#winnti — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #winnti, aggregated by home.social.
-
----------------
🎯 Threat Intelligence
===================Executive summary: A 2.7 MB x86_64 ELF sample (MD5: f1403192ad7a762c235d670e13b703c3) with near-maximum entropy was flagged as APT41-linked Winnti. Analysis shows a custom code virtualizer, three typosquat C2 domains resolving to 43.99.48.196 (Alibaba Cloud, Singapore), and a capability to harvest cloud instance metadata across major providers. The implant uses SMTP (port 25) as a covert command channel and refuses connections that do not present the expected implant handshake.
Technical details / IoCs:
• MD5: f1403192ad7a762c235d670e13b703c3
• C2 domains: ai.qianxing.co, ns1.a1iyun.top, ai.aliyuncs.help
• C2 IP: 43.99.48.196 (Alibaba Cloud, SG)
• Observed C2 ports: 25 (SMTP), 443, 8088 (server only responds to valid handshake)
• Notable infrastructure: a1iyun.top has a Let's Encrypt wildcard cert from Aug 2023Analysis:
The binary's high entropy and inline transformations indicate a custom code virtualizer or instruction-level obfuscation that defeats standard static analysis. Intezer and other vendors link code reuse across six years of Winnti lineage (PWNLNX, RedXOR, AzazelFork, SprySOCKS, Melofee), indicating continued evolution rather than a one-off commodity trojan. The typosquatting strategy targets human triage processes: domains visually mimic Alibaba-related hostnames (a1iyun vs aliyun) and use ai. subdomains to exploit contemporary expectations of AI-related traffic.
The implant's use of the link-local cloud metadata endpoint (169.254.169.254) is operationally significant: it can retrieve temporary credentials, instance identity documents, managed identity tokens, and service account tokens from AWS, GCP, Azure, and Alibaba Cloud, enabling potential lateral movement and account takeover when permissions permit.
Detection considerations:
Observed artifacts suitable for detection include DNS queries for the listed typosquat domains, network connections to 43.99.48.196 that exhibit SMTP protocol exchanges without standard mail service responses, and processes attempting access to http://169.254.169.254 from unexpected workloads. The C2's refusal to respond to scans means detection should focus on endpoint telemetry and DNS/log analysis rather than relying on internet-wide scanning results.
Limitations & open questions:
Public analysis is constrained by heavy obfuscation; static indicators inside the binary are limited. The exact command encoding used over SMTP and the full set of post-exploitation modules were not fully disclosed in the source report.
🔹 APT41 #Winnti #cloud #malwareanalysis
-
Злоумышленники перенимают опыт коллег: что общего между SilverFox и APT41. Разбор атаки
Привет, Хабр! На связи Евгения Устинова, старший аналитик сетевой безопасности группы компаний «Гарда» . В статье хочу рассказать, как нам удалось связать инструментарий двух группировок через особенности реализации сетевых протоколов. Отследить эволюцию инструментов группировки SilverFox – например, ПО Winos – по отпечатку процедуры сетевой коммуникации оказалось довольно сложной задачей, поэтому я решила поделиться кейсом. Подключайтесь к расследованию
https://habr.com/ru/companies/garda/articles/962222/
#разбор_атаки #Winos #Silverfox #вредоносы #фишинг #ValleyRAT #apt41 #winnti
-
Злоумышленники перенимают опыт коллег: что общего между SilverFox и APT41. Разбор атаки
Привет, Хабр! На связи Евгения Устинова, старший аналитик сетевой безопасности группы компаний «Гарда» . В статье хочу рассказать, как нам удалось связать инструментарий двух группировок через особенности реализации сетевых протоколов. Отследить эволюцию инструментов группировки SilverFox – например, ПО Winos – по отпечатку процедуры сетевой коммуникации оказалось довольно сложной задачей, поэтому я решила поделиться кейсом. Подключайтесь к расследованию
https://habr.com/ru/companies/garda/articles/962222/
#разбор_атаки #Winos #Silverfox #вредоносы #фишинг #ValleyRAT #apt41 #winnti
-
Злоумышленники перенимают опыт коллег: что общего между SilverFox и APT41. Разбор атаки
Привет, Хабр! На связи Евгения Устинова, старший аналитик сетевой безопасности группы компаний «Гарда» . В статье хочу рассказать, как нам удалось связать инструментарий двух группировок через особенности реализации сетевых протоколов. Отследить эволюцию инструментов группировки SilverFox – например, ПО Winos – по отпечатку процедуры сетевой коммуникации оказалось довольно сложной задачей, поэтому я решила поделиться кейсом. Подключайтесь к расследованию
