%\r\nvictim's local IP address\r\nbackdoor version/campaign ID; we've observed the following values:\r\n\"1.1.1.4beat\"\r\n\"1.1.1.4Bata\"\r\n\"1.1.1.5\"\r\nvictim computer name\r\nThe information about the victim's machine is collected by the ManagerMain module and sent to the Communication\r\nmodule via the named pipe. The backdoor version is hardcoded in the Communication module in cleartext.\r\nThe format of the beacon message is shown in Figure 3 and the supported commands are shown in Table 5.\r\nTable 5. List of commands\r\nCommand type | Command argument | Description\r\n0x02 | 0x03 | Install the File module\r\n0x03 | 0x03 | Install the CMD module\r\n0x03 | 0x0B | Install the InCmd module\r\n0x04 | 0x02 | Queue command for the Route module\r\n0x04 | 0x03 | Install the Route module\r\n0x05 | * | Send victim’s RDP information to the C\u0026C server\r\n0x06 | 0x05 | Send OS, CPU, PC and time zone information to the C\u0026C server\r\n0x06 | 0x06 | Send network information to the C\u0026C server\r\n0x06 | 0x07 | Send disk drive information to the C\u0026C server\r\n0x07 | * | Send running processes information to the C\u0026C server\r\n0x09 | * | DLL injection\r\n0x0C | 0x15 | Send names of \"InCmd\" pipes and events to the C\u0026C server\r\n0x0C | 0x16 | Send name of \"Route\" pipe to the C\u0026C server\r\n0x0C | 0x17 | Send names of \"File\" pipes to the C\u0026C server\r\n* The argument supplied for this command type is ignored\r\nUpdated variant\r\nAs mentioned earlier, the attackers also use an updated version of PipeMon for which we were able to retrieve the first stage\r\ndescribed above. 
While exhibiting an architecture highly similar to the original variant, its code was likely rewritten from\r\nscratch.\r\nThe RC4 code used to decrypt the modules and strings was replaced by a simple XOR with 0x75E8EEAF as the key and all\r\nthe hardcoded strings were removed. The named pipes used for inter-module communication are now named using random\r\nvalues instead of explicit names and conform to the format \\\\.\\pipe\\%rand%, where %rand% is a pseudorandomly generated\r\nstring of 31 characters containing only mixed case alphabetic characters.\r\nHere, only the main loader (i.e. the malicious DLL installed as a Print Processor) is stored as a file on disk; the modules are\r\nstored in the registry by the installer (from the CrLnc.dat file) and are described in Table 6.\r\nTable 6. Updated modules\r\nModule name | Description\r\nCoreLnc.dll | Loaded by the malicious Print Processor. Responsible only for loading the Core.dll module embedded in its .data section.\r\nCore.dll | Loads the Net.dll module embedded in its .data section. Handles commands from the C\u0026C server and communications between individual modules and the C\u0026C server through named pipes.\r\nNet.dll | New Communication module. Handles the networking.\r\nModule injection is not performed using the reflective loading technique with an export function anymore; custom loader\r\nshellcode is used instead and is injected along with the module to be loaded.\r\nThe C\u0026C message format was changed as well, and is shown in Figure 4.\r\nstruct CCMSG\r\n{\r\n BYTE is_compressed;\r\n CMD cmd;\r\n};\r\nstruct CMD\r\n{\r\n QWORD cmd_type;\r\n DWORD cmd_size;\r\n DWORD cmd_arg;\r\n BYTE data[cmd_size - 16];\r\n};\r\nstruct CCMSG\r\n{\r\n DWORD signature = 0xFA149DEB;\r\n DWORD not_used;\r\n WORD buff_size;\r\n WORD msgcode;\r\n BYTE buff[buff_size];\r\n};\r\nFigure 4. 
