Security Experts:

Connect with us

Hi, what are you looking for?



Chinese Hackers Target South Korean Gaming Company

South Korean video gaming company Gravity is the latest victim of the China-linked threat actor tracked as the Winnti Group, security researchers say.

South Korean video gaming company Gravity is the latest victim of the China-linked threat actor tracked as the Winnti Group, security researchers say.

Active since at least 2009 and operating under the same umbrella as Axiom, Barium, Group 72, Blackfly, and APT41, the threat group is known for the targeting of organizations in the aviation, gaming, pharmaceuticals, technology, telecoms, and software development industries.

Over the past half year, the adversary was observed employing various new backdoors in attacks, including PortReuse and the Microsoft SQL-targeting skip-2.0, along with a new variant of the ShadowPad backdoor.

In a report released earlier this month, BlackBerry security researchers revealed that the Winnti Group, along with other China-linked cyber-espionage groups — this includes PASSCV, BRONZE UNION (EMISSARY PANDA), CASPER (LEAD), and WLNXSPLINTER — have been systematically targeting Linux servers for years.

This week, QuoIntelligence (QuoINT) published a report claiming that the Winnti hackers have targeted South Korean video gaming company Gravity, which is best known for the massive multiplayer online role-playing game (MMORPG) Ragnarok Online.

A sample resembling a Winnti dropper previously described by ESET was submitted to a public online malware scanning service, and analysis of the binary revealed the potential targeting, QuoINT’s security researchers say.

“[W]e were able to extract the malware’s configuration file and identify the intended target. […] Based on previous knowledge and targeting of the Winnti Group, we assess that this sample was likely used to target Gravity Co., Ltd., a South Korean video game company,” QuoINT says.

Previous reporting on the Winnti hackers also revealed a command and control (C&C) server associated with the campaign identifier GRA KR 0629, which might be related to the recently identified attack, although no further evidence to support the link has been discovered.

QuoINT also discovered that the Winnti Group targeted a chemicals company in Germany earlier this year, with a malware sample apparently built in 2015. The same as the sample purportedly aimed at Gravity, this malware variant had the target’s name embedded in the code.

The attack on the German company involved the use of a binary to bypass driver verification and install the attackers’ drivers, a vulnerable VirtualBox driver, and rootkit drivers. The attackers relied on DNS tunneling for C&C communication.

“The Winnti Group has exhibited their ability to breach different organizations and conduct sophisticated attack operations, typically motivated by espionage and financial gain, with various TTPs and malware toolkits. While attribution is not concrete due to the complexity of the group, there are links that can be drawn between operations which suggest the threat actors purporting the attacks are likely operating within the Winnti Group, or at least sharing resources,” QuoINT concludes.

Related: China-Linked Hackers Systematically Targeted Linux Servers for Years

Related: Chinese Hackers Target Hong Kong Universities With New Backdoor Variant

Related: Researchers Find New Backdoor Used by Winnti Hackers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...