China-Linked Winnti APT Group Silently Stole Trade Secrets for Years: Report

“CuckooBees” campaign operated by Chinese cyber espionage group went undetected since 2019

A stealthy cyber espionage campaign, which researchers say is almost certainly operated by the China-linked Winnti APT, has been ongoing and undetected since at least 2019. Its characteristics almost precisely match the FBI publication, also issued in 2019, titled China: the Risk to Corporate America (PDF).

The FBI warned that China would use cyber espionage to steal American intellectual property to help facilitate the Chinese government’s Made in China 2025 Plan. The Winnti campaign, named CuckooBees, seems purpose-designed to do just that – and the CuckooBees campaign started at the same time as the FBI issued its warning.

CuckooBees was discovered by Cybereason – after years of undetected operation – when its researchers were engaged to investigate multiple intrusions targeting technology and manufacturing companies in North America, Europe, and Asia. In an analysis of the campaign, Cybereason suggests that over the years, CuckooBees has successfully exfiltrated hundreds of gigabytes of information. It further believes with medium to high confidence that CuckooBees is the work of the Chinese Winnti group (aka APT41, BARIUM, and Blackfly).

Winnti is a Chinese state-affiliated group that has existed since at least 2010 and is known for its sophistication, stealth and focus on stealing technology secrets. Mandiant described (PDF) Winnti in March 2022 as ‘a creative and well-resourced adversary’.

Cybereason’s research into the CuckooBees campaign uncovered an undocumented new malware called Deploylog, and new versions of known Winnti malware. Payload concealment and detection evasion were based on rarely seen abuse of the Windows CLFS (Common Log File System) feature.

The infection chain and payload deployment (which Cybereason calls the Winnti Kill Chain) was implemented with a ‘house of cards’ approach, with each component depending on the others to function properly. This makes it difficult to analyze each component separately.

[Image: Winnti Kill Chain in Operation CuckooBees (Image Credit: Cybereason)]

Intrusion commenced through multiple vulnerabilities in the ERP platform. From there, the attackers installed persistence with a form of WebShell, and began reconnaissance and credential dumping. This allowed lateral movement ultimately resulting in sensitive data exfiltration from both critical servers and the endpoints of high-profile employees.

CuckooBees involved multiple persistence techniques. The first was to drop a VBScript version of the WebShell, execute it using wscript, and copy the result to an externally accessible folder. This is a technique that has been known since 2006 and has a strong Chinese connection. The WebShell used in this instance was almost identical to a publicly known WebShell called up_win32.jsp.

The second persistence method provided an additional backup entry point. It involved modifying the WinRM remote management protocol to enable HTTP and HTTPS listeners for remote shell access.

The third method leveraged a signed kernel rootkit, while the fourth technique abused the legitimate IKEEXT and PrintNotify Windows Services to side-load Winnti DLLs and preserve persistence.

The initial reconnaissance used built-in Windows commands to gather information on the compromised server. Once footholds on multiple machines had been established, Winnti began using Scheduled Tasks to execute batch scripts that varied from machine to machine, with the commands chosen according to the attackers’ goals.

Two methods were used for credential dumping: the reg save command and an unknown tool named MFSDLL.Exe. The known reg save was used to dump the SYSTEM, SAM and SECURITY registry hives, enabling the attackers to crack password hashes locally.

Cybereason has not been able to recover a sample of MFSDLL but has learned how it was used and what it loaded. It loaded a DLL called mktzx64.dll, which has been detected separately by ESET and mentioned in its joint report with Avast on the Mikroceen RAT, and it may be connected with the use of Mimikatz.

Using compromised domain administrator credentials, Winnti then used scheduled tasks to execute commands on dozens of compromised machines. During this phase, the attackers were able to move laterally and infect a large number of hosts using the stolen credentials.

For data collection, the attackers used a renamed Chinese-language version of WinRAR to create password protected archives containing the stolen data. This was renamed to rundll32.exe to disguise it and silently blend in with other Windows system files.
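As an added illustration, not part of this article or of Cybereason’s report, the following Python script runs three detection rules drawn from the techniques described above over constructed Sysmon-style process-creation events: registry hive dumping via reg save, WinRM listener reconfiguration from the command line, and a file named rundll32.exe whose PE OriginalFileName or location does not match the genuine Windows binary. Host names, paths, the event field names and the command lines are constructed samples, not indicators from the campaign.

```python
import re
from collections import namedtuple
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events (field names are assumptions).
Event = namedtuple("Event", "host image original_filename command_line")

SAMPLE_EVENTS = [
    Event("srv-erp01", r"C:\Windows\System32\reg.exe", "reg.exe",
          r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv"),
    Event("srv-erp01", r"C:\Windows\System32\reg.exe", "reg.exe",
          r"reg save hklm\system C:\Windows\Temp\sys.hiv"),
    Event("srv-erp01", r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
          r"cmd /c winrm quickconfig -transport:https -quiet"),
    Event("ws-exec07", r"C:\Windows\Temp\rundll32.exe", "WinRAR.exe",
          r"rundll32.exe a -hp<pw> C:\Windows\Temp\1.rar D:\Designs"),
    # Genuine rundll32 from System32: must not fire any rule.
    Event("ws-dev02", r"C:\Windows\System32\rundll32.exe", "RUNDLL32.EXE",
          r"rundll32.exe shell32.dll,Control_RunDLL"),
]

# Rule 1: dumping the SAM, SYSTEM or SECURITY hive with the built-in reg save.
HIVE_DUMP = re.compile(
    r"\breg(?:\.exe)?\s+save\s+(?:HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SYSTEM|SECURITY)\b", re.I)
# Rule 2: WinRM listener/service changes made from a shell.
WINRM_CONFIG = re.compile(r"\bwinrm(?:\.cmd)?\s+(quickconfig|create|set)\b", re.I)
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def check_event(ev):
    """Return (rule, host, detail) tuples for every rule the event triggers."""
    hits = []
    if HIVE_DUMP.search(ev.command_line):
        hits.append(("hive_dump_reg_save", ev.host, ev.command_line))
    if WINRM_CONFIG.search(ev.command_line):
        hits.append(("winrm_listener_change", ev.host, ev.command_line))
    # Rule 3: masquerading. A file named rundll32.exe is suspicious when its PE
    # version info (OriginalFileName) or its directory differs from the real binary.
    path = PureWindowsPath(ev.image)
    if path.name.lower() == "rundll32.exe":
        orig_ok = ev.original_filename.lower() == "rundll32.exe"
        dir_ok = str(path.parent).lower() in SYSTEM_DIRS
        if not (orig_ok and dir_ok):
            hits.append(("masquerade_rundll32", ev.host, ev.image))
    return hits

def scan(events):
    """Flatten the hits of all events, in event order."""
    return [hit for ev in events for hit in check_event(ev)]

if __name__ == "__main__":
    for rule, host, detail in scan(SAMPLE_EVENTS):
        print(f"{rule:24} {host:10} {detail}")
```

The rules are deliberately narrow so they stay readable; in production they would be paired with the OriginalFileName check for other commonly renamed binaries and with alerting on the scheduled-task creation that delivered the batch scripts.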

Cybereason believes that this campaign has ended, but it cannot be certain. Assaf Dahan, senior director and head of threat research at Cybereason, did point out that there are several indications that evolutions of the campaign might have been active recently. He also told SecurityWeek, “It is likely there are many more victims worldwide given the level of sophistication in the attack and the fact the campaign launched in 2019 and wasn’t discovered until last year.”


Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