https://habr.com/ru/companies/garda/articles/962222/
#разбор_атаки #Winos #Silverfox #вредоносы #фишинг #ValleyRAT #apt41 #winnti
-
Злоумышленники перенимают опыт коллег: что общего между SilverFox и APT41. Разбор атаки
Привет, Хабр! На связи Евгения Устинова, старший аналитик сетевой безопасности группы компаний «Гарда» . В статье хочу рассказать, как нам удалось связать инструментарий двух группировок через особенности реализации сетевых протоколов. Отследить эволюцию инструментов группировки SilverFox – например, ПО Winos – по отпечатку процедуры сетевой коммуникации оказалось довольно сложной задачей, поэтому я решила поделиться кейсом. Подключайтесь к расследованию
https://habr.com/ru/companies/garda/articles/962222/
#разбор_атаки #Winos #Silverfox #вредоносы #фишинг #ValleyRAT #apt41 #winnti
-
Chinese APT Phantom Taurus Targeted MS Exchange Servers Over 3 Years https://hackread.com/chinese-apt-phantom-taurus-ms-exchange-servers/ #Cybersecurity #PhantomTaurus #CyberAttacks #IIServerCore #MustangPanda #Afghanistan #CyberAttack #Security #backdoor #Pakistan #Malware #NETSTAR #Winnti #China
-
Chinese APT Phantom Taurus Targeted MS Exchange Servers Over 3 Years https://hackread.com/chinese-apt-phantom-taurus-ms-exchange-servers/ #Cybersecurity #PhantomTaurus #CyberAttacks #IIServerCore #MustangPanda #Afghanistan #CyberAttack #Security #backdoor #Pakistan #Malware #NETSTAR #Winnti #China
-
Chinese APT Phantom Taurus Targeted MS Exchange Servers Over 3 Years https://hackread.com/chinese-apt-phantom-taurus-ms-exchange-servers/ #Cybersecurity #PhantomTaurus #CyberAttacks #IIServerCore #MustangPanda #Afghanistan #CyberAttack #Security #backdoor #Pakistan #Malware #NETSTAR #Winnti #China
-
Chinese APT Phantom Taurus Targeted MS Exchange Servers Over 3 Years https://hackread.com/chinese-apt-phantom-taurus-ms-exchange-servers/ #Cybersecurity #PhantomTaurus #CyberAttacks #IIServerCore #MustangPanda #Afghanistan #CyberAttack #Security #backdoor #Pakistan #Malware #NETSTAR #Winnti #China
-
Details Emerge on Chinese Hacking Operation Impersonating US Lawmaker https://www.securityweek.com/details-emerge-on-chinese-hacking-operation-impersonating-us-lawmaker/ #cyberespionage #Nation-State #BrassTyphoon #espionage #ChinaAPT #Winnti #APT41 #China
-
Details Emerge on Chinese Hacking Operation Impersonating US Lawmaker https://www.securityweek.com/details-emerge-on-chinese-hacking-operation-impersonating-us-lawmaker/ #cyberespionage #Nation-State #BrassTyphoon #espionage #ChinaAPT #Winnti #APT41 #China
-
Details Emerge on Chinese Hacking Operation Impersonating US Lawmaker https://www.securityweek.com/details-emerge-on-chinese-hacking-operation-impersonating-us-lawmaker/ #cyberespionage #Nation-State #BrassTyphoon #espionage #ChinaAPT #Winnti #APT41 #China
-
Details Emerge on Chinese Hacking Operation Impersonating US Lawmaker https://www.securityweek.com/details-emerge-on-chinese-hacking-operation-impersonating-us-lawmaker/ #cyberespionage #Nation-State #BrassTyphoon #espionage #ChinaAPT #Winnti #APT41 #China
-
Details Emerge on Chinese Hacking Operation Impersonating US Lawmaker https://www.securityweek.com/details-emerge-on-chinese-hacking-operation-impersonating-us-lawmaker/ #cyberespionage #Nation-State #BrassTyphoon #espionage #ChinaAPT #Winnti #APT41 #China
-
Details Emerge on Chinese Hacking Operation Impersonating US Lawmaker https://www.securityweek.com/details-emerge-on-chinese-hacking-operation-impersonating-us-lawmaker/ #cyberespionage #Nation-State #BrassTyphoon #espionage #ChinaAPT #Winnti #APT41 #China
-
Details Emerge on Chinese Hacking Operation Impersonating US Lawmaker https://www.securityweek.com/details-emerge-on-chinese-hacking-operation-impersonating-us-lawmaker/ #cyberespionage #Nation-State #BrassTyphoon #espionage #ChinaAPT #Winnti #APT41 #China
-
Details Emerge on Chinese Hacking Operation Impersonating US Lawmaker https://www.securityweek.com/details-emerge-on-chinese-hacking-operation-impersonating-us-lawmaker/ #cyberespionage #Nation-State #BrassTyphoon #espionage #ChinaAPT #Winnti #APT41 #China
-
The group FishMonger has been conducting cyber espionage against governments, NGOs, and think tanks across Asia, Europe, and the United States.
