Winnti
· Published 20/12/2025 22:07 · Modified 20/12/2025 22:07
· Source: AlienVault
Essential information
- Confidence: 100/100
- Published: 20/12/2025 22:07
- Modified: 20/12/2025 22:07
- Updated at: 20/12/2025 22:07
- Revoked: No
- Author / Source: AlienVault
- Resource level: —
- Primary motivation: —
- Related entities: 3 reports, 61 attack patterns (MITRE), 15 malware, 3 sectors, 7 countries, 69 indicators, 1 vulnerability (CVE)
Description
No description.
Marking (TLP)
TLP:CLEAR
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (3)
- 19 MITRE techniques, 4 malware, 1 APT · Published 19/08/2025 16:07 · Modified 19/08/2025 21:20
- 15 MITRE techniques, 1 malware, 5 observables, 1 APT · Published 11/12/2024 19:24 · Modified 11/12/2024 19:36
- 10 MITRE techniques, 3 malware, 4 observables, 1 APT · Published 29/05/2024 10:38 · Modified 29/05/2024 11:30
Attack patterns (MITRE) (61)
- T1569.002 Service Execution (uses)
- T1055 Process Injection (uses)
- T1573.001 Symmetric Cryptography (uses)
- T1204.002 Malicious File (uses)
- T1027 Obfuscated Files or Information (uses)
- T1082 System Information Discovery (uses)
- T1071 Application Layer Protocol (uses)
- T1027.004 Compile After Delivery (uses)
- T1132.002 Non-Standard Encoding (uses)
- T1599.001 (uses)
- T1036 Masquerading (uses)
- T1074 Data Staged (uses)
- T1056 Input Capture (uses)
- T1608.001 Upload Malware (uses)
- T1059.004 Unix Shell (uses)
- T1083 File and Directory Discovery (uses)
- T1003.001 LSASS Memory (uses)
- T1059.001 PowerShell (uses)
- T1021.001 Remote Desktop Protocol (uses)
- T1505.003 Web Shell (uses)
- T1592.002 Software (uses)
- T1140 Deobfuscate/Decode Files or Information (uses)
- T1095 Non-Application Layer Protocol (uses)
- T1497.003 Time Based Checks (uses)
- T1037 Boot or Logon Initialization Scripts (uses)
- T1132 Data Encoding (uses)
- T1176 Software Extensions (uses)
- T1014 Rootkit (uses)
- T1204 User Execution (uses)
- T1070.004 File Deletion (uses)
- T1219 Remote Access Tools (uses)
- T1587.001 Malware (uses)
- T1588.002 Tool (uses)
- T1547.001 Registry Run Keys / Startup Folder (uses)
- T1583.001 Domains (uses)
- T1071.001 Web Protocols (uses)
- T1005 Data from Local System (uses)
- T1572 Protocol Tunneling (uses)
- T1573 Encrypted Channel (uses)
- T1059 Command and Scripting Interpreter (uses)
- T1564.001 Hidden Files and Directories (uses)
- T1564.003 Hidden Window (uses)
- T1562.001 Disable or Modify Tools (uses)
- T1588.001 Malware (uses)
- T1571 Non-Standard Port (uses)
- T1205 Traffic Signaling (uses)
- T1059.007 JavaScript (uses)
- T1027.002 Software Packing (uses)
- T1574 Hijack Execution Flow (uses)
- T1078 Valid Accounts (uses)
- T1037.004 RC Scripts (uses)
- T1608.002 Upload Tool (uses)
- T1057 Process Discovery (uses)
- T1562.003 Impair Command History Logging (uses)
- T1553.004 Install Root Certificate (uses)
- T1113 Screen Capture (uses)
- T1543.001 Launch Agent (uses)
- T1105 Ingress Tool Transfer (uses)
- T1115 Clipboard Data (uses)
- T1090 Proxy (uses)
- T1102 Web Service (uses)
Malware (15)
