Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting.   
One of the group's main objectives is stealing digital certificates signed by legitimate software vendors in addition to intellectual property theft, including the source code of online game projects. The majority of the victims are from South East Asia.
In February 2020, Winnti Group was found to target several video gaming companies that are based in South Korea and Taiwan and compromise their build systems to infect gaming binaries and deliver a backdoor to their users.
In June 2020, Winnti Group also shifted to target Red Hat Enterprise, CentOS, and Ubuntu Linux environments systemically across a wide array of industry verticals for the purposes of espionage and intellectual property theft.
Some reporting suggests that the group shifted from signing malware with certificates stolen from video game companies to signing malware with certificates stolen from adware vendors, resulting in very low detection rates.
Associated Group Descriptions
| Domain | ID | Sub-technique | Name | Use |
|---|---|---|---|---|
| Enterprise | VT0016 | .002 | Subvert Trust Controls: Code Signing | Winnti Group used stolen certificates to sign its malware. |
| Enterprise | VT0004 | .002 | Supply Chain Compromise: Compromise Software Supply Chain | Winnti Group targets the development pipeline of gaming and adware software companies to backdoor the software and compromise the supply chain. |
Created: 06 May 2021
Last Modified: 06 May 2021