S0141: Winnti for Windows
Winnti for Windows is a modular remote access Trojan (RAT) that has likely been used by multiple groups to carry out intrusions in various regions since at least 2010, including by a group referred to by the same name, Winnti Group.[1][2][3][4] The Linux variant is tracked separately under Winnti for Linux.[5]
Analyst context for executives and security teams
Winnti for Windows matters because ATT&CK describes it as a modular Windows remote access Trojan used in intrusions across regions since at least 2010. For leaders, the material risk is not a single malware name; it is the combination of remote access, persistence, discovery, stealth, and command-and-control behaviors that can let an intrusion remain useful to an adversary over time if Windows host and network visibility are weak.
Executive priority
Prioritize this as a coverage-validation item for Windows endpoints, especially where business continuity depends on high-value workstations or servers. Security leaders should ask whether the SOC can prove visibility into service-based persistence, registry startup changes, suspicious rundll32 use, file hiding/deletion, encoded or compressed payloads, and web/proxy-based command-and-control. Because ATT&CK provides no official detection text for this malware, assurance should come from tested telemetry and response procedures rather than from name-based malware detection alone.
Technical view
The supplied relationships show Winnti for Windows using techniques across persistence, privilege escalation, execution, discovery, command and control, and stealth. SOC and IR teams should validate detections around Windows service creation or modification, service execution, Registry Run keys and Startup Folder persistence, UAC bypass indicators, rundll32 proxy execution, process/system/file discovery, tool transfer, file deletion, timestomping, encoded or compressed files, deobfuscation behavior, environmental keying, and encrypted or proxied C2 over web and non-application-layer protocols. Relationship context also links use to Winnti Group and Aquatic Panda, so threat intelligence teams may use those relationships for enrichment, while avoiding attribution without local evidence.
Likely telemetry
- Windows endpoint process creation, parent-child process, command-line, and module/DLL execution telemetry
- Windows service creation, modification, service control manager activity, and service execution records
- Registry autorun and Startup Folder change telemetry
- File creation, deletion, rename, compression/archive, encoding/decoding, and timestamp metadata
- EDR or host telemetry for UAC elevation behavior and native API-driven activity where available
Detection direction
- Do not rely only on signatures for the malware family name; validate behavior-based coverage for the related ATT&CK techniques.
- Tune rundll32 detections for suspicious DLL paths, unusual arguments, unexpected parent processes, and execution from user-writable or uncommon locations while accounting for legitimate administrative and software activity.
- Monitor Windows services and Registry autoruns for new, modified, or oddly named entries, especially when paired with new binaries, encoded content, or external network communication.
- Correlate discovery activity, file/directory enumeration, process discovery, and system information collection with later persistence or C2 behaviors to reduce false positives.
- Review egress monitoring for web-protocol C2, encrypted symmetric traffic patterns, proxy chaining, internal proxy use, and non-standard protocol use; blind spots often exist where outbound HTTPS or proxy traffic is treated as inherently trusted.
Mitigation priorities
- Start with Windows visibility: ensure endpoint, service, registry, file, and network telemetry is collected from systems that matter to business operations.
- Reduce persistence and privilege-escalation opportunity through least privilege, controlled local administrator access, UAC hardening, and monitoring of service and autorun changes.
- Apply application control or execution policy where feasible for scripts, DLL execution paths, rundll32 abuse patterns, and unauthorized binaries.
- Strengthen outbound network controls with proxy governance, egress filtering, DNS/proxy logging, and review of allowed non-standard protocols.
- Prepare IR playbooks for modular RAT activity, including host isolation, persistence removal, credential exposure review, C2 scoping, and lateral movement investigation.
Analyst notes and limits
ATT&CK identifies Winnti for Windows as a Windows modular RAT and tracks the Linux variant separately. The object has relationships to Winnti Group and Aquatic Panda and to multiple techniques, but the malware object itself lists no tactics and provides no official detection text. This take therefore emphasizes defensible coverage validation from the supplied relationships rather than asserting specific indicators, campaigns, or current exploitation.
