Winnti
Winnti is a long-running malware family and broader malware lineage associated with Chinese state-linked intrusion activity, especially clusters tracked as APT41 and the Winnti Group, and also reported in operations involving RedHotel/Earth Lusca, Aquatic Panda, Alloy Taurus, and other China-nexus actors. The content describes both Windows and Linux variants, including classic Winnti backdoors, Winnti-family DLLs and services on Windows, and ELF backdoors for Linux.
Historically, Winnti has been prominent since at least 2012 and has been used in cyber espionage and supply-chain operations. Reported targeting includes software and hardware companies, telecommunications, social media, video game companies, universities, think tanks, foreign governments, NGOs, media, academia, aerospace, and Southeast Asian government entities. Specific victim themes mentioned include gaming companies, Hong Kong universities, Indian targets, ASEAN-affiliated entities, and Linux cloud workloads across AWS, Google Cloud Platform, Microsoft Azure, and Alibaba Cloud.
Capabilities described in the content include remote backdoor access, persistence, credential theft, cloud credential harvesting, reconnaissance, and support for lateral movement. On Linux cloud systems, a recent Winnti-family ELF implant harvested instance metadata and credentials from 169.254.169.254, including AWS IAM role credentials and tokens, GCP service account tokens and project metadata, Azure managed identity tokens and subscription metadata, and Alibaba Cloud RAM role credentials and instance metadata. It also checked local credential stores such as ~/.aws/credentials and cloud-specific configuration paths, encrypted collected secrets with a hardcoded AES-256 key, used SMTP over port 25 as a covert C2 channel, and broadcast UDP traffic to 255.255.255.255:6006 for host discovery and peer coordination. The Linux implant was linked by code reuse to earlier Winnti-lineage malware including PWNLNX, RedXOR, AzazelFork, SprySOCKS, Melofee, and the Linux KEYPLUG variant.
Windows-side behavior in the content includes DLL side-loading and search-order hijacking, service-based persistence, rootkit-related components, and use of masquerading filenames and paths. Examples include Winnti found as C:\Windows\System32\oci.dll in a Hong Kong university intrusion; a Winnti-family variant copied to %SYSTEM%\lscsrv.dll with a service named Lscsrv; and Linux persistence via modification of /etc/ld.so.preload. The content also references detection opportunities such as signing certificate artifacts, rootkit driver paths, and unique strings in known DLLs. Aquatic Panda was reported to install Linux Winnti after SSH access and to modify /etc/ld.so.preload for persistence.
In observed campaigns, Winnti commonly appeared alongside other Chinese intrusion tooling such as ShadowPad, PlugX/Korplug, China Chopper, Cobalt Strike, Brute Ratel, HDoor, and bespoke loaders. Infection and deployment vectors mentioned include phishing, spear-phishing attachments and archives, exploitation of public-facing applications such as Exchange, Zimbra, Openfire, Oracle servers, and Log4Shell exposure, as well as DLL side-loading through legitimate executables. The content also notes use in supply-chain compromises and long-term persistence operations.
High-confidence infrastructure and indicators directly mentioned for the Linux Winnti-family cloud backdoor include MD5 f1403192ad7a762c235d670e13b703c3; C2 domains ai[.]qianxing[.]co, ns1[.]a1iyun[.]top, and ai[.]aliyuncs[.]help; C2 IP 43[.]99[.]48[.]196 hosted on Alibaba Cloud in Singapore; metadata endpoint 169.254.169.254; and UDP broadcast traffic to port 6006. Additional campaign-specific Winnti-related C2 naming patterns mentioned include w[target].livehost.live:443 and w[target].dnslookup.services:443 in the Hong Kong university case. The content also notes the internal name TreadStone as a controller name associated with Winnti in leaked I-Soon materials and FBI indictment references.
Groups observed using it
8 distinct threat actors attributed by public researchers.
This group is also linked to the use of PlugX/Fast/Korplug/ and Winnti/Pasteboy and Shadowpad malware, with the Korplug and Winnti being prominent malware families since 2012.
"China-Linked Group TAG-28 Targets India’s “The Times Group” and UIDAI (Aadhaar) Government Agency With Winnti Malware"
"...attempting to install a variant of the Winnti malware family..."
"This attack is thought to be of Chinese origins and utilized the Winnti backdoor."
“Fishmonger was notably going after universities in Hong Kong in 2020 using the Winnti and ShadowPad malware.” and: “the internal name of this tool (“TreadStone”) was mentioned in the FBI indictment … as the controller for Winnti.”
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
APT41 Winnti ELF backdoor with near-maximum entropy connects to three typosquat domains.
Initial Access
4 techniques
APT41 exploits vulnerabilities in public-facing applications and deploys malware such as Winnti and ShadowPad to maintain persistence.
It has been linked to supply chain compromises and for hacking into popular software vendors. Well known software titles with significant installation bases were compromised with malware.
The modus operandi of this group was to compromise developer workstations that had access to source code repositories and then install backdoors and other malware into legitimate software.
"The company appears to have trouble sourcing malware and relies on generally crude methods (i.e., phishing)." / "a 'forensics link' (phishing) is delivered to the victim ... the end-goal is to obtain the victim’s Outlook credentials."
Execution
1 technique
Persistence
1 technique
The threat actors have also been known to deploy the Winnti malware and the China Chopper web shell...
Credential Access
2 techniques
At the heart of this new Winnti backdoor is a focused cloud credential harvesting engine that systematically walks through each major provider’s metadata and credential storage mechanisms. On AWS, the implant queries the instance metadata endpoint at 169.254.169.254 to extract IAM role credentials, while also reading the standard ~/.aws/credentials file if it exists. On GCP, it requests service account tokens from the metadata server and checks for application default credentials, and on Azure it pulls managed identity tokens from the IMDS endpoint and scans ~/.azure profiles. For Alibaba Cloud, the malware targets ECS metadata to obtain RAM role credentials and inspects the local Alibaba CLI configuration files.
Harvests cloud instance metadata.
Discovery
1 technique
Inside the cloud network, the implant supports lateral movement by periodically sending UDP broadcast beacons to 255.255.255.255 on port 6006, allowing other compromised hosts to discover each other and share tasking without extra direct C2 traffic.
Command and Control
2 techniques
Customers running the latest definitions are protected by the following IPS signatures: WINNTI.Botnet, Backdoor.Cobalt.Strike.Beacon
According to the Breakglass Intelligence report, the backdoor uses an unusual but effective command-and-control strategy built around SMTP traffic over port 25, rather than more common HTTPS-based channels. This choice allows the implant to disguise its C2 as email traffic... All collected secrets are encrypted using a hardcoded AES-256 key and staged locally prior to exfiltration through the SMTP-based C2 channel.
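The three network behaviours described above (metadata-service queries from an unexpected process, UDP broadcasts to 255.255.255.255:6006, and outbound SMTP on TCP/25 from a cloud workload) are each individually noisy but together make a strong host-level signal. The following detection logic is an added example and is not code from the original page or from any vendor named on it; the connection-log format, the process allowlist, the internal network range, and the sample log lines (including the process name ".cache-worker") are all constructed assumptions to be tuned to a real fleet.

```python
"""Added example: host-level triage of the Winnti-family cloud backdoor's
network behaviours over constructed connection-log lines.

Log format (assumption, not a vendor schema): whitespace-separated key=value
fields -- ts host proc proto dst dport.
"""
import ipaddress
from collections import defaultdict

# Processes that legitimately query the metadata service on a typical cloud
# image. This allowlist is an assumption; tune it to your own images.
IMDS_ALLOWED_PROCS = {
    "cloud-init", "amazon-ssm-agent", "google_guest_agent",
    "waagent", "aliyun-service",
}
# Internal ranges where an SMTP relay may legitimately live (assumption).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

METADATA_IP = "169.254.169.254"   # IMDS endpoint named on the page
BROADCAST_IP = "255.255.255.255"  # peer-discovery broadcast target on the page
BEACON_PORT = 6006                # UDP beacon port on the page
SMTP_PORT = 25                    # covert C2 channel port on the page


def parse_line(line):
    """Turn one 'k=v k=v ...' log line into a dict with an integer dport."""
    ev = dict(kv.split("=", 1) for kv in line.split())
    ev["dport"] = int(ev["dport"])
    return ev


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(ev):
    """Return the detection names a single connection event triggers."""
    hits = []
    if ev["dst"] == METADATA_IP and ev["proc"] not in IMDS_ALLOWED_PROCS:
        hits.append("imds_query_unexpected_process")
    if ev["proto"] == "udp" and ev["dst"] == BROADCAST_IP and ev["dport"] == BEACON_PORT:
        hits.append("udp_broadcast_6006")
    # Direct SMTP to a non-internal host from a workload is the anomaly;
    # traffic to an internal relay is expected and stays quiet.
    if ev["proto"] == "tcp" and ev["dport"] == SMTP_PORT and not is_internal(ev["dst"]):
        hits.append("outbound_smtp_25")
    return hits


def triage(lines):
    """Collect the distinct detections seen per host."""
    per_host = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        for name in classify(ev):
            per_host[ev["host"]].add(name)
    return {host: sorted(names) for host, names in per_host.items()}


def escalate(per_host, min_distinct=2):
    """Hosts showing two or more distinct behaviours are escalated; a single
    behaviour (e.g. a mail relay sending on port 25) is left as low severity."""
    return sorted(h for h, names in per_host.items() if len(names) >= min_distinct)


# Constructed sample log lines. The process name ".cache-worker" is invented
# for the example; it is not an indicator from the page.
SAMPLE_LOG = [
    "ts=1 host=web-01 proc=cloud-init proto=tcp dst=169.254.169.254 dport=80",
    "ts=2 host=web-01 proc=.cache-worker proto=tcp dst=169.254.169.254 dport=80",
    "ts=3 host=web-01 proc=.cache-worker proto=udp dst=255.255.255.255 dport=6006",
    "ts=4 host=web-01 proc=.cache-worker proto=tcp dst=203.0.113.25 dport=25",
    "ts=5 host=mail-relay proc=postfix proto=tcp dst=198.51.100.9 dport=25",
    "ts=6 host=app-03 proc=app proto=tcp dst=10.0.0.25 dport=25",
    "ts=7 host=db-02 proc=aliyun-service proto=tcp dst=169.254.169.254 dport=80",
]

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for host, names in sorted(results.items()):
        print(f"{host}: {', '.join(names)}")
    print("escalate:", escalate(results))
```

Run as-is it prints one line per host with detections and then the escalation list; in practice the allowlist and internal ranges are the two knobs that decide the false-positive rate, and the metadata-service rule is far cheaper to enforce up front by requiring IMDSv2-style session tokens or restricting the endpoint to known agents than by chasing it after the fact.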
IOCs tracked for this family
7 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
26 sources tracked across advisories, community write-ups, and news.
A Linux ELF backdoor used for stealthy long-term access in cloud environments. It harvests cloud credentials from metadata services and local credential files across AWS, GCP, Azure, and Alibaba Cloud, encrypts the collected secrets, and exfiltrates them via an SMTP-based command-and-control channel. It also supports peer-to-peer coordination for lateral movement inside cloud networks.
An ELF backdoor targeting Linux cloud workloads and harvesting cloud credentials across major cloud environments.
An obfuscated x86_64 ELF backdoor attributed in the content to the Winnti lineage. It communicates with typosquatted C2 domains hosted on Alibaba Cloud, uses SMTP port 25 as a covert command channel, harvests cloud instance metadata and credentials from AWS, GCP, Azure, and Alibaba Cloud, and performs UDP broadcast-based network discovery for lateral movement.
Malware used by APT41 to maintain persistence in compromised environments.