{
	"id": "6fad380e-106a-49fb-bf2e-273c2325151b",
	"created_at": "2026-04-06T00:13:38.752211Z",
	"updated_at": "2026-04-10T03:32:20.959216Z",
	"deleted_at": null,
	"sha1_hash": "f8cde83b5843b44bfef6721c5af0bc3ed9ebab70",
	"title": "Winnti Abuses GitHub for C\u0026C Communications",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 78201,
	"plain_text": "Winnti Abuses GitHub for C\u0026C Communications\r\nBy: Trend Micro Mar 22, 2017 Read time: 5 min (1226 words)\r\nPublished: 2017-03-22 · Archived: 2026-04-05 12:45:41 UTC\r\nWith additional analysis from Cyber Safety Solutions Team\r\nDevelopers constantly need to modify and rework their source code when releasing new versions of applications\r\nor coding projects they create and maintain. This is what makes GitHub—an online repository hosting service that\r\nprovides version control management—popular. In many ways, it’s like a social networking site for programmers\r\nand developers, one that provides a valuable platform for code management, sharing, collaboration, and\r\nintegration.\r\nGitHub is no stranger to misuse, however. Open-source ransomware projects EDA2 and Hidden Tear—supposedly\r\ncreated for educational purposes—were hosted on GitHub, and have since spawned various offshoots that have\r\nbeen found targeting enterprises. Tools that exploited vulnerabilities in Internet of Things (IoT) devices\r\nwere also made available on GitHub. 
Even the Limitless Keylogger, which was used in\r\ntargeted attacks, was linked to a GitHub project.\r\nRecently, the Winnti group, a threat actor with a history of traditional cybercrime, particularly financial fraud,\r\nhas been seen abusing GitHub by turning it into a conduit for the command and control (C\u0026C) communications of\r\ntheir seemingly new backdoor (detected by Trend Micro as BKDR64_WINNTI.ONM).\r\nOur research also showed that the group still uses some of the infamous PlugX malware variants—a staple in\r\nWinnti’s arsenal—to handle targeted attack operations via the GitHub account we identified.\r\nMalware Analysis\r\nThe malware we analyzed is split into two files: a loader and the payload.\r\nThe loader, named loadperf.dll, is a modified version of its legitimate, similarly named counterpart—a Microsoft\r\nfile which helps manipulate the performance registry. An extra section has been added to it. It copies\r\nitself to %WINDIR%\\system32\\wbem\\ and replaces the original DLL. It leverages the WMI performance adapter\r\nservice (wmiAPSrv), a legitimate Windows service that collects information related to system performance, to\r\nimport the loader via services.exe. The system also imports all related DLL files, including the payload\r\n“loadoerf.ini”. 
The infection chain includes an additional (albeit empty) function imported from loadoerf.ini,\r\ngzwrite64, which works as a fake Application Programming Interface (API) that serves as the payload’s entry point.\r\nAlthough gzwrite64 is imported by loadperf.dll, the payload’s main function is actually located in the DllMain of\r\n“loadoerf.ini”.\r\nFigure 1: Extra section .idata added to the original loadperf.dll\r\nFigure 2: Extra imported function gzwrite64\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/\r\nPage 1 of 4\n\nThe payload is a file named loadoerf.ini that contains decryption, run, and code injection functions. When it is\r\nloaded by the system, DllMain decrypts the payload via CryptUnprotectData (DPAPI). Since that function is bound\r\nto the actual “machine ID”, decryption on any machine other than the original infected host is not viable,\r\nwhich makes malware analysis more difficult.\r\nFigure 3: Part of the decryption function used in the payload\r\nAfter decryption, part of the code runs on the machine and is then injected into svchost.exe (a key Windows\r\ncomponent); the payload is then loaded into memory.\r\nFigure 4: Execution/infection flow of loadoerf.ini\r\nHow is GitHub abused? Upon successful infection, the malware starts communicating with an HTML page from a\r\nrepository stored in a GitHub project.\r\nFigure 5: GitHub account hosting an HTML page used for C\u0026C communication\r\nAny malware threat analyst will immediately recognize Line 3 in the image above as a potential PlugX-encrypted\r\nline. The beginning and end markers, DZKS and DZJS, are typical in PlugX. A closer look,\r\nhowever, shows that the decryption algorithm is different from PlugX. 
In this case, decrypting them reveals\r\nreferences to its actual command and control (C\u0026C) server: an IP address and a port number the malware will\r\nconnect to.\r\nWinnti currently uses different encryption algorithms to store those C\u0026C references in the files stored on\r\nGitHub. Among them is an algorithm utilized by PlugX. In fact, we found references to PlugX in the C\u0026C strings\r\nwe analyzed, indicating that the group may also be using the same backdoor in this particular campaign. Although\r\nwe were unable to find a PlugX sample through that particular GitHub account, we surmise some PlugX variants in the\r\nwild use this GitHub repository to get their C\u0026C information.\r\nNearly all the other algorithms used in this GitHub campaign are derived from the original PlugX algorithm:\r\nPlugX style + shift string + Base64\r\nPlugX style + shift string + Base64 + XOR\r\nPlugX style + Base64 + XOR\r\nAnother algorithm is built from mark strings + shift string + Base64 encoding.\r\nFollowing Winnti's Trails\r\nThe GitHub account used by the threat actor was created in May 2016. It created one legitimate project/repository\r\n(mobile-phone-project) in June 2016, derived from another generic GitHub page.\r\nThe repository for Winnti’s C\u0026C communications was created in August 2016. We surmise that the GitHub\r\naccount was not compromised, and was instead created by Winnti. By March 2017, the repository already contained 14\r\ndifferent HTML pages created at various times.\r\nTimeline of the Campaign\r\nWe mapped Winnti’s activities for this campaign by analyzing the dates exposed in GitHub. 