🔗 For more about their operation 'FishMedley' read: https://www.technadu.com/global-espionage-operation-by-i-soons-fishmonger-apt-group-unveiled/581362/
-
The group FishMonger has been conducting cyber espionage against governments, NGOs, and think tanks across Asia, Europe, and the United States.
🔗 For more about their operation 'FishMedley' read: https://www.technadu.com/global-espionage-operation-by-i-soons-fishmonger-apt-group-unveiled/581362/
-
Winnti APT41 Targets Japanese Firms in RevivalStone Cyber Espionage Campaign – Source:thehackernews.com https://ciso2ciso.com/winnti-apt41-targets-japanese-firms-in-revivalstone-cyber-espionage-campaign-sourcethehackernews-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #TheHackerNews #Winnti
-
Winnti APT41 Targets Japanese Firms in RevivalStone Cyber Espionage Campaign – Source:thehackernews.com https://ciso2ciso.com/winnti-apt41-targets-japanese-firms-in-revivalstone-cyber-espionage-campaign-sourcethehackernews-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #TheHackerNews #Winnti
-
Winnti APT41 Targets Japanese Firms in RevivalStone Cyber Espionage Campaign – Source:thehackernews.com https://ciso2ciso.com/winnti-apt41-targets-japanese-firms-in-revivalstone-cyber-espionage-campaign-sourcethehackernews-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #TheHackerNews #Winnti
-
Winnti APT41 Targets Japanese Firms in RevivalStone Cyber Espionage Campaign – Source:thehackernews.com https://ciso2ciso.com/winnti-apt41-targets-japanese-firms-in-revivalstone-cyber-espionage-campaign-sourcethehackernews-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #TheHackerNews #Winnti
-
Chinese Hacking Group APT41 Infiltrates Global Shipping and Tech Sectors, Mandiant Warns https://www.securityweek.com/chinese-hacking-group-apt41-infiltrates-global-shipping-and-tech-sectors-mandiant-warns/ #Malware&Threats #Cyberwarfare #NationState #ChinaAPT #Mandiant #Winnti #APT41
-
Chinese Hacking Group APT41 Infiltrates Global Shipping and Tech Sectors, Mandiant Warns https://www.securityweek.com/chinese-hacking-group-apt41-infiltrates-global-shipping-and-tech-sectors-mandiant-warns/ #Malware&Threats #Cyberwarfare #NationState #ChinaAPT #Mandiant #Winnti #APT41
-
Chinese Hacking Group APT41 Infiltrates Global Shipping and Tech Sectors, Mandiant Warns https://www.securityweek.com/chinese-hacking-group-apt41-infiltrates-global-shipping-and-tech-sectors-mandiant-warns/ #Malware&Threats #Cyberwarfare #NationState #ChinaAPT #Mandiant #Winnti #APT41
-
Chinese Hacking Group APT41 Infiltrates Global Shipping and Tech Sectors, Mandiant Warns https://www.securityweek.com/chinese-hacking-group-apt41-infiltrates-global-shipping-and-tech-sectors-mandiant-warns/ #Malware&Threats #Cyberwarfare #NationState #ChinaAPT #Mandiant #Winnti #APT41
-
Chinese Hacking Group APT41 Infiltrates Global Shipping and Tech Sectors, Mandiant Warns https://www.securityweek.com/chinese-hacking-group-apt41-infiltrates-global-shipping-and-tech-sectors-mandiant-warns/ #Malware&Threats #Cyberwarfare #NationState #ChinaAPT #Mandiant #Winnti #APT41
-
Chinese Hacking Group APT41 Infiltrates Global Shipping and Tech Sectors, Mandiant Warns https://www.securityweek.com/chinese-hacking-group-apt41-infiltrates-global-shipping-and-tech-sectors-mandiant-warns/ #Malware&Threats #Cyberwarfare #NationState #ChinaAPT #Mandiant #Winnti #APT41
-
Chinese Hacking Group APT41 Infiltrates Global Shipping and Tech Sectors, Mandiant Warns https://www.securityweek.com/chinese-hacking-group-apt41-infiltrates-global-shipping-and-tech-sectors-mandiant-warns/ #Malware&Threats #Cyberwarfare #NationState #ChinaAPT #Mandiant #Winnti #APT41
-
Chinese Hacking Group APT41 Infiltrates Global Shipping and Tech Sectors, Mandiant Warns https://www.securityweek.com/chinese-hacking-group-apt41-infiltrates-global-shipping-and-tech-sectors-mandiant-warns/ #Malware&Threats #Cyberwarfare #NationState #ChinaAPT #Mandiant #Winnti #APT41
