Remote Access Trojan

Winnti

First seen: 2011 • Status: active

Currently Active Threat

Winnti started as a tool to hack video game companies but grew into a spy program used against all kinds of businesses to steal their secrets.

Overview

Winnti is a backdoor toolkit used by multiple Chinese APT groups. Originally targeting gaming companies, it has evolved to target technology, manufacturing, and pharmaceutical sectors.

Also Known As

Winnti malware, Winnti backdoor

How It Spreads

  • Supply chain attacks
  • Spear phishing
  • Exploitation

What It Does

  • Backdoor access
  • Code signing certificate theft
  • Lateral movement
  • Data exfiltration


Target Platforms

Windows, Linux

Detection Tips

  • Monitor for unusual kernel driver activity
  • Check for stolen code signing certificates
  • Analyze network traffic for Winnti patterns
  • Review build pipeline security

MITRE ATT&CK Techniques

T1195 (Supply Chain Compromise), T1553 (Subvert Trust Controls), T1021 (Remote Services), T1005 (Data from Local System), T1070 (Indicator Removal)

If You're Infected

  1. Revoke and replace code signing certificates
  2. Audit software build pipelines
  3. Remove Winnti backdoor components
  4. Implement software integrity verification

Related Malware

ShadowPad, PlugX, Cobalt Strike