Previous (top) and updated (bottom) C\u0026C message format\r\nInterestingly, the backdoor’s configuration is encrypted and embedded in the loader DLL. The configuration contains:\r\nName of the registry value\r\nCampaign identifier\r\nC\u0026C IP addresses or domain names\r\nTimestamp (in FILETIME format) corresponding to the date from which to start using a second C\u0026C domain\r\nmarked with ‘#’ in the configuration.\r\nAn example of a configuration dump embedded in the loader DLL is shown in Figure 5. Configurations extracted from\r\nseveral loader DLLs are shown in Table 7.\r\nFigure 5. Example of decrypted configuration (with a few zero-bytes removed because of image size)\r\nTable 7. Configuration extracted from several loaders\r\nLoader SHA-1 | Campaign ID | Payload registry name | C\u0026C IP/domains | Alternative domain activation timestamp\r\n6c97039605f93ccf1afccbab8174d26a43f91b20 | KOR2 | DC20FD7E-4B1B-4B88-8172-61F0BED7D9E8 | 154.223.215.116; ssl2.dyn-tracker.com; #client.gnisoft.com | 0x01d637a797cf0 (Monday, June 1, 2020 12:00:00am)\r\n97da4f938166007ce365c29e1d685a1b850c5bb0 | KOR | DC20FD7E-4B1B-4B88-8172-61F0BED7D9E8 | 203.86.239.113; ssl2.dyn-tracker.com; #client.gnisoft.com | 0x01d637a797cf0 (Monday, June 1, 2020 12:00:00am)\r\n7ca43f3612db0891b2c4c8ccab1543f581d0d10c | kor1 | DC20FD7E-4B1B-4B88-8172-61F0BED7D9E8 | 203.86.239.113; www2.dyn.tracker.com (note the typo here: dyn.tracker instead of dyn-tracker); #nmn.nhndesk.com | 0x01d61f4b7500 (Friday, May 1, 2 12:00:00am)\r\nb02ad3e8b1cf0b78ad9239374d535a0ac57bf27e | tw1 | A66F35-4164-45FF-9CB4-69ACAA10E52D | ssl.lcrest.com | -\r\nStolen code-signing certificate\r\nPipeMon modules and installers are all signed with the same valid code-signing certificate that was likely stolen during a\r\nprevious campaign of the Winnti Group. The certificate's owner revoked it as soon as they were notified of the issue.\r\nFigure 6. Code-signing certificate used to sign PipeMon first stage and modules before (top) and after (bottom) revocation.\r\nWe found on a sample sharing platform other tools signed with this certificate, such as HTRan, a connection bouncer, the\r\nWinEggDrop port scanner, Netcat, and Mimikatz, which may have been used by the attackers as well.\r\nFurthermore, a custom AceHash build signed with a Wemade IO stolen certificate already mentioned in our previous white\r\npaper and usually used by the Winnti Group was found on some machines compromised with PipeMon.\r\nConclusion\r\nOnce again, the Winnti Group has targeted video game developers in Asia with a new modular backdoor signed with a code-signing certificate likely stolen during a previous campaign and sharing some similarities with the PortReuse backdoor. This\r\nnew implant shows that the Winnti Group is still actively developing new tools using multiple open source projects; they\r\ndon't rely solely on their flagship backdoors, ShadowPad and the Winnti malware.\r\nWe will continue to monitor new activities of the Winnti Group and will publish relevant information on our blog. For any\r\ninquiries, contact us at threatintel@eset.com. 
