Security Affairs

China-linked APT group Winnti targets Japanese organizations since March 2024


China-linked threat actor Winnti targeted Japanese companies in the manufacturing, materials, and energy sectors in March 2024 as part of a campaign dubbed RevivalStone.

Researchers from cybersecurity firm LAC uncovered a new cyberespionage campaign, tracked as RevivalStone, carried out by the China-linked APT group Winnti in March 2024. Threat actors targeted Japanese companies in the manufacturing, materials, and energy sectors and used an enhanced version of “Winnti malware.”

The APT group was first spotted by Kaspersky in 2013, but according to the researchers, the gang has been active since 2007.

The experts believe that under the Winnti umbrella there are several APT groups, including Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, BARIUM, LEAD, PassCV, Wicked Panda, and ShadowPad.

LAC states that the Winnti malware employed in the RevivalStone campaign supports new evasion techniques.

The attack chain began by exploiting an SQL injection in an ERP system to deploy a WebShell; the attackers then conducted reconnaissance and installed the Winnti malware. The threat actors compromised a shared account belonging to the operation and maintenance company to perform lateral movement, breaching the infrastructure provider’s network and impacting multiple organizations.

The threat actor used multiple WebShells in this campaign including “China chopper,” “Behinder,” and “sqlmap file uploader.”

The new Winnti malware persists through the SessionEnv service, initiating a multi-step execution process. It exploits DLL hijacking to load the Winnti Loader, which decrypts and executes the Winnti RAT. The RAT then deploys the Winnti Rootkit, which intercepts TCP/IP communications and waits for external C2 commands to execute malicious actions.

The Winnti Loader, also known as PRIVATELOG, loads the Winnti RAT into memory and is protected by code obfuscation through jump-based Control Flow Flattening (CFF). The malware also employs XOR and ChaCha20 encryption to obfuscate characteristic strings, further complicating detection and reverse engineering.

“To avoid detection by EDR products, Winnti Loader copies and loads legitimate DLL files required for its operation to the System32 folder. This detection evasion function is also implemented in the “UNAPIMON” malware, which is one of the components of the Winnti malware described below.” reads the report. “In addition, when copying files, Winnti Loader changes the file name to one consisting of an underscore and 5-9 alphabetic characters (e.g., “_syFig.dll” or “_TcsTgyqmk.dll”). Figure 11 shows the code for determining the number of characters in the random string, where a number between 5 and 9 is assigned to the variable v1. The Winnti Loader then dynamically loads the copied libraries and deletes the copied files once the loading is complete.”
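The file-naming rule quoted from the report (an underscore followed by five to nine alphabetic characters, copied into System32 and deleted again after loading) is specific enough to hunt for in file telemetry. The following Python is an added illustration, not code from LAC or Security Affairs: it applies that rule to a constructed, hypothetical list of file-create and file-delete events and flags matching DLLs that were created and removed within a short window, plus any that still linger. The event format and timestamps are assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Naming rule described in the LAC report: "_" + 5 to 9 alphabetic characters,
# with a .dll extension, placed directly in System32.
LOADER_NAME_RE = re.compile(r"^_[a-z]{5,9}\.dll$")
SYSTEM32 = "c:\\windows\\system32\\"

# Constructed sample events (hypothetical, not taken from the report).
# Each tuple is (ISO timestamp, event type, full path), loosely modelled on
# file-create / file-delete telemetry from an EDR or Sysmon.
SAMPLE_EVENTS = [
    ("2024-03-10T09:12:01", "FileCreate", r"C:\Windows\System32\_syFig.dll"),
    ("2024-03-10T09:12:03", "FileDelete", r"C:\Windows\System32\_syFig.dll"),
    ("2024-03-10T09:12:05", "FileCreate", r"C:\Windows\System32\_TcsTgyqmk.dll"),
    ("2024-03-10T09:12:09", "FileDelete", r"C:\Windows\System32\_TcsTgyqmk.dll"),
    ("2024-03-10T09:15:00", "FileCreate", r"C:\Windows\System32\kernel32.dll"),   # legitimate name
    ("2024-03-10T09:16:00", "FileCreate", r"C:\Windows\System32\_abc.dll"),       # too short
    ("2024-03-10T09:17:00", "FileCreate", r"C:\Windows\System32\_a1bcde.dll"),    # contains a digit
    ("2024-03-10T09:18:00", "FileCreate", r"C:\Users\bob\_syFig.dll"),            # not in System32
    ("2024-03-10T09:20:00", "FileCreate", r"C:\Windows\System32\_Qwerty.dll"),    # never deleted
]


def matches_loader_pattern(path):
    """True if `path` is a .dll directly under System32 named '_' + 5-9 letters."""
    norm = path.replace("/", "\\").lower()
    if not norm.startswith(SYSTEM32):
        return False
    name = norm[len(SYSTEM32):]
    if "\\" in name:  # inside a subdirectory such as System32\drivers: not the rule
        return False
    return LOADER_NAME_RE.match(name) is not None


def find_transient_loads(events, max_gap_seconds=60):
    """Correlate create/delete pairs for names matching the rule.

    Returns (transient, lingering): `transient` holds paths created and then
    deleted within `max_gap_seconds` (the copy-load-delete behaviour described
    in the report); `lingering` holds matching files that were never deleted.
    """
    pending = {}
    transient = []
    for ts, event, path in events:
        if not matches_loader_pattern(path):
            continue
        key = path.lower()
        t = datetime.fromisoformat(ts)
        if event == "FileCreate":
            pending[key] = (t, path)
        elif event == "FileDelete" and key in pending:
            t_created, original = pending.pop(key)
            if t - t_created <= timedelta(seconds=max_gap_seconds):
                transient.append(original)
    lingering = [p for _, p in pending.values()]
    return transient, lingering


if __name__ == "__main__":
    hits, leftovers = find_transient_loads(SAMPLE_EVENTS)
    for p in hits:
        print("transient loader DLL:", p)
    for p in leftovers:
        print("matching DLL still present:", p)
```

The name pattern alone will also match legitimate oddly named files, so the create-then-delete correlation is what raises confidence; in a real deployment the same logic would be fed from the EDR's file events and joined with the process that performed the write.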

LAC discovered references to TreadStone and StoneV5 in the RevivalStone campaign. TreadStone is a Winnti malware controller, also referenced in last year’s i-Soon leak as a Linux malware control panel. StoneV5 may indicate Winnti version 5.0.

“In recent years, the Winnti Group has been reported to target Asian countries in many cases, and it is highly likely that they are still conducting covert attacks.” concludes the report. “For this reason, we recommend that organizations take stock of their information assets, and implement measures such as patch management for vulnerabilities, checking for configuration errors, and shutting down unnecessary services.”


Pierluigi Paganini

(SecurityAffairs – hacking, APT group Winnti)