Security Experts:

Connect with us

Hi, what are you looking for?



Winnti Group Uses GitHub for C&C Communications

The China-linked threat group known as Winnti has been abusing GitHub for command and control (C&C) communications, Trend Micro reported on Wednesday.

The China-linked threat group known as Winnti has been abusing GitHub for command and control (C&C) communications, Trend Micro reported on Wednesday.

Winnti, mainly known for financially-motivated espionage campaigns aimed at the online gaming industry, has been around since at least 2007. A majority of the threat actor’s victims are located in Southeast Asia.

Trend Micro has been monitoring the group and discovered that its malware connected to a GitHub account in order to obtain the exact location of C&C servers.

Winnti has continued to use PlugX, a RAT that is often leveraged by Chinese threat actors, but experts also discovered what appears to be a new backdoor (BKDR64_WINNTI.ONM).

The malware checks an HTML page stored in a GitHub project. The file contains an encrypted string that hides the IP address and port number for the C&C server. The information was encrypted via an algorithm known to be used by PlugX and other algorithms derived from it.

According to Trend Micro, the GitHub project used by Winnti was created in May 2016 and it was first used for C&C communications in August 2016. Experts believe the GitHub account was likely created by the attackers themselves and not hijacked from its original owner.

Between August 17 and March 12, Trend Micro noticed nearly two dozen C&C server IP and port combinations. Researchers said a majority of the servers were located in the United States, and two in Japan.

One user pointed out on Reddit that the C&C servers appear to be hosted by Krypt Technologies, whose services have often been abused for botnets and other threats.

As for the new Winnti backdoor, the malware uses a loader that leverages a modified version of a Microsoft registry tool (loadperf.dll) and the WMI performance adapter service in Windows (wmiAPSrv). The loader imports and decrypts the main payload and loads it into memory.

“Abusing popular platforms like GitHub enables threat actors like Winnti to maintain network persistence between compromised computers and their servers, while staying under the radar,” explained Trend Micro threat researcher Cedric Pernet. “Although Winnti may still be employing traditional malware, its use of a relatively unique tactic to stay ahead of the threat landscape’s curve reflects the increased sophistication that threat actors are projected to employ.”

Related: Winnti Spies Use Bootkit for Persistence, Distributing Backdoors

Related: “Wekby” Group Uses DNS Requests for C&C Communications

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...