The IoCs are also available at our GitHub repository.\r\nIndicators of Compromise\r\nESET detection names\r\nWin64/PipeMon.A\r\nWin64/PipeMon.B\r\nWin64/PipeMon.C\r\nWin64/PipeMon.D\r\nWin64/PipeMon.E\r\nFilenames\r\n100.exe\r\n103.exe\r\nSlack.exe\r\nsetup.exe\r\n%SYSTEM32%\\spool\\prtprocs\\x64\\DEment.dll\r\n%SYSTEM32%\\spool\\prtprocs\\x64\\EntAppsvc.dll\r\n%SYSTEM32%\\spool\\prtprocs\\x64\\Interactive.dll\r\n%SYSTEM32%\\spool\\prtprocs\\x64\\banner.bmp\r\n%SYSTEM32%\\spool\\prtprocs\\x64\\certificate.cert\r\n%SYSTEM32%\\spool\\prtprocs\\x64\\License.hwp\r\n%SYSTEM32%\\spool\\prtprocs\\x64\\D8JNCKS0DJE\r\n%SYSTEM32%\\spool\\prtprocs\\x64\\B0SDFUWEkNCj.log\r\n%SYSTEM32%\\spool\\prtprocs\\x64\\K9ds0fhNCisdjf\r\n%SYSTEM32%\\spool\\prtprocs\\x64\\JSONDIU7c9djE\r\n%SYSTEM32%\\spool\\prtprocs\\x64\\NTFSSSE.log\r\nAceHash64.exe\r\nmz64x.exe\r\nNamed pipes\r\n\\\\.\\pipe\\ScreenPipeRead%CNC_DEFINED%\r\n\\\\.\\pipe\\ScreenPipeWrite%CNC_DEFINED%\r\n\\\\.\\pipe\\RoutePipeWriite%B64_TIMESTAMP%\r\n\\\\.\\pipe\\MainPipeWrite%B64_TIMESTAMP%\r\n\\\\.\\pipe\\MainPipeRead%B64_TIMESTAMP%\r\n\\\\.\\pipe\\MainHeatPipeRead%B64_TIMESTAMP%\r\n\\\\.\\pipe\\InCmdPipeWrite%B64_TIMESTAMP%\r\n\\\\.\\pipe\\InCmdPipeRead%B64_TIMESTAMP%\r\n\\\\.\\pipe\\FilePipeRead%B64_TIMESTAMP%\r\n\\\\.\\pipe\\FilePipeWrite%B64_TIMESTAMP%\r\n\\\\.\\pipe\\ComHeatPipeRead%B64_TIMESTAMP%\r\n\\\\.\\pipe\\CMDPipeRead\r\n\\\\.\\pipe\\CMDPipeWrite\r\nRegistry\r\nHKLM\\SYSTEM\\ControlSet001\\Control\\Print\\Environments\\Windows x64\\Print Processors\\PrintFiiterPipelineSvc\\Driver = “DEment.dll”\r\nHKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Environments\\Windows x64\\Print Processors\\lltdsvc1\\Driver = “EntAppsvc.dll”\r\nHKLM\\SOFTWARE\\Microsoft\\Print\\Components\\DC20FD7E-4B1B-4B88-8172-61F0BED7D9E8\r\nHKLM\\SOFTWARE\\Microsoft\\Print\\Components\\A66F35-4164-45FF-9CB4-69ACAA10E52D\r\nSamples\r\nFirst stage\r\n4B90E2E2D1DEA7889DC15059E11E11353FA621A6\r\nC7A9DCD4F9B2F26F50E8DD7F96352AEC7C4123FE\r\n3508EB2857E279E0165DE5AD7BBF811422959158\r\n729D526E75462AA8D33A1493B5A77CB28DD654BC\r\n5663AF9295F171FDD41A6D819094A5196920AA4B\r\nPipeMon\r\n23789B2C9F831E385B22942DBC22F085D62B48C7\r\n53C5AE2655808365F1030E1E06982A7A6141E47F\r\nE422CC1D7B2958A59F44EE6D1B4E10B524893E9D\r\n5BB96743FEB1C3375A6E2660B8397C68BEF4AAC2\r\n78F4ACD69DC8F9477CAB9C732C91A92374ADCACD\r\nB56D8F826FA8E073E6AD1B99B433EAF7501F129E\r\n534CD47EB38FEE7093D24BAC66C2CF8DF24C7D03\r\nPipeMon encrypted binaries\r\n168101B9B3B512583B3CE6531CFCE6E5FB581409\r\nC887B35EA883F8622F7C48EC9D0427AFE833BF46\r\n44D0A2A43ECC8619DE8DB99C1465DB4E3C8FF995\r\nE17972F1A3C667EEBB155A228278AA3B5F89F560\r\nC03BE8BB8D03BE24A6C5CF2ED14EDFCEFA8E8429\r\n2B0481C61F367A99987B7EC0ADE4B6995425151C\r\nAdditional tools\r\nWinEggDrop\r\nAF9C220D177B0B54A790C6CC135824E7C829B681\r\nMimikatz\r\n4A240EDEF042AE3CE47E8E42C2395DB43190909D\r\nNetcat\r\n751A9CBFFEC28B22105CDCAF073A371DE255F176\r\nHTran\r\n48230228B69D764F71A7BF8C08C85436B503109E\r\nAceHash\r\nD24BBB898A4A301870CAB85F836090B0FC968163\r\nCode-signing certificate SHA-1 thumbprints\r\n745EAC99E03232763F98FB6099F575DFC7BDFAA3\r\n2830DE648BF0A521320036B96CE0D82BEF05994C\r\nC\u0026C domains\r\nn8.ahnlabinc[.]com\r\nowa.ahnlabinc[.]com\r\nssl2.ahnlabinc[.]com\r\nwww2.dyn.tracker[.]com\r\nssl2.dyn-tracker[.]com\r\nclient.gnisoft[.]com\r\nnmn.nhndesk[.]com\r\nssl.lcrest[.]com\r\nC\u0026C IP addresses\r\n154.223.215[.]116\r\n203.86.239[.]113\r\nMITRE ATT\u0026CK techniques\r\nTactic | ID | Name | Description\r\nPersistence | T1013 | Port Monitor | PipeMon uses a persistence technique similar to Port Monitor based on Print Processors.\r\nPrivilege Escalation | T1134 | Access Token Manipulation | The PipeMon installer tries to gain administrative privileges using token impersonation.\r\nPrivilege Escalation | T1088 | Bypass User Account Control | The PipeMon installer uses UAC bypass techniques to install the payload.\r\nPrivilege Escalation | T1502 | Parent PID Spoofing | The PipeMon installer uses parent PID spoofing to elevate privileges.\r\nDefense Evasion | T1116 | Code Signing | PipeMon, its installer and additional tools are signed with stolen code-signing certificates.\r\nDefense Evasion | T1027 | Obfuscate Files or Information | PipeMon modules are stored encrypted on disk.\r\nDefense Evasion | T1112 | Modify Registry | The PipeMon installer modifies the registry to install PipeMon as a Print Processor.\r\nDefense Evasion | T1055 | Process Injection | PipeMon injects its modules into various processes using reflective loading.\r\nDiscovery | T1057 | Process Discovery | PipeMon iterates over the running processes to find a suitable injection target.\r\nDiscovery | T1063 | Security Software Discovery | PipeMon checks for the presence of ESET and Kaspersky software.\r\nCollection | T1113 | Screen Capture | One of the PipeMon modules is likely a screenshotter.\r\nCommand and Control | T1043 | Commonly Used Ports | PipeMon communicates through port 443.\r\nCommand and Control | T1095 | Custom Command and Control Protocol | PipeMon communication module uses a custom protocol based on TLS over TCP.\r\nCommand and Control | T1032 | Standard Cryptographic Protocol | PipeMon communication is RC4 encrypted.\r\nCommand and Control | T1008 | Fallback Channels | The updated PipeMon version uses a fallback channel once a particular date is reached.\r\nSource: https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"
	],
	"report_names": [
		"no-game-over-winnti-group"
	],
	"threat_actors": [
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "81dde5cc-c29f-430d-8c6e-e5e92d5015e7",
			"created_at": "2022-10-25T16:07:23.704358Z",
			"updated_at": "2026-04-10T02:00:04.718034Z",
			"deleted_at": null,
			"main_name": "Harvester",
			"aliases": [],
			"source_name": "ETDA:Harvester",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Graphon",
				"Metasploit",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434952,
	"ts_updated_at": 1775791940,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b7b6535cee4727e614a9216490109cae65482984.pdf",
		"text": "https://archive.orkl.eu/b7b6535cee4727e614a9216490109cae65482984.txt",
		"img": "https://archive.orkl.eu/b7b6535cee4727e614a9216490109cae65482984.jpg"
	}
}