{
	"id": "9c7871bd-6b2f-48f0-ba6e-64b4f6df44c1",
	"created_at": "2026-04-29T08:22:20.349294Z",
	"updated_at": "2026-04-29T10:41:19.516464Z",
	"deleted_at": null,
	"sha1_hash": "b92945bebb3bf87939b0993b388f1eefa61a19f2",
	"title": "GitHub - TKCERT/winnti-suricata-lua: Suricata rules to detect Winnti communication",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 80153,
	"plain_text": "GitHub - TKCERT/winnti-suricata-lua: Suricata rules to detect Winnti communication\r\nBy sterue\r\nArchived: 2026-04-29 07:43:37 UTC\r\nhttps://github.com/TKCERT/winnti-suricata-lua\r\nFiles: LICENSE, README.md, winnti.lua, winnti.rules (all from the initial commit 0e20112, Mar 5, 2018; 2 commits in history)\r\nREADME\r\nGPL-3.0 license\r\nSuricata rules to detect Winnti communication\r\nThis ruleset enables Suricata to detect the handshake of certain Winnti variants as seen in the wild in 2016/2017.\r\nWinnti\r\nWinnti is a malware family that is used by some APT groups. It has been used since at least 2013 and has evolved over time. You can find some information here:\r\nhttps://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-than-just-a-game-130410.pdf\r\nhttps://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf\r\nhttps://hitcon.org/2016/pacific/0composition/pdf/1201/1201%20R2%201610%20winnti%20polymorphism.pdf\r\nHandshake\r\nThe driver component of Winnti (aka \"NdisReroute\") is able to reroute network traffic from ports that are already occupied by legitimate applications to the malware's userspace component.\r\nThe first packet of a TCP stream signals the driver that the stream shall be rerouted. I call such a packet a \"Winnti HELO\". It is exactly 16 bytes long and the bytes match the following relation:\r\nWinnti handshake example:\r\n    dw0          dw1          dw2             dw3\r\n5B 44 B4 91  xx xx xx xx  31 18 30 59  [84 C8] {6A 5C}\r\n5B 44 B4 91 == 31 18 30 59 ^ {6A 5C} [84 C8]\r\ndw0: calculated from dw2 and dw3 (dw2 XOR dw3 with its two 16-bit halves swapped, as the relation above shows)\r\ndw1: random but not zero. Only seen timestamps in here, but any value works.\r\ndw2: random but not zero\r\ndw3: random but not zero\r\nInstallation\r\nCopy the rules and Lua files to your Suricata rules directory:\r\ncp winnti.lua /etc/suricata/rules/\r\ncp winnti.rules /etc/suricata/rules/\r\nActivate the rules by adding them to suricata.yaml:\r\n[...]\r\nrule-files:\r\n - winnti.rules\r\n[...]\r\nSource: https://github.com/TKCERT/winnti-suricata-lua",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/TKCERT/winnti-suricata-lua"
	],
	"report_names": [
		"winnti-suricata-lua"
	],
	"threat_actors": [
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-29T10:39:53.237815Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"G0044",
				"HOODOO",
				"BARIUM",
				"WICKED SPIDER",
				"Winnti",
				"BRONZE ATLAS",
				"BRONZE EXPORT",
				"Red Kelpie",
				"Earth Baku",
				"Brass Typhoon",
				"Double Dragon",
				"TG-2633",
				"Leopard Typhoon",
				"TA415",
				"Grayfly",
				"WICKED PANDA",
				"G0096"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-29T10:39:54.797708Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1777450940,
	"ts_updated_at": 1777459279,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b92945bebb3bf87939b0993b388f1eefa61a19f2.pdf",
		"text": "https://archive.orkl.eu/b92945bebb3bf87939b0993b388f1eefa61a19f2.txt",
		"img": "https://archive.orkl.eu/b92945bebb3bf87939b0993b388f1eefa61a19f2.jpg"
	}
}