WinDealer
WinDealer is a Windows backdoor/RAT malware family associated with the China-linked threat actor LuoYu (also tracked as SinisterEye). It is described as LuoYu's primary Windows implant and has been used alongside SpyDealer on Android. Reported delivery tradecraft includes adversary-in-the-middle interception of Windows software update traffic at ISP or backbone level, specifically manipulation of Windows update mechanisms on ChinaNet AS4134 to deliver WinDealer to targets, including foreign entities operating inside China. The malware is referenced as part of LuoYu operations and is also mentioned in connection with Chinese-origin activity involving WinDealer and ReverseWindow. WinDealer RAT is further listed among the malware families discussed in threat reporting. Taken together, the reporting ties WinDealer to espionage-focused operations, Windows targeting, and network-infrastructure-assisted malware delivery rather than conventional user-driven infection vectors.
Groups observed using it
3 distinct threat actors attributed by public researchers.
In a research paper presented by TeamT5, XDealer was shown to be associated with Luoyu, a threat actor with Chinese origins that used the WinDealer and ReverseWindow malware families.
Target Technologies: Windows operating system update mechanisms, specifically Windows software update traffic intercepted and manipulated via adversary-in-the-middle to deliver WinDealer... Malware and Tools: WinDealer (Windows backdoor primary implant), SpyDealer (Android surveillance malware), custom passive MOTS injection framework operating at network infrastructure level.
...SinisterEye... to deliver malware like WinDealer (for Windows) and SpyDealer (for Android)...
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Initial Access: Supply chain compromise through an overseas telecommunications provider, exploiting a trusted third-party network connection to bypass perimeter defenses.
Credential Access
1 technique
Initial Access: Adversary-in-the-middle attacks, with confirmed capability to intercept network traffic at ISP or backbone level within AS4134 (ChinaNet). Legitimate software update requests from victim machines are intercepted in transit, and the server responses are replaced with a malicious payload before they reach the victim.
Discovery
1 technique
Active Directory reconnaissance post-compromise.
Collection
1 technique
Initial Access: Adversary-in-the-middle attacks, with confirmed capability to intercept network traffic at ISP or backbone level within AS4134 (ChinaNet). Legitimate software update requests from victim machines are intercepted in transit, and the server responses are replaced with a malicious payload before they reach the victim.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Windows backdoor delivered through adversary-in-the-middle interception of software update traffic, used for surveillance and document exfiltration.
Windows malware delivered via adversary-in-the-middle attacks that hijack legitimate software update mechanisms.
WinDealer is referenced as a RAT in suspicious execution and driver-loading detections.
A malware family associated with Luoyu, mentioned in attribution context as related to XDealer.