- KEYPLUG
- AlienReverse
- Family · Published 29/05/2024 10:38 · Modified 29/05/2024 10:38
- AsyncRAT (uses) · Family · Published 11/06/2026 16:31 · Modified 11/06/2026 16:31
- Mélofée
- Glutton (uses) · Family · Published 11/12/2024 19:24 · Modified 11/12/2024 19:24
- Family · Published 19/08/2025 16:07 · Modified 19/08/2025 16:07
- GodRAT (uses) · Family · Published 19/08/2025 16:07 · Modified 19/08/2025 16:07
- Family · Published 19/08/2025 16:07 · Modified 19/08/2025 16:07
- Rekoobe (uses) · Family · Published 27/02/2026 05:11 · Modified 27/02/2026 05:11
- HelloBot
- amdc6766 (uses) · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138 · Published 20/12/2025 19:44 · Modified 21/12/2025 04:28
- Gafgyt (uses) · Family · Published 03/06/2026 22:14 · Modified 03/06/2026 22:14
- Winnti
- REPTILE (uses) · Family · Published 11/04/2025 15:42 · Modified 11/04/2025 15:42
Sectors (3)
- Information Technologies Consulting (targets)
- Government (targets)
- Finance (targets)
Countries (7)
- Sri Lanka (targets)
- Korea, Republic of (targets)
- Jordan (targets)
- United Arab Emirates (targets)
- Lebanon (targets)
- Hong Kong (targets)
- Malaysia (targets)
Indicators (69)
- 2801a3cc5aed8ecb391a9638a3c6f8db58ca3002e66f11bf88f8c7c2e5a6b009 (indicates)
- a5a4284f87fd475b9474626040d289ffabba1066fae6c37bd7de9dabaf65e87a (indicates)
- dgbyem.com (indicates)
- 3535f45bbfafda863665c41d97d894c39277dfd9af1079581d28015f76669b88 (indicates)
- 99ffc0099277bef59a37a4cfcf4cdd71df13ad33d1c7bf943dc87f803e75dd2c (indicates)
- 57dcf387af8ce14d2671fa3ed7984995b3801503 (indicates)
- f3e35850ce20dfc731a6544b2194de3f35101ca51de4764b8629a692972bef68 (indicates)
- f49f1b2cc52623624fdd3d636056b8a80705f6456a3d5a676e3fb78749bdd281 (indicates)
- ad5bc6c4e653f88c451f6f6375516cc36a8fa03dd5a4d1412a418c91d4f9bec8 (indicates)
- a37661830859ca440d777af0bfa829b01d276bb1f81fe14b1485fa3c09f5f286 (indicates)
- update.ankining.com (indicates)
- 3c1842d29a3445bd3b85be486e49dba36b8b5ad55841c0ce00630cb83386881d (indicates)
- wuwu6.cfd (indicates)
- v20.thinkphp1.com (indicates)
- 407ab8618fed74fdb5fd374f3ed4a2fd9e8ea85631be2787e2ad17200f0462b8 (indicates)
- 5861584bb7fa46373c1b1f83b1e066a3d82e9c10ce87539ee1633ef0f567e743 (indicates)
- d182239d408da23306ea6b0f5f129ef401565a4d7ab4fe33506f8ac0a08d37ba (indicates)
- a9d967243678d31ba5027d1802fbc1606c10b7743d6d6851eddc32b9281eb2f6 (indicates)
- 378acfdbcec039cfe7287faac184adf6ad525b201cf781db9082b784c9c75c99 (indicates)
- be7f7955a296874f238da6ec5b63ffec995429ee1833e7fbcc294e36eeacbca4 (indicates)
- d1100b60d45fac34867b8b0330798a7bcbc05ec10394bd95f5876e0eab154c8f (indicates)
- 22fd67457274635db7dd679782e002009363010db66523973b4748d5778b1a2a (indicates)
- cloudf1are.com (indicates)
- 84141bec33a157a8fd1c6a55fcec337785a44607 (indicates)
- 206e93703e8d518ebe750593ff0c41b3c7ec3fd2fda2e107341ebc2889ee061c (indicates)
- 2c1a6fe08c8cbdc904809be4c12b520888da7f33123d1656a268780a9be45e20 (indicates)
- 7684e1dfaeb2e7c8fd1c9bd65041b705bc92a87d9e11e327309f6c21b5e7ad97 (indicates)
- git1ab.com (indicates)
