Winnti Group

Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. [1] [2] [3]

Winnti Group refers to the activity of a number of linked groups rather than a single discrete entity, and some reporting suggests that it includes Axiom, APT17, and Ke3chang.[4]

One of the group's main objectives is stealing digital code-signing certificates belonging to legitimate software vendors, alongside intellectual property theft, including the source code of online game projects. The majority of the victims are from South East Asia.

Some reports suggest that Winnti Group is associated with the infamous ShadowPad backdoor, which was inserted into one of the DLLs of the NetSarang software in a software supply chain compromise.

In February 2020, Winnti Group was found to be targeting several video gaming companies based in South Korea and Taiwan, compromising their build systems to infect gaming binaries and deliver a backdoor to those companies' users.

In June 2020, Winnti Group also shifted to targeting Red Hat Enterprise, CentOS, and Ubuntu Linux environments systematically across a wide array of industry verticals for the purposes of espionage and intellectual property theft.

Some reporting suggests that the group shifted from signing malware with certificates stolen from video game companies to signing malware with certificates stolen from adware vendors, resulting in very low detection rates.

Associated Group Descriptions

Name Description


Techniques Used

Domain ID Name Use
Enterprise VT0016 .002 Subvert Trust Controls: Code Signing

Winnti Group used stolen certificates to sign its malware.[1]

Enterprise VT0004 .002 Supply Chain Compromise: Compromise Software Supply Chain

Winnti Group targets the development pipeline of gaming and adware software companies to backdoor the software and compromise the software supply chain.



Associated Groups

Created: 06 May 2021

Last Modified: 06 May 2021