G0044: Winnti Group
Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting.[1][2][3] Some reporting suggests a number of other groups, including Axiom, APT17, and Ke3chang, are closely linked to Winnti Group.[4]
Analyst context for executives and security teams
Winnti Group matters because MITRE describes a long-running intrusion set, active since at least 2010, with heavy historical targeting of the gaming industry and a broader targeting scope over time. For leaders, the practical issue is not the name alone but whether the organization can recognize and investigate the behaviors associated with the group: Windows remote access tools, stealth through rootkit-related behavior, discovery activity, tool transfer, domain infrastructure, and misuse of code signing.
Executive priority
Prioritize this as a resilience and assurance question for environments where software integrity, Windows endpoint visibility, certificate governance, and outbound network control are business-critical. Executives should ask whether security teams can prove visibility into signed malware risk, unauthorized remote access tooling, suspicious discovery, and external tool transfer. Gaming-sector organizations should treat the group history as especially relevant, while other sectors should not dismiss it because MITRE notes expanded targeting scope. Use this object to guide threat-informed control validation rather than to infer current exposure or active exploitation.
Technical view
ATT&CK provides no official detection text for this group, so SOC and IR teams should pivot from the relationships. Validate coverage for PlugX, Winnti for Windows, and PipeMon-related behaviors where applicable, especially on Windows endpoints. Technique relationships point to rootkit-style hiding, process discovery, file and directory discovery, ingress tool transfer, code signing abuse, and adversary domain acquisition. Detection engineering should test whether endpoint, network, DNS/proxy, and certificate telemetry can connect these behaviors into an investigation narrative rather than relying only on malware family names or static indicators.
Likely telemetry
- Endpoint process execution and process enumeration events
- File and directory access/enumeration telemetry
- Driver, service, kernel, or other host signals relevant to rootkit-style hiding where available
- Endpoint security alerts and forensic artifacts for Windows RAT/backdoor behavior
- Network egress, proxy, firewall, and flow logs for external tool transfer and command-and-control-like connections
Detection direction
- Do not depend only on the Winnti Group name; validate detections against the related software and techniques supplied by ATT&CK.
- Tune for suspicious combinations: discovery activity followed by external downloads or transfers, new remote access tooling, unusual signed binaries, or host artifacts inconsistent with normal administration.
- Review false positives from legitimate administrators, software deployment tools, developer signing workflows, and endpoint management platforms before escalating.
- Confirm whether rootkit-oriented visibility is realistic in the environment; many SOC stacks have blind spots below normal user-mode process and file logging.
- Use DNS/proxy and egress data to support investigations, but avoid treating domain activity alone as attribution to this group without corroborating host evidence.
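The "suspicious combinations" rule above can be written as a small correlation over endpoint telemetry. The block below is an added example for this page, not code from MITRE, Glexia or any vendor. It assumes Sysmon-style events (1 = process create, 3 = network connect, 11 = file create) and runs over constructed sample events for two fictional hosts, build01 and admin02. Process and file discovery are recognised from the command line, ingress tool transfer as an executable written by a process that just made an outbound connection, and execution of that dropped file as the last stage; the chain only alerts when the transfer is joined by at least two further stages inside one window, so discovery on its own never fires.

```python
"""Correlate discovery, tool transfer and new-tool execution per host.

Added example for this page; not code from MITRE, Glexia or any vendor.
Event shape is Sysmon-like (1 = process create, 3 = network connect,
11 = file create). Hosts, paths and addresses are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)
DISCOVERY_PROCS = {"tasklist.exe", "qprocess.exe", "pslist.exe"}
EXEC_EXT = (".exe", ".dll", ".ps1", ".bat")

# Constructed sample telemetry (fictional hosts build01 and admin02).
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "host": "build01", "id": 1,
     "image": r"C:\Windows\System32\tasklist.exe", "cmd": "tasklist /v"},
    {"ts": "2024-03-01T09:00:20", "host": "build01", "id": 1,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd /c dir /s /b C:\Users\*.docx"},
    {"ts": "2024-03-01T09:01:05", "host": "build01", "id": 3,
     "image": r"C:\Windows\Temp\svc.exe", "dst": "203.0.113.7:443"},
    {"ts": "2024-03-01T09:01:10", "host": "build01", "id": 11,
     "image": r"C:\Windows\Temp\svc.exe", "target": r"C:\Windows\Temp\ff.exe"},
    {"ts": "2024-03-01T09:02:00", "host": "build01", "id": 1,
     "image": r"C:\Windows\Temp\ff.exe", "cmd": "ff.exe -s *.doc"},
    # An administrator running discovery alone must not trigger the chain.
    {"ts": "2024-03-01T10:00:00", "host": "admin02", "id": 1,
     "image": r"C:\Windows\System32\tasklist.exe", "cmd": "tasklist"},
]


def _stage(ev, connected, dropped):
    """Map one event to a behavior stage, updating per-window state.

    connected: images that made an outbound connection in this window.
    dropped:   executable paths written by one of those images.
    """
    img = ev["image"].lower()
    base = img.rsplit("\\", 1)[-1]
    cmd = ev.get("cmd", "").lower()
    if ev["id"] == 3:
        connected.add(img)
        return None
    if ev["id"] == 11:
        tgt = ev["target"].lower()
        if tgt.endswith(EXEC_EXT) and img in connected:
            dropped.add(tgt)
            return "ingress_tool_transfer"      # T1105
        return None
    if ev["id"] == 1:
        if img in dropped:
            return "new_tool_execution"         # transferred tool ran
        if base in DISCOVERY_PROCS or "get-process" in cmd:
            return "process_discovery"          # T1057
        if ("dir " in cmd and "/s" in cmd) or (
                "get-childitem" in cmd and "-recurse" in cmd):
            return "file_discovery"             # T1083
    return None


def _windows(evs, window):
    """Split one host's time-sorted events into runs no longer than window."""
    runs, cur, start = [], [], None
    for ev in evs:
        t = datetime.fromisoformat(ev["ts"])
        if start is None or t - start > window:
            if cur:
                runs.append(cur)
            cur, start = [], t
        cur.append(ev)
    if cur:
        runs.append(cur)
    return runs


def correlate(events, window=WINDOW):
    """Return one alert per host/window where a transfer is chained with at
    least two other stages; discovery on its own never alerts."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        for run in _windows(evs, window):
            stages, connected, dropped = {}, set(), set()
            for ev in run:
                stage = _stage(ev, connected, dropped)
                if stage and stage not in stages:
                    stages[stage] = ev["image"].lower()   # first evidence
            if "ingress_tool_transfer" in stages and len(stages) >= 3:
                alerts.append({"host": host, "window_start": run[0]["ts"],
                               "stages": sorted(stages), "evidence": stages})
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a["host"], a["window_start"], a["stages"])
```

On the sample data only build01 alerts, with all four stages and the dropped file path as evidence; admin02, which only runs tasklist, stays silent, which is the false-positive behaviour the list asks for. The file name ff.exe echoes the technique table but is here just constructed sample data; the rule keys on behaviour, not on the name.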
Mitigation priorities
- Establish strong code-signing governance: protect signing keys, monitor certificate use, and investigate unexpected signed binaries.
- Maintain endpoint detection and response coverage on systems where Windows RAT/backdoor activity would be material, especially high-value developer, build, gaming, or production systems.
- Harden egress paths with proxy/DNS logging and policy controls so unauthorized tool transfer and command-and-control infrastructure are more observable.
- Prepare IR playbooks for stealthy malware investigations, including memory/disk collection and checks for hidden services, drivers, files, or network connections.
- Baseline legitimate discovery and software deployment behavior to make abnormal process and file enumeration easier to triage.
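The first mitigation, monitoring certificate use and investigating unexpected signed binaries, can be made concrete as an audit over a signature inventory. The block below is an added example for this page, not code from MITRE, Glexia or any vendor. It assumes an inventory with the fields Get-AuthenticodeSignature or sigcheck would export (path, status, signer subject, thumbprint, signing time); the certificate subjects, thumbprints, paths and dates are constructed. It applies four rules: an unapproved signer, a subject that matches an approved signer under a different thumbprint, an approved certificate on a binary outside its expected install root, and a valid signature made after the key was reported stolen, which is the stolen-certificate case the technique table describes.

```python
"""Audit a signed-binary inventory against code-signing governance rules.

Added example for this page; not code from MITRE, Glexia or any vendor.
The inventory mimics fields exported by Get-AuthenticodeSignature or
sigcheck; subjects, thumbprints, paths and dates are constructed.
"""
from datetime import datetime

GAMES_TP = "A1" * 20      # fictional thumbprint of an organisation's own cert
MS_TP = "0F" * 20         # fictional thumbprint of a trusted OS vendor cert
ROGUE_TP = "FF" * 20      # fictional cert carrying a copied subject name

# Approved certs and the path roots their binaries are expected under.
APPROVED = {
    GAMES_TP: {"subject": "CN=Example Games Ltd",
               "roots": ("c:/program files/example games/",)},
    MS_TP: {"subject": "CN=Microsoft Windows", "roots": ("c:/windows/",)},
}
# Thumbprint -> date the key was reported stolen or the cert revoked.
COMPROMISED = {GAMES_TP: datetime(2024, 2, 15)}

INVENTORY = [  # constructed sample records
    {"path": r"C:\Program Files\Example Games\launcher.exe", "status": "Valid",
     "subject": "CN=Example Games Ltd", "thumbprint": GAMES_TP,
     "signed_at": "2023-11-02T10:00:00"},
    {"path": r"C:\Windows\Temp\ff.exe", "status": "Valid",
     "subject": "CN=Example Games Ltd", "thumbprint": GAMES_TP,
     "signed_at": "2024-02-20T03:14:00"},
    {"path": r"C:\Users\dev\Downloads\update.exe", "status": "Valid",
     "subject": "CN=Example Games Ltd", "thumbprint": ROGUE_TP,
     "signed_at": "2024-03-01T08:00:00"},
    {"path": r"C:\Windows\System32\tasklist.exe", "status": "Valid",
     "subject": "CN=Microsoft Windows", "thumbprint": MS_TP,
     "signed_at": "2023-06-01T00:00:00"},
    {"path": r"C:\Tools\helper.exe", "status": "NotSigned",
     "subject": None, "thumbprint": None, "signed_at": None},
]


def review(entry, approved=APPROVED, compromised=COMPROMISED):
    """Return the governance findings for one inventory record."""
    findings = []
    tp, subject = entry["thumbprint"], entry["subject"]
    if entry["status"] != "Valid" or tp is None:
        return ["unsigned_or_invalid_signature"]
    cert = approved.get(tp)
    if cert is None:
        # Same name as an approved signer but a different key: either a
        # certificate issued to that name by another CA or a copied subject.
        if any(c["subject"] == subject for c in approved.values()):
            findings.append("subject_matches_approved_but_thumbprint_differs")
        else:
            findings.append("signer_not_approved")
        return findings
    path = entry["path"].replace("\\", "/").lower()
    if not path.startswith(cert["roots"]):
        findings.append("approved_cert_outside_expected_location")
    reported = compromised.get(tp)
    if reported and datetime.fromisoformat(entry["signed_at"]) > reported:
        # A valid signature made after the key was reported stolen is the
        # stolen-certificate case; signatures from before the report pass.
        findings.append("signed_after_compromise_report")
    return findings


def audit(inventory):
    """Map path -> findings for every record that has at least one."""
    out = {}
    for entry in inventory:
        findings = review(entry)
        if findings:
            out[entry["path"]] = findings
    return out


if __name__ == "__main__":
    for path, findings in audit(INVENTORY).items():
        print(path, findings)
```

The sample launcher.exe, signed with the organisation's certificate before the theft was reported and sitting under its expected root, produces no finding; ff.exe produces two. Whether pre-theft signatures should stay trusted is a policy choice: a stricter programme revokes the certificate and re-verifies every binary it ever signed against a trusted timestamp rather than relying on the reported date alone.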
Analyst notes and limits
The object is an intrusion-set entry, not a single technique or malware profile. MITRE lists aliases Winnti Group and Blackfly, describes Chinese origins, and notes reporting that other groups may be closely linked; those links should be treated cautiously. The most actionable content comes from the relationships to PlugX, Winnti for Windows, PipeMon, Rootkit, Process Discovery, File and Directory Discovery, Ingress Tool Transfer, Code Signing, and Domains.
ATT&CK provides no official detection guidance, no group-level platforms, and no group-level tactics in the supplied fields. This take does not assert current activity, customer exposure, attribution beyond MITRE’s description, or guaranteed detection. Local telemetry, asset criticality, sector context, and incident evidence are required to turn this into operational priority.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1014 | Rootkit | Winnti Group used a rootkit to modify typical server functionality.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Winnti Group has downloaded an auxiliary program named ff.exe to infected machines.[1] |
| Enterprise | T1083 | File and Directory Discovery | Winnti Group has used a program named ff.exe to search for specific documents on compromised hosts.[1] |
| Enterprise | T1583.001 | Acquire Infrastructure: Domains | Winnti Group has registered domains for C2 that mimicked sites of their intended targets.[1] |
| Enterprise | T1057 | Process Discovery | Winnti Group looked for a specific process running on infected servers.[1] |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Winnti Group used stolen certificates to sign its malware.[1] |
Groups, software, and campaigns
S0501: PipeMon
PipeMon is a multi-stage modular backdoor used by Winnti Group.[1]
S0141: Winnti for Windows
Winnti for Windows is a modular remote access Trojan (RAT) that has likely been used by multiple groups to carry out intrusions in various regions since at least 2010, including by a group tracked under the same name, Winnti Group.[1][2][3][4] The Linux variant is tracked separately as Winnti for Linux.[5]
S0013: PlugX
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | f8d5cb61f083… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Kaspersky Winnti April 2013. Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
- [2] Kaspersky Winnti June 2015. Tarakanov, D. (2015, June 22). Games are over: Winnti is now targeting pharmaceutical companies. Retrieved January 14, 2016.
- [3] Novetta Winnti April 2015. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
- [4] 401 TRG Winnti Umbrella May 2018. Hegel, T. (2018, May 3). Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers. Retrieved July 8, 2018.
- [5] Alias record: Blackfly (Citation: Symantec Suckfly March 2016).
- [6] Symantec Suckfly March 2016. DiMaggio, J. (2016, March 15). Suckfly: Revealing the secret life of your code signing certificates. Retrieved August 3, 2016.
- [7] Alias record: Winnti Group (Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015).
- [8] MITRE ATT&CK external ID: G0044.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.