Description
[Winnti Group](https://attack.mitre.org/groups/G0044) is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting.(Citation: Kaspersky Winnti April 2013)(Citation: Kaspersky Winnti June 2015)(Citation: Novetta Winnti April 2015) Some reporting suggests a number of other groups, including [Axiom](https://attack.mitre.org/groups/G0001), [APT17](https://attack.mitre.org/groups/G0025), and [Ke3chang](https://attack.mitre.org/groups/G0004), are closely linked to [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: 401 TRG Winnti Umbrella May 2018)
Techniques Used (TTPs)
- T1014 — Rootkit (defense-evasion)
- T1105 — Ingress Tool Transfer (command-and-control)
- T1083 — File and Directory Discovery (discovery)
- T1583.001 — Domains (resource-development)
- T1057 — Process Discovery (discovery)
- T1553.002 — Code Signing (defense-evasion)
Total TTPs: 6
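Of the techniques listed, T1583.001 (Domains) is the one a defender can hunt for before any implant reaches a host, because adversary-registered infrastructure often imitates the names of the organisation it is aimed at. The following is an added example, not code from the ATT&CK page or from any Winnti reporting: it takes the organisation's own domains and a batch of newly observed domains (both constructed sample data here, standing in for passive-DNS or proxy-log output) and flags look-alikes by homoglyph folding, edit distance, keyword embedding, and legitimate names appearing as subdomains of a foreign registered domain. The homoglyph table, the distance threshold of 1, and the naive "last two labels" registered-domain split are assumptions; a production version would use a public-suffix list.

```python
"""Look-alike domain hunt for ATT&CK T1583.001 (Acquire Infrastructure: Domains).

Added example, not from the original page. All domains below are constructed
sample data; thresholds and the homoglyph table are assumptions.
"""
from __future__ import annotations

# Constructed sample input: domains the organisation actually owns.
LEGIT_DOMAINS = ["examplegames.com", "example-games.net"]

# Constructed sample input: newly seen domains from DNS / proxy logs.
OBSERVED = [
    "examplegames.com",                # exact match, benign
    "exarnplegames.com",               # "rn" standing in for "m"
    "examp1egames.com",                # digit "1" standing in for "l"
    "examplegames-update.com",         # legit name embedded as a keyword
    "examplegame.com",                 # one character deleted
    "wikipedia.org",                   # unrelated
    "example-games.net.evil-cdn.com",  # legit name as a subdomain of a foreign domain
]

# Assumed confusable pairs; extend from your own telemetry.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "1": "l", "0": "o", "5": "s"}


def registered_domain(fqdn: str) -> str:
    """Naive registrable domain: last two labels (no public-suffix list, an assumption)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(label: str) -> str:
    """Fold common confusable sequences so homoglyph variants compare equal."""
    out = label.lower()
    for glyph, canon in HOMOGLYPHS.items():
        out = out.replace(glyph, canon)
    return out


def levenshtein(a: str, b: str) -> int:
    """Edit distance with a single rolling row."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(observed: str, legit: list[str]) -> tuple[str, str | None]:
    """Return (verdict, matched legitimate domain or None) for one observed name."""
    obs = observed.lower().rstrip(".")
    obs_reg = registered_domain(obs)
    obs_label = obs_reg.split(".")[0]
    for ld in legit:
        ld = ld.lower()
        ld_reg = registered_domain(ld)
        ld_label = ld_reg.split(".")[0]
        if obs_reg == ld_reg:
            return ("legit", ld)  # the name or one of its real subdomains
        if ld in obs:
            return ("lookalike:subdomain", ld)  # our name under someone else's domain
        if normalize(obs_label) == normalize(ld_label):
            return ("lookalike:homoglyph", ld)
        if levenshtein(normalize(obs_label), normalize(ld_label)) <= 1:
            return ("lookalike:edit-distance", ld)
        if ld_label in obs_label:
            return ("lookalike:keyword", ld)
    return ("unrelated", None)


def hunt(observed: list[str], legit: list[str]) -> list[tuple[str, str, str]]:
    """Return only the flagged names as (observed, verdict, matched legit domain)."""
    hits = []
    for name in observed:
        verdict, matched = classify(name, legit)
        if verdict.startswith("lookalike") and matched is not None:
            hits.append((name, verdict, matched))
    return hits


if __name__ == "__main__":
    for name, verdict, matched in hunt(OBSERVED, LEGIT_DOMAINS):
        print(f"{name:35} {verdict:25} mimics {matched}")
```

The digit folds ("1" to "l", "0" to "o") will also fire on legitimate brands that contain digits, so tune the table per organisation and treat the output as a hunting lead to pivot on with WHOIS and certificate-transparency data, not as a verdict on its own.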
Malware & Tools
Malware: PipeMon, PlugX, Winnti for Windows