Security Experts:

Connect with us

Hi, what are you looking for?



Chinese Hackers Target South Korean Gaming Company

South Korean video gaming company Gravity is the latest victim of the China-linked threat actor tracked as the Winnti Group, security researchers say.

South Korean video gaming company Gravity is the latest victim of the China-linked threat actor tracked as the Winnti Group, security researchers say.

Active since at least 2009 and operating under the same umbrella as Axiom, Barium, Group 72, Blackfly, and APT41, the threat group is known for the targeting of organizations in the aviation, gaming, pharmaceuticals, technology, telecoms, and software development industries.

Over the past half year, the adversary was observed employing various new backdoors in attacks, including PortReuse and the Microsoft SQL-targeting skip-2.0, along with a new variant of the ShadowPad backdoor.

In a report released earlier this month, BlackBerry security researchers revealed that the Winnti Group, along with other China-linked cyber-espionage groups — this includes PASSCV, BRONZE UNION (EMISSARY PANDA), CASPER (LEAD), and WLNXSPLINTER — have been systematically targeting Linux servers for years.

This week, QuoIntelligence (QuoINT) published a report claiming that the Winnti hackers have targeted South Korean video gaming company Gravity, which is best known for the massive multiplayer online role-playing game (MMORPG) Ragnarok Online.

A sample resembling a Winnti dropper previously described by ESET was submitted to a public online malware scanning service, and analysis of the binary revealed the potential targeting, QuoINT’s security researchers say.

“[W]e were able to extract the malware’s configuration file and identify the intended target. […] Based on previous knowledge and targeting of the Winnti Group, we assess that this sample was likely used to target Gravity Co., Ltd., a South Korean video game company,” QuoINT says.

Previous reporting on the Winnti hackers also revealed a command and control (C&C) server associated with the campaign identifier GRA KR 0629, which might be related to the recently identified attack, although no further evidence to support the link has been discovered.

QuoINT also discovered that the Winnti Group targeted a chemicals company in Germany earlier this year, with a malware sample apparently built in 2015. The same as the sample purportedly aimed at Gravity, this malware variant had the target’s name embedded in the code.

The attack on the German company involved the use of a binary to bypass driver verification and install the attackers’ drivers, a vulnerable VirtualBox driver, and rootkit drivers. The attackers relied on DNS tunneling for C&C communication.

“The Winnti Group has exhibited their ability to breach different organizations and conduct sophisticated attack operations, typically motivated by espionage and financial gain, with various TTPs and malware toolkits. While attribution is not concrete due to the complexity of the group, there are links that can be drawn between operations which suggest the threat actors purporting the attacks are likely operating within the Winnti Group, or at least sharing resources,” QuoINT concludes.

Related: China-Linked Hackers Systematically Targeted Linux Servers for Years

Related: Chinese Hackers Target Hong Kong Universities With New Backdoor Variant

Related: Researchers Find New Backdoor Used by Winnti Hackers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack