ESET dissects arsenal of supply-chain attacks by the Winnti Group

BRATISLAVA, MONTREAL, October 14, 2019 - ESET, a global leader in IT security, today released findings on the updated arsenal of the Winnti Group. The group is known for its espionage capability and targeted attacks, although financial motivation cannot be excluded.

Already in March 2019, ESET researchers warned about Winnti’s new supply-chain attacks targeting video game players in Asia. Following this publication, ESET research continued its investigation in two directions: first, to explore the next stages delivered by this attack; second, to discover how organizations’ digital supply chains have been compromised to deliver malware in their applications.

“It is not an easy task. Searching for a small piece of well-hidden code added to a sometimes huge, existing code base is like finding a needle in a haystack. However, we relied on behaviors and code similarity to help us spot the needle,” said Marc-Étienne Léveillé, an ESET researcher who investigated the Winnti Group. “Since we were intrigued by the unique packer used in the recent supply-chain attacks against the gaming industry in Asia, we went on the hunt to find out if it was used elsewhere. And it was,” he added.

The Winnti Group uses this packer in a backdoor dubbed PortReuse. In collaboration with Censys, ESET performed an Internet-wide scan to try to identify one variant of the backdoor and potential victims. ESET researchers were able to warn one major mobile software and hardware manufacturer in Asia that they had been compromised with PortReuse. ESET also analyzed new variants of Shadowpad, another backdoor used by the Winnti Group, still being maintained and actively used by its operators.

For more technical details, read the blog post, “Connecting the dots: exposing the arsenal and methods of the Winnti Group” on WeLiveSecurity. The paper details the group’s latest additions, showing the relationships among the incidents, the malware and the techniques in use. Make sure to follow ESET research on Twitter for the latest news from ESET Research.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single ‘in-the-wild’ malware without interruption since 2003. For more information, visit or follow us on LinkedIn, Facebook and Twitter.