-
Trend Micro reported on the attack chain of a cyberespionage group Earth Freybug, which they claim is a subset of the Chinese state-sponsored APT41 (Winnti Group). No information about the targets or timeline, but they describe a new UNAPIMON malware used for defense evasion ( prevent child processes from being monitored). One SHA256 provided, which isn't recognized in VirusTotal. 🔗 https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html
#China #cyberespionage #EarthFreybug #APT41 #Winnti #UNAPIMON #threatintel #IOC
-
Trend Micro reported on the attack chain of a cyberespionage group Earth Freybug, which they claim is a subset of the Chinese state-sponsored APT41 (Winnti Group). No information about the targets or timeline, but they describe a new UNAPIMON malware used for defense evasion ( prevent child processes from being monitored). One SHA256 provided, which isn't recognized in VirusTotal. 🔗 https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html
#China #cyberespionage #EarthFreybug #APT41 #Winnti #UNAPIMON #threatintel #IOC
-
Trend Micro reported on the attack chain of a cyberespionage group Earth Freybug, which they claim is a subset of the Chinese state-sponsored APT41 (Winnti Group). No information about the targets or timeline, but they describe a new UNAPIMON malware used for defense evasion ( prevent child processes from being monitored). One SHA256 provided, which isn't recognized in VirusTotal. 🔗 https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html
#China #cyberespionage #EarthFreybug #APT41 #Winnti #UNAPIMON #threatintel #IOC
-
Trend Micro reported on the attack chain of a cyberespionage group Earth Freybug, which they claim is a subset of the Chinese state-sponsored APT41 (Winnti Group). No information about the targets or timeline, but they describe a new UNAPIMON malware used for defense evasion ( prevent child processes from being monitored). One SHA256 provided, which isn't recognized in VirusTotal. 🔗 https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html
#China #cyberespionage #EarthFreybug #APT41 #Winnti #UNAPIMON #threatintel #IOC
-
Trend Micro reported on the attack chain of a cyberespionage group Earth Freybug, which they claim is a subset of the Chinese state-sponsored APT41 (Winnti Group). No information about the targets or timeline, but they describe a new UNAPIMON malware used for defense evasion ( prevent child processes from being monitored). One SHA256 provided, which isn't recognized in VirusTotal. 🔗 https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html
#China #cyberespionage #EarthFreybug #APT41 #Winnti #UNAPIMON #threatintel #IOC
-
Recorded Future publishes a 24 page report on i-SOON and their connections to offensive cyberespionage operations attributed to RedHotel, RedAlpha and POISON CARP. The links indicate that they are likely sub-teams focused on specific missions within the same company. i-SOON's victims span 22 countries, with government, telco and education being the most targeted sectors. i-SOON also supports domestic including the targeting of ethnic and religious minorities and the online gambling industry. i-SOON very likely uses and sells access to custom malware families like Winnti and ShadowPad. IOC provided. 🔗 https://www.recordedfuture.com/attributing-i-soon-private-contractor-linked-chinese-state-sponsored-groups
#ISOON #cyberespionage #China #APT #threatintel #IOC #redhotel #redalpha #poisoncarp #winnti #shadowpad
-
Recorded Future publishes a 24 page report on i-SOON and their connections to offensive cyberespionage operations attributed to RedHotel, RedAlpha and POISON CARP. The links indicate that they are likely sub-teams focused on specific missions within the same company. i-SOON's victims span 22 countries, with government, telco and education being the most targeted sectors. i-SOON also supports domestic including the targeting of ethnic and religious minorities and the online gambling industry. i-SOON very likely uses and sells access to custom malware families like Winnti and ShadowPad. IOC provided. 🔗 https://www.recordedfuture.com/attributing-i-soon-private-contractor-linked-chinese-state-sponsored-groups
