The Winnti Group: an analysis of their latest activities

Botconf 2020
2023-04-23 | 13:50 – 14:20

Mathieu Tartare 🗣

The Winnti Group, active since at least 2012, is responsible for high-profile supply-chain attacks against the video game and software industries, as well as the healthcare and education sectors. Some of their most notorious attacks were against CCleaner (2018) and Asus LiveUpdate (2019), two events that led to the distribution of trojanized software that infected millions of computers. In 2018, several individuals suspected of being part of the Winnti Group were indicted by the US Department of Justice for conspiring to hack and steal intellectual property and confidential data from US and European companies.

Despite the increased scrutiny of the group's activities, Winnti is still highly active. During the last year, we discovered two campaigns by the Winnti Group against several Hong Kong universities, which occurred during the same period that widespread civic protests were sweeping Hong Kong. We also discovered various new campaigns targeting the video game industry (developers and distributors) in South Korea, Taiwan and Russia.

During this presentation, we will show that not only is the Winnti Group still actively using and maintaining its flagship backdoor ShadowPad along with the Winnti malware family, but also that it has extended its arsenal with new tools such as PipeMon (a modular backdoor) and other new, previously undocumented implants.

Video upon request to the author.

External link: Thread