- 7149cdb130e1a52862168856eae01791cc3d9632287f990d90da0cce1dc7c6b9 (indicates)
- 133d3e070e30c94a591450b0930daf9f751debc0f4384fac6ace63f60a383818 (indicates)
- 1f9e4bfb25622eab6c33da7da9be6c51cf8bf1a284ee1c1703a3cee445bc8cd9 (indicates)
- aa3a6610c795e5741b27e614161f930b1bdab0852f3600d813f4acb3eaa40cf4 (indicates)
- dev.yuanta.dev (indicates)
- 904189ef4cec6ad4603918e63e0b2e477cb11503315ad3822437ee75920793f4 (indicates)
- 1425a4a89b938d5641ed438333708d1728cfed8c124451180d011f6bbb409976 (indicates)
- 187b6a4c6bc379c183657d8eafc225da53ab8f78ac192704b713cc202cf89a17 (indicates)
- 17bbebd7d8982d580cc3dea35d988ae2bfd62d708b69662419c41682274e0a14 (indicates)
- ad979716afbce85776251d51716aeb00665118fb350038d150c129256dd6fc5f (indicates)
- ssm.awszonwork.com (indicates)
- 67baf182cad7c65df8fe3920d6b58293c5e0c9cb574d43abd045077a1d33fc67 (indicates)
- 8dc38dcd26c62e93c81e7f4408b83ec4d2adfe9a06cfebef0de945b338ec3c8b (indicates)
- 69ff2f88c1f9007b80d591e9655cc61eaa4709ccd8b3aa6ec15e3aa46b9098bd (indicates)
- 758b0934b7adddb794951d15a6ddcace1fa523e814aa40b55e2d071cf2df81f0 (indicates)
- 3ca39774a4405537674673227940e306cf5e8cd8dfa1f5fc626869738a489c3d (indicates)
- stock.awszonwork.com (indicates)
- www.data-yuzefuji.com (indicates)
- us.securitycloud-symantec.icu (indicates)
- cbe9107185c8e42140dbd1294d8c20849134dd122cc64348f1bfcc90401379ec (indicates)
- 8d855c28744dd6a9c0668ad9659baf06e5e448353f54d2f99beddd21b41390b7 (indicates)
- dash.lcmbk.com (indicates)
- 617f9add4c27f3bb91a32fee007cce01f5a51deaf42e75e6cec3e71afe2ba967 (indicates)
- v6.thinkphp1.com (indicates)
- 1fd0018a96a1171470f84d4d745cf11c246b785d3b60fb957c0677399d597291 (indicates)
- 7ce7b914bd434f8a45db1cb3ec783237a5485b7abcee4df06275ea274e095295 (indicates)
- 330a61fa666001be55db9e6f286e29cce4af7f79c6ae267975c19605a2146a21 (indicates)
- 15e4e936b2f47eb3fa2455b7c22b2714bebe9f8c01b24bbf7cb5f9559999d292 (indicates)
- 777c1fda4008f122ff3aef9e80b5b5720c9f2dbc3d7e708277e2ccad1afd8cc5 (indicates)
- kiteshield (indicates)
- a62b67596640a3ebadd288e733f933ff581cc1822d6871351d82bd7472655bb5 (indicates)
- acdb731dfa31242e24162895ccb9365bdb62debc (indicates)
- 6e858c2c9ae20e3149cb0012ab9a24995aa331d2a818b127b2f517bc3aa745a0 (indicates)
- vt.livehost.live (indicates)
- test.yuanta.dev (indicates)
- 2e62d6c47c00458da9338c990b095594eceb3994bf96812c329f8326041208e8 (indicates)
- c36ab5108491f4969512f4d35e0d42b3d371033c8ccf03e700c60fb98d5a95f8 (indicates)
- 2db4adf44b446cdd1989cbc139e67c068716fb76a460654791eef7a959627009 (indicates)
- 899ef7681982941b233e1ea3c1a6d5a4e90153bbb2809f70ee5f6fcece06cabc (indicates)
- 4305c04df40d3ac7966289cc0a81cedbdd4eee2f92324b26fe26f57f57265bca (indicates)
- 31eebd590a227389318364061f9b0f0fcaa6fcc1a566dde61fd044bac56aa355 (indicates)
Vulnerabilities (CVE) (1)
- CVE-2025-29824 · KEV · 7.8 (High)
- Description: Microsoft Windows Common Log File System (CLFS) Driver contains a use-after-free vulnerability that allows an authorized attacker to elevate privileges locally.
- Attack vector: Local
- Published: 08/04/2025
- Modified: 21/12/2025