For each file, GitHub\r\nstores first and last commit timestamps; these enabled us to create a timeline of the first use of the group’s many\r\nC\u0026C servers.\r\nWe monitored the period during which IP addresses were found connecting to Winnti’s C\u0026C servers and found\r\nthat they started their operations in the afternoon and continued up to late evening. The timetable resembles traditional working\r\nhours for cybercriminals, compared to those with less structure who prefer starting their days late, but also\r\nworking until very late hours. In fact, we only observed one instance of activity during the weekend, where a new\r\nHTML file was created.\r\nThe earliest activity we tracked on the GitHub account was from August 17, 2016, with the most recent on March\r\n12, 2017.\r\nHere is a timeline of when the C\u0026C servers’ IP addresses were first used, based on our monitoring:\r\nFigure 6: Timeline of the C\u0026C servers’ IP addresses\r\nC\u0026C Servers\r\nThe GitHub account used by Winnti shows 12 different IP addresses, with various port numbers used for them. All\r\ncommunication to these C\u0026C servers is done on three different port numbers: 53 (DNS), 80 (HTTP), and 443\r\n(HTTPS). These are typical techniques PlugX and Winnti malware variants use to communicate between\r\ncompromised machines and their C\u0026C servers. 
Nearly all the C\u0026C servers are hosted in the U.S., while two are\r\nlocated in Japan.\r\nC\u0026C Server's IP Address / Port Number\r\n160[.]16[.]243[.]129 443 (HTTPS)\r\n160[.]16[.]243[.]129 53 (DNS)\r\n160[.]16[.]243[.]129 80 (HTTP)\r\n174[.]139[.]203[.]18 443 (HTTPS)\r\n174[.]139[.]203[.]18 53 (DNS)\r\n174[.]139[.]203[.]20 53 (DNS)\r\n174[.]139[.]203[.]22 443 (HTTPS)\r\n174[.]139[.]203[.]22 53 (DNS)\r\n174[.]139[.]203[.]27 53 (DNS)\r\n174[.]139[.]203[.]34 53 (DNS)\r\n174[.]139[.]62[.]58 80 (HTTP)\r\n174[.]139[.]62[.]60 443 (HTTPS)\r\n174[.]139[.]62[.]60 53 (DNS)\r\n174[.]139[.]62[.]60 80 (HTTP)\r\n174[.]139[.]62[.]61 443 (HTTPS)\r\n61[.]195[.]98[.]245 443 (HTTPS)\r\n61[.]195[.]98[.]245 53 (DNS)\r\n61[.]195[.]98[.]245 80 (HTTP)\r\n67[.]198[.]161[.]250 443 (HTTPS)\r\n67[.]198[.]161[.]250 53 (DNS)\r\n67[.]198[.]161[.]251 443 (HTTPS)\r\n67[.]198[.]161[.]252 443 (HTTPS)\r\nFigure 6: IP addresses used for C\u0026C communication, and the port numbers they use\r\nWe privately disclosed our findings to GitHub prior to this publication and are proactively working with\r\nthem on this threat.\r\nConclusion\r\nAbusing popular platforms like GitHub enables threat actors like Winnti to maintain network persistence between\r\ncompromised computers and their servers, while staying under the radar. 
Although Winnti may still be employing\r\ntraditional malware, its use of a relatively unique tactic to stay ahead of the threat landscape’s curve reflects the\r\nincreased sophistication that threat actors are projected to employ.\r\nRelated Hashes (SHA256) detected as BKDR64_WINNTI.ONM:\r\n06b077e31a6f339c4f3b1f61ba9a6a6ba827afe52ed5bed6a6bf56bf18a279ba — cryptbase.dll\r\n1e63a7186886deea6c4e5c2a329eab76a60be3a65bca1ba9ed6e71f9a46b7e9d — loadperf.dll\r\n7c37ebb96c54d5d8ea232951ccf56cb1d029facdd6b730f80ca2ad566f6c5d9b — loadoerf.ini\r\n9d04ef8708cf030b9688bf3e8287c1790023a76374e43bd332178e212420f9fb — wbemcomn.ini\r\nb1a0d0508ee932bbf91625330d2136f33344ed70cb25f7e64be0620d32c4b9e2 — cryptbase.ini\r\ne5273b72c853f12b77a11e9c08ae6432fabbb32238ac487af2fb959a6cc26089 — wbemcomn.dll\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MISPGALAXY"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/"
	],
	"report_names": [
		"winnti-abuses-github"
	],
	"threat_actors": [
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434418,
	"ts_updated_at": 1775791940,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f8cde83b5843b44bfef6721c5af0bc3ed9ebab70.pdf",
		"text": "https://archive.orkl.eu/f8cde83b5843b44bfef6721c5af0bc3ed9ebab70.txt",
		"img": "https://archive.orkl.eu/f8cde83b5843b44bfef6721c5af0bc3ed9ebab70.jpg"
	}
}