#ISOON #cyberespionage #China #APT #threatintel #IOC #redhotel #redalpha #poisoncarp #winnti #shadowpad
-
Recorded Future publishes a 24 page report on i-SOON and their connections to offensive cyberespionage operations attributed to RedHotel, RedAlpha and POISON CARP. The links indicate that they are likely sub-teams focused on specific missions within the same company. i-SOON's victims span 22 countries, with government, telco and education being the most targeted sectors. i-SOON also supports domestic including the targeting of ethnic and religious minorities and the online gambling industry. i-SOON very likely uses and sells access to custom malware families like Winnti and ShadowPad. IOC provided. 🔗 https://www.recordedfuture.com/attributing-i-soon-private-contractor-linked-chinese-state-sponsored-groups
#ISOON #cyberespionage #China #APT #threatintel #IOC #redhotel #redalpha #poisoncarp #winnti #shadowpad
-
Recorded Future publishes a 24 page report on i-SOON and their connections to offensive cyberespionage operations attributed to RedHotel, RedAlpha and POISON CARP. The links indicate that they are likely sub-teams focused on specific missions within the same company. i-SOON's victims span 22 countries, with government, telco and education being the most targeted sectors. i-SOON also supports domestic including the targeting of ethnic and religious minorities and the online gambling industry. i-SOON very likely uses and sells access to custom malware families like Winnti and ShadowPad. IOC provided. 🔗 https://www.recordedfuture.com/attributing-i-soon-private-contractor-linked-chinese-state-sponsored-groups
#ISOON #cyberespionage #China #APT #threatintel #IOC #redhotel #redalpha #poisoncarp #winnti #shadowpad
-
Recorded Future publishes a 24 page report on i-SOON and their connections to offensive cyberespionage operations attributed to RedHotel, RedAlpha and POISON CARP. The links indicate that they are likely sub-teams focused on specific missions within the same company. i-SOON's victims span 22 countries, with government, telco and education being the most targeted sectors. i-SOON also supports domestic including the targeting of ethnic and religious minorities and the online gambling industry. i-SOON very likely uses and sells access to custom malware families like Winnti and ShadowPad. IOC provided. 🔗 https://www.recordedfuture.com/attributing-i-soon-private-contractor-linked-chinese-state-sponsored-groups
#ISOON #cyberespionage #China #APT #threatintel #IOC #redhotel #redalpha #poisoncarp #winnti #shadowpad
-
Hammer drops on hackers accused of targeting game and software makers - Enlarge / The Department of Justice seal as seen during a press conference in December 2019. (cred... - https://arstechnica.com/?p=1707160 #gamemakers #software #hackers #hacking #biz&it #policy #winnti #apt41 #china
-
📬Ein Werk von Winnti? Unbekannte hacken seit 10 Jahren Linux-Systeme📬 https://tarnkappe.info/ein-werk-von-winnti-unbekannte-hacken-seit-10-jahren-linux-systeme/ #RedHatEnterprise #Cyberspionage #UbuntuLinux #BlackBerry #XiJinping #Artikel #CentOS #Winnti #China #Linux
-
#EvilGnome und #Winnti: #Security-Experte findet Schadprogramm für #Gnome
Laut einem Eintrag im Interzer-Blog gibt es eine Schadsoftware, die gezielt Gnome-Installationen infiziert.
-
#Bayer AG von #Hackern ausgespäht: Spur nach China?
Der Dax-Konzern Bayer ist von der "#Winnti"-Gruppe digital ausgespäht worden. Nach Informationen von BR und NDR war die #Schadsoftware bis Ende März im #Netzwerk des Konzerns zu finden.
https://www.tagesschau.de/inland/hackerangriff-bayer-101.html