Security Experts:

Connect with us

Hi, what are you looking for?



Winnti Group Uses GitHub for C&C Communications

The China-linked threat group known as Winnti has been abusing GitHub for command and control (C&C) communications, Trend Micro reported on Wednesday.

The China-linked threat group known as Winnti has been abusing GitHub for command and control (C&C) communications, Trend Micro reported on Wednesday.

Winnti, mainly known for financially-motivated espionage campaigns aimed at the online gaming industry, has been around since at least 2007. A majority of the threat actor’s victims are located in Southeast Asia.

Trend Micro has been monitoring the group and discovered that its malware connected to a GitHub account in order to obtain the exact location of C&C servers.

Winnti has continued to use PlugX, a RAT that is often leveraged by Chinese threat actors, but experts also discovered what appears to be a new backdoor (BKDR64_WINNTI.ONM).

The malware checks an HTML page stored in a GitHub project. The file contains an encrypted string that hides the IP address and port number for the C&C server. The information was encrypted via an algorithm known to be used by PlugX and other algorithms derived from it.

According to Trend Micro, the GitHub project used by Winnti was created in May 2016 and it was first used for C&C communications in August 2016. Experts believe the GitHub account was likely created by the attackers themselves and not hijacked from its original owner.

Between August 17 and March 12, Trend Micro noticed nearly two dozen C&C server IP and port combinations. Researchers said a majority of the servers were located in the United States, and two in Japan.

One user pointed out on Reddit that the C&C servers appear to be hosted by Krypt Technologies, whose services have often been abused for botnets and other threats.

As for the new Winnti backdoor, the malware uses a loader that leverages a modified version of a Microsoft registry tool (loadperf.dll) and the WMI performance adapter service in Windows (wmiAPSrv). The loader imports and decrypts the main payload and loads it into memory.

“Abusing popular platforms like GitHub enables threat actors like Winnti to maintain network persistence between compromised computers and their servers, while staying under the radar,” explained Trend Micro threat researcher Cedric Pernet. “Although Winnti may still be employing traditional malware, its use of a relatively unique tactic to stay ahead of the threat landscape’s curve reflects the increased sophistication that threat actors are projected to employ.”

Related: Winnti Spies Use Bootkit for Persistence, Distributing Backdoors

Related: “Wekby” Group Uses DNS Requests for C&C Communications

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.