Amid student protests, Winnti Group targets Hong Kong universities, ESET discovers

Next story

BRATISLAVA, MONTREAL – January 31, 2020 ESET researchers have recently discovered a new campaign by the Winnti group. This time, Hong Kong universities were the desired target. ESET’s machine-learning engine detected a unique, malicious sample on multiple computers belonging to two Hong Kong universities. In addition to the two confirmed compromised universities, ESET has indications that at least three additional universities may have been affected. The attackers were interested in stealing information from the victims’ machines. This campaign of the Winnti Group was taking place as widespread civic protests swept Hong Kong, including the territory’s universities.

The latest research into Winnti Group, previously responsible for high-profile supply-chain attacks against the video game and software development industry as well as attacks against healthcare and education sectors, confirms that the group is still using its flagship ShadowPad backdoors. However, in the campaign against Hong Kong universities, ShadowPad’s launcher was replaced with a new and simpler version detected by ESET products as Win32/Shadowpad.C.

“Both ShadowPad and Winnti, found at these universities in November 2019, contain campaign identifiers and command & control URLs matching the name of the universities, which indicates a targeted attack,” says Mathieu Tartare, leading ESET researcher into the Winnti Group.

“ShadowPad is a multi-modular backdoor and, by default, every keystroke is recorded using the Keylogger module. The use of this module by default indicates that the attackers are interested in stealing information from the victims’ machines. In contrast, the variants we described in our earlier whitepaper didn’t even have that module embedded,” elaborates Tartare on the discovery.

For more technical details about the latest discovery into the Winnti Group, read the blog post Winnti Group targeting universities in Hong Kong on ESET researchers recently published a whitepaper updating our understanding of the arsenal of the Winnti Group as well. Make sure to follow ESET research on Twitter for the latest news from ESET Research.

About ESET
For more than 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET is the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information, visit or follow us on LinkedInFacebook and Twitter.