This assessment is limited to the supplied official STIX fields, external references, and relationships. It does not include file hashes, infrastructure, vulnerabilities, campaign timing, victimology beyond supplied group descriptions, or confirmed local exposure. Organizations need their own asset inventory, telemetry quality review, and incident evidence to determine relevance and coverage.
Winnti for Windows
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1106 | Native API | Winnti for Windows can use Native API to create a new process and to start services.[3] |
| Enterprise | T1543.003 | Windows Service Sub-technique | Winnti for Windows sets its DLL file as a new service in the Registry to establish persistence.[2] |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | Winnti for Windows can XOR encrypt C2 traffic.[3] |
| Enterprise | T1083 | File and Directory Discovery | Winnti for Windows can check for the presence of specific files prior to moving to the next phase of execution.[3] |
| Enterprise | T1090.002 | External Proxy Sub-technique | The Winnti for Windows HTTP/S C2 mode can make use of an external proxy.[3] |
| Enterprise | T1095 | Non-Application Layer Protocol | Winnti for Windows can communicate using custom TCP.[3] |
| Enterprise | T1057 | Process Discovery | Winnti for Windows can check if the explorer.exe process is responsible for calling its install function.[3] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Winnti for Windows can add a service named |
| Enterprise | T1090.001 | Internal Proxy Sub-technique | The Winnti for Windows HTTP/S C2 mode can make use of a local proxy.[3] |
| Enterprise | T1218.011 | Rundll32 Sub-technique | The Winnti for Windows installer loads a DLL using rundll32.[2][3] |
| Enterprise | T1548.002 | Bypass User Account Control Sub-technique | Winnti for Windows can use a variant of the sysprep UAC bypass.[3] |
| Enterprise | T1082 | System Information Discovery | Winnti for Windows can determine if the OS on a compromised host is newer than Windows XP.[3] |
| Enterprise | T1027.015 | Compression Sub-technique | Winnti for Windows has the ability to encrypt and compress its payload.[3] |
| Enterprise | T1569.002 | Service Execution Sub-technique | Winnti for Windows can run as a service using svchost.exe.[3] |
| Enterprise | T1105 | Ingress Tool Transfer | The Winnti for Windows dropper can place malicious payloads on targeted systems.[3] |
| Enterprise | T1070.004 | File Deletion Sub-technique | Winnti for Windows can delete the DLLs for its various components from a compromised host.[3] |
| Enterprise | T1070.006 | Timestomp Sub-technique | Winnti for Windows can set the timestamps for its worker and service components to match those of cmd.exe.[3] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Winnti for Windows has the ability to encrypt and compress its payload.[3] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | The Winnti for Windows dropper can decrypt and decompress a data blob.[3] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Winnti for Windows has the ability to use encapsulated HTTP/S in C2 communications.[3] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | A Winnti for Windows implant file was named ASPNET_FILTER.DLL, mimicking the legitimate ASP.NET ISAPI filter DLL with the same name.[2] |
| Enterprise | T1480.001 | Environmental Keying Sub-technique | The Winnti for Windows dropper component can verify the existence of a single command line parameter and either terminate if it is not found or later use it as a decryption key.[3] |
Groups, software, and campaigns
G0143: Aquatic Panda
Aquatic Panda is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, Aquatic Panda has primarily targeted entities in the telecommunications, technology, and government sectors.[1]
G0044: Winnti Group
Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting.[1][2][3] Some reporting suggests a number of other groups, including Axiom, APT17, and Ke3chang, are closely linked to Winnti Group.[4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 3.1 | | Current bundle | 04f2bab1c8be… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Kaspersky Winnti April 2013. Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
- [2] Microsoft Winnti Jan 2017. Cap, P., et al. (2017, January 25). Detecting threat actors in recent German industrial attacks with Windows Defender ATP. Retrieved February 8, 2017.
- [3] Novetta Winnti April 2015. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
- [4] 401 TRG Winnti Umbrella May 2018. Hegel, T. (2018, May 3). Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers. Retrieved July 8, 2018.
- [5] Chronicle Winnti for Linux May 2019. Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020.
- [6] mitre-attack S0141.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.