{
	"id": "ec1c9eef-af53-4c02-930c-b55427f60e17",
	"created_at": "2026-04-06T00:17:51.615741Z",
	"updated_at": "2026-04-10T03:32:20.536836Z",
	"deleted_at": null,
	"sha1_hash": "c1bbb0e0fcba0dae95e3c1ef62e37c5c25299725",
	"title": "Examining a Possible Member of the Winnti Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 72027,
	"plain_text": "Examining a Possible Member of the Winnti Group\r\nBy By: Trend Micro Apr 19, 2017 Read time: 5 min (1436 words)\r\nPublished: 2017-04-19 · Archived: 2026-04-02 12:04:21 UTC\r\nUpdated on April 26, 2017, 01:39 PM (UTC-7) to add the accurate IP address.\r\nIn one of our previous blog entries, we covered how the threat actor known as Winnti was using GitHub to spread\r\nmalware – a development that shows how the group is starting to evolve and use new attack methods beyond their\r\nprevious tactics involving targeted attacks against gaming, pharmaceutical, and telecommunications companies.\r\nThrough this entry, in which we take a closer look at an individual who we believe might be connected to the\r\nWinnti group, we hope to give both ordinary users and organizations better insights into some of the tools –\r\nnotably the server infrastructures- these kinds of threat actors use, as well as the scale in which they operate.\r\nSearching Domain Registrations for Clues\r\nThreat actors typically register and use several domains in order to discretely lead their malware to their\r\nCommand and Control (C\u0026C) servers. Registering a domain name always requires some form of identifying\r\ninformation: a physical or mailing address, an email address, and a phone number. Of these, a valid email address\r\nholds the greatest importance because it is where the registrar sends the confirmation of a domain purchase to the\r\nnew owner in addition to the information needed to control the domain.\r\nMost fraudsters create one-time email addresses or use stolen email addresses, both of which are easy to create or\r\nobtain. However, over time, it becomes tedious for fraudsters to constantly change information when registering\r\nnew domains. 
This is the point where they are likely to make mistakes and start reusing e-mail addresses.\r\nA careful analysis of the domain registrations from this threat actor between 2014 and 2015 allowed us to identify\r\none profile used to register several domains that were used as C\u0026C servers for a particular malware family\r\nemployed by the Winnti group. In particular, we managed to gather details on an individual using the handle\r\nHack520, who we believe is connected to Winnti.\r\nWho is the Winnti group?\r\nThe group behind the Winnti malware (which we will call the Winnti group for brevity) sprang up as a band of\r\ntraditional cyber crooks, comprising black hats whose technical skills were employed to perpetrate financial fraud.\r\nBased on the domain names they registered, the group started out in the business of fake/rogue anti-virus\r\nproducts in 2007. In 2009, the Winnti group shifted to targeting gaming companies in South\r\nKorea using a self-named data- and file-stealing malware.\r\nThe group, which was primarily motivated by profit, is noted for utilizing self-developed, technically proficient\r\ntools for their attacks. They once attacked a game server to illicitly farm in-game currency\r\n(“gaming gold”, which also has real-world value) and stole the source code of online game projects. The group also\r\nengaged in the theft of digital certificates, which they then used to sign their malware to make it stealthier.\r\nhttp://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/\r\nPage 1 of 4\n\nThe Winnti group diversified its targets to include enterprises such as those in pharmaceutics and\r\ntelecommunications. 
The group has since earned infamy for being involved in malicious activities associated with\r\ntargeted attacks, such as deploying spear-phishing campaigns and building a\r\nbackdoor.\r\nDuring the course of researching the Winnti group, we came across previously unreported malware samples that\r\nwe attributed to the group based on the malware arsenal and the use of registered domains as attack infrastructure.\r\nThese samples led us to the discovery of additional C\u0026C servers that provided us with more information than we\r\ninitially expected.\r\nA closer look at Hack520\r\nOur initial investigation of the domains registered by Hack520 revealed that similar domains (listed below) were\r\nregistered by another profile.\r\nhack520[.]co[.]kr\r\nshaiya[.]kr\r\nzhu[.]kr\r\nshenqi[.]kr\r\nzhuxian[.]kr\r\nSeveral of these domains are linked to variants of malware that were used by the Winnti threat actor. Surprisingly\r\nenough, it does not take very long to get some information about Hack520: someone with this handle runs a blog\r\nand a Twitter account (with a handle close to Hack520) that is also directly linked to the blog.\r\nFigure 1: Twitter account of Hack520\r\nOne interesting detail about Hack520 is his apparent love for pigs, as seen in his use of the word in his email\r\naddresses. He also mentions his occupation as a “pig farmer” in online message boards. In addition, Hack520’s\r\ntweets always show photos of the same animal, which is likely his pet pig.\r\nThe Twitter handle used by Hack520 also contains an “est” portion. 
This “est” reference could refer to a hacking\r\ngroup with its own message board on which Hack520 also posts regularly.\r\nIn one particular post on his blog, dated May 31, 2009, Hack520 mentions that he was previously jailed for a period\r\nof 10 months.\r\nFigure 2: Post from Hack520’s blog\r\nA rough translation of this message is as follows:\r\n“Fxxk, when I am released, the server is offline, I can’t find the machine, the domain is expired, it is so\r\nbad. I wasted 10 months, I have failed and lost my money.”\r\nHack520 seems to be very interested in hosting services, and his profile fits that of a system administrator\r\nwith some programming and hacking skills.\r\nAfter further research, we were able to link Hack520 to different network administration activities, notably with a\r\nVirtual Private Server (VPS) hosting service. The way Hack520 signs his messages in one hacker forum provides\r\na clue pointing to this connection. While one of his signatures uses his own blog domain, there is also a second\r\nsignature which uses 93[.]gd, a domain that was found to have been actively selling VPS services in the past. The\r\nemail address admin@93[.]gd is linked to IP addresses owned by a certain user with the nickname “PIG GOD”—\r\nanother reference to Hack520’s passion for pigs.\r\nAmong the IP addresses owned by Hack520 is a whole /22 IP range, which we dubbed the “PIG RANGE”. 
The\r\nIP range for “PIG GOD” is 43[.]255[.]188[.]0/22, which appears to be hosted in Hong Kong, as seen in the\r\ninformation we found:\r\ninetnum: 43[.]255[.]188[.]0 - 43[.]255[.]191[.]255\r\nnetname: PIG-HK\r\ndescription: PIG GOD\r\ncountry: HK\r\nadmin-c: PG406-AP\r\ntech-c: PG406-AP\r\nperson: pig god\r\ncountry: HK\r\nphone: +852-39437000\r\ne-mail: admin@66[.]to\r\nnic-hdl: PG406-AP\r\nmnt-by: MAINT-RAIBOW-HK\r\nchanged: admin@66[.]to 20160917\r\nsource: APNIC\r\nThe domain 66[.]to leads to another website that shows Hack520’s pet pig. It also reveals direct links to\r\nsecure[.]66[.]to and zhu[.]vn, both of which also belong to Hack520; the latter hosts his personal blog.\r\nFigure 3: Hack520’s pet pig\r\nWe were able to find additional links between Hack520’s “Pig network” and the Winnti group’s activities. This\r\nincludes hosting C\u0026C domains that were used by Winnti such as mtrue[.]com, shenqi[.]kr and zhu[.]kr. We also\r\nfound a live service selling VPS hosting at secure[.]66[.]to. The hosting services offered at secure[.]66[.]to are in\r\nfact rented out to other companies worldwide. The contents found at secure[.]66[.]to often lead to\r\nzhu[.]vn, which is Hack520’s domain for hosting his own private blog.\r\nFigure 4: Screenshot of secure[.]66[.]to\r\nWe found roughly 500 domain names that lead or have led to the “Pig network” between 2015 and March 2017.\r\nMost of these domains seem to have contained illegitimate content like pornography and online gambling. We\r\nhighly suspect the “Pig network” to have also been used as a bulletproof hosting service for cybercriminals who\r\nare unrelated to the Winnti group. 
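The two pivots used in this post (grouping domains by a registrant e-mail that is reused across registrations, then checking which of the related domains resolve into the PIG RANGE described by the APNIC inetnum record) can be scripted. The Python below is an added example written for this archive page, not code from Trend Micro or from the original post. The registration rows, e-mail addresses and resolved IPs in it are constructed placeholders; the only value taken from the post is the 43.255.188.0/22 range transcribed from the inetnum record above with the defanging removed. In practice the rows would come from historical WHOIS and passive DNS data.

```python
import ipaddress
from collections import defaultdict

# Added example, not code from the original article. It reproduces the two
# pivots the post walks through: grouping domains by a reused registrant
# e-mail, and checking resolved IPs against an APNIC inetnum range.
# Registration rows, e-mail addresses and resolved IPs are constructed
# placeholders, not data from the report.

SAMPLE_REGISTRATIONS = [
    # (domain, registrant e-mail, registration year)  -- constructed
    ('hack520.co.kr', 'pig-farmer@example.invalid', 2014),
    ('shaiya.kr',     'pig-farmer@example.invalid', 2014),
    ('zhu.kr',        'pig-farmer@example.invalid', 2015),
    ('shenqi.kr',     'pig-farmer@example.invalid', 2015),
    ('zhuxian.kr',    'pig-farmer@example.invalid', 2015),
    ('shop.example',  'owner@example.invalid',      2015),
    ('tmp-1.example', 'burner-1@example.invalid',   2014),
    ('tmp-2.example', 'burner-2@example.invalid',   2014),
]

# APNIC-style object, transcribed from the post with the [.] defanging removed.
PIG_RANGE_RECORD = '''
inetnum: 43.255.188.0 - 43.255.191.255
netname: PIG-HK
description: PIG GOD
country: HK
admin-c: PG406-AP
tech-c: PG406-AP
mnt-by: MAINT-RAIBOW-HK
source: APNIC
'''

# Constructed resolutions (domain -> IPv4 address); not observed data.
SAMPLE_RESOLUTIONS = {
    'zhu.kr':        '43.255.189.10',
    'shenqi.kr':     '43.255.190.77',
    'shaiya.kr':     '203.0.113.5',
    'shop.example':  '198.51.100.20',
    'zhuxian.kr':    '43.255.192.1',   # one address past the end of the /22
}


def pivot_by_registrant(records, min_domains=2):
    '''Group domains by registrant e-mail and keep only addresses reused across
    at least min_domains registrations, so one-off burner addresses drop out.'''
    clusters = defaultdict(set)
    for domain, email, _year in records:
        clusters[email.strip().lower()].add(domain.lower())
    return {email: sorted(domains)
            for email, domains in clusters.items()
            if len(domains) >= min_domains}


def parse_rpsl(text):
    '''Parse a key: value RPSL object (the format whois -h whois.apnic.net
    returns) into a dict of lists; attributes such as country may repeat.'''
    obj = defaultdict(list)
    for line in text.splitlines():
        if ':' not in line or line.startswith('%'):
            continue  # blank lines and server comments
        key, _, value = line.partition(':')
        obj[key.strip()].append(value.strip())
    return dict(obj)


def inetnum_networks(rpsl_obj):
    '''Turn the inetnum start - end range into the CIDR blocks that cover it.'''
    first, last = [ipaddress.ip_address(p.strip())
                   for p in rpsl_obj['inetnum'][0].split('-')]
    return list(ipaddress.summarize_address_range(first, last))


def domains_in_range(resolutions, networks):
    '''Return the domains whose resolved address falls inside any of networks.'''
    hits = []
    for domain, ip in resolutions.items():
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in networks):
            hits.append(domain)
    return sorted(hits)


if __name__ == '__main__':
    for email, domains in pivot_by_registrant(SAMPLE_REGISTRATIONS).items():
        print(email, '->', ', '.join(domains))
    nets = inetnum_networks(parse_rpsl(PIG_RANGE_RECORD))
    print('PIG range as CIDR:', [str(n) for n in nets])
    print('domains resolving into it:', domains_in_range(SAMPLE_RESOLUTIONS, nets))
```

Run with python3: it prints the one reused registrant address with its domains, the /22 derived from the start - end range, and the constructed domains whose addresses fall inside it (the one resolving to 43.255.192.1 is correctly excluded, since the range ends at 43.255.191.255). The min_domains threshold is what discards the one-off burner addresses the post says are the common case; the signal is the address that recurs.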
From what we’ve seen in Hack520’s blog, as well as the infrastructure deployed\r\naround it, it is quite safe to say that Hack520 is involved in aspects of the VPS service activity provided to groups\r\nlike Winnti and other cybercriminals or threat actors.\r\nWhat we’ve learned\r\nThreat actors like the Winnti group rarely ever stay static in terms of both tools and tactics. As we’ve already\r\ndiscussed in our 2017 predictions, these groups will constantly evolve and employ unique\r\nand advanced attack techniques. In addition, individuals like Hack520 prove that these threat actors are composed\r\nof varied individuals who have their own set of expertise. All of these things indicate that threat actors and groups like\r\nWinnti will continue to try different methods of attack.\r\nThreat actors are always looking to expand the strategies they use, so security practices and solutions that work\r\nfor less organized cybercriminals might not work for determined groups who are willing to spend time, resources\r\nand manpower to accomplish their goals. As such, there is a need for everyone to be proactive when it comes to\r\nsecurity, especially for organizations who are frequently the victims of targeted attacks. By creating awareness and\r\nusing the right solutions, both individuals and organizations can take the steps needed to defend against the\r\nmalicious tactics used by threat actors like the Winnti group.\r\nSource: http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/"
	],
	"report_names": [
		"pigs-malware-examining-possible-member-winnti-group"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434671,
	"ts_updated_at": 1775791940,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c1bbb0e0fcba0dae95e3c1ef62e37c5c25299725.pdf",
		"text": "https://archive.orkl.eu/c1bbb0e0fcba0dae95e3c1ef62e37c5c25299725.txt",
		"img": "https://archive.orkl.eu/c1bbb0e0fcba0dae95e3c1ef62e37c5c25299725.jpg"
	}
}