Winnti Arsenal: Brand-new Supplies
2023-04-24 | 16:10 – 16:50
This presentation is the result of long-term research uncovering new, unpublished details on the arsenal of the Winnti umbrella. The Winnti umbrella consists of multiple threat actors that have in common the use of a custom backdoor for their operations, the Winnti malware. It has been active since at least 2009 and mostly targets the video-game industry, although it is also known to have compromised other high-profile targets such as the pharmaceutical industry. These actors are also known for stealing certificates, which they use to sign their malware.