{
	"id": "39f67005-fd3f-4fc2-9818-92168eb46397",
	"created_at": "2026-04-06T00:21:55.259292Z",
	"updated_at": "2026-04-10T03:32:20.846201Z",
	"deleted_at": null,
	"sha1_hash": "ce2b6977cb07fd6b4576b43b2639aa7fb877b40b",
	"title": "Monitoring Winnti 4.0 C2 Servers for Two Years",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 34612,
	"plain_text": "Monitoring Winnti 4.0 C2 Servers for Two Years\r\nBy Takahiro Haruyama\r\nPublished: 2021-11-15 · Archived: 2026-04-05 13:49:00 UTC\r\nThe VMware Threat Analysis Unit (TAU) continually monitors the latest threats and attacks affecting our customers and businesses worldwide. For years, TAU has reversed and emulated the network Command and Control (C2) protocols of high-profile malware families, especially those used for cyber espionage, in order to discover active C2 servers on the Internet. One family that TAU has tracked for years is the Winnti 4.0 malware. TAU reported last year that nine C2 servers were found.\r\nWinnti is a prominent malware family that has been used by multiple Chinese threat actors, such as APT41, for many years. The malware is a modularized Remote Access Trojan (RAT) supporting multiple C2 protocols.\r\nContinuing its research, TAU has discovered additional Winnti 4.0 C2 servers actively used over the last two years. Contrary to our expectation, the threat actor didn’t stop using the malware after our blog post. Instead, they have continued to deploy new servers using the same methodology and infrastructure. While the presence of this threat actor has increased steadily, there has been minimal reporting on it. The number of active servers continues to rise, and even old servers disclosed earlier by TAU are still active as of the time of this writing. In order to alert the cyber-security community to this threat, TAU decided to release the latest C2 IOCs.\r\nThe IOCs are located on our corporate GitHub page. There are 43 servers (34 unique IPs) in total. Please note that each log entry contains a first_seen and a last_seen date. TAU routinely scans these servers and notes approximately when they were first seen and when we last saw them acting as a server. As these are typically hosted servers, there are cases where the server may have been reappropriated for legitimate use. It is advisable to verify any positive results in your environment to prevent false positives.\r\nVMware Carbon Black EDR customers can utilize this intelligence by enabling the Known IOC Watchlist, under the Active C2 report.\r\nSource: https://blogs.vmware.com/security/2021/11/monitoring-winnti-4-0-c2-servers-for-two-years.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.vmware.com/security/2021/11/monitoring-winnti-4-0-c2-servers-for-two-years.html"
	],
	"report_names": [
		"monitoring-winnti-4-0-c2-servers-for-two-years.html"
	],
	"threat_actors": [
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434915,
	"ts_updated_at": 1775791940,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ce2b6977cb07fd6b4576b43b2639aa7fb877b40b.pdf",
		"text": "https://archive.orkl.eu/ce2b6977cb07fd6b4576b43b2639aa7fb877b40b.txt",
		"img": "https://archive.orkl.eu/ce2b6977cb07fd6b4576b43b2639aa7fb877b40b.jpg"
	}
}