Winnti Spies Use Bootkit for Persistence, Distributing Backdoors

While monitoring the activities of the advanced persistent threat (APT) actor known as Winnti, researchers at Kaspersky Lab discovered a new platform that the group has been using to maintain persistence on infected systems and deliver backdoors.


The Winnti group, which has been around since at least 2009, was discovered by security researchers in 2012. The actor’s industrial cyberespionage operations have been aimed at software companies, particularly ones in the gaming sector.

The group is believed to be based in China and a majority of its victims are located in Southeast Asia, but the list of targets also includes gaming companies in Germany, the United States, Japan, China, Russia, Brazil, Peru, and Belarus. Kaspersky noticed recently that Winnti has also targeted businesses in the pharmaceutical industry.

Researchers recently discovered an active threat that the Winnti group has been using as an attack platform against organizations in South Korea and other countries. The threat, dubbed “HDRoot,” is based on a bootkit installer named “HDD Rootkit” that was developed in 2006.

The HDRoot bootkit attracted the attention of experts because it had been protected with VMProtect, a commercial packer designed to hinder reverse engineering and cracking, and because it had been signed with a compromised digital certificate issued to a Chinese company named Guangzhou YuanLuo Technology. Winnti had previously used the same certificate to sign its tools, so the signer alone ties the sample to the group.

HDRoot also caught the eye of experts because it was disguised as Microsoft’s legitimate net.exe command-line utility, most likely so that a copy of the file would not raise suspicion.

According to Kaspersky, HDRoot is a platform designed to give attackers persistent access to a targeted system and to let them deliver backdoors onto it.

The security firm identified two backdoors delivered by HDRoot, one of which was capable of evading antivirus products from AhnLab and ESTsoft. Since those products are popular in South Korea, experts believe the backdoor was created specifically for computers in that country. While South Korea appears to be one of Winnti’s main targets, Kaspersky has also spotted one infection in the United Kingdom and one in Russia, both at companies that had previously been attacked by the group.
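The two file-level indicators the article gives, a binary posing as net.exe and a signature from the Guangzhou YuanLuo Technology certificate, can be hunted for on a Windows host with built-in cmdlets. The following script is an added example written for this page; it is not code from Kaspersky’s report or from the article, and the drive to scan, the substring match on the signer subject, and the flag labels are assumptions. It lists every net.exe outside the two expected system locations, reports its Authenticode signer, and compares its hash with the genuine System32 copy.

```powershell
# Added triage check (not from the article or Kaspersky's report).
# Finds copies of net.exe outside the expected system directories, reports their
# Authenticode signer, and flags the signer named in the article.
# Assumptions: scan root C:\, substring match on the certificate subject, flag names.

$expected = @(
    (Join-Path $env:SystemRoot 'System32\net.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\net.exe')
)
$suspectSubject = 'Guangzhou YuanLuo Technology'   # signer named in the article

# Hash of the genuine net.exe, so byte-identical OS copies (e.g. in WinSxS) can be
# told apart from impostors that merely borrowed the file name.
$genuineHash = (Get-FileHash -Algorithm SHA256 -Path $expected[0]).Hash

function Get-NetExeFlag {
    param([string]$Subject, [string]$Hash)
    if ($Hash -eq $genuineHash)                       { return 'MATCHES-SYSTEM32' }
    if ($Subject -like "*$suspectSubject*")            { return 'WINNTI-CERT' }
    if ($Subject -eq '<unsigned>')                     { return 'UNSIGNED' }
    if ($Subject -notlike '*Microsoft Corporation*')   { return 'NON-MS-SIGNER' }
    return 'MS-SIGNED-COPY'
}

Get-ChildItem -Path 'C:\' -Filter 'net.exe' -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $expected -notcontains $_.FullName } |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $hash = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        [pscustomobject]@{
            Path   = $_.FullName
            Status = $sig.Status            # Valid / NotSigned / HashMismatch / UnknownError
            Signer = $subject
            SHA256 = $hash
            Flag   = Get-NetExeFlag -Subject $subject -Hash $hash
        }
    } |
    Where-Object { $_.Flag -ne 'MATCHES-SYSTEM32' } |
    Format-Table -AutoSize
```

Two caveats matter when reading the output. Windows’ own copies of net.exe are catalog-signed rather than carrying an embedded signature, so Get-AuthenticodeSignature reports them as NotSigned; the hash comparison is what filters them out. Conversely, a stolen certificate that has since been revoked may still yield Status = Valid if the host cannot reach a CRL or OCSP responder, which is why the check keys on the signer subject rather than on the validity status.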


In a blog post published on Tuesday, Dmitry Tarakanov, senior security researcher at Kaspersky Lab, pointed out that HDRoot is less sophisticated than one would expect from an APT actor such as Winnti. According to the expert, the platform’s developers made mistakes that could expose the threat on infected machines.

“The most important goal for any APT-actor is to stay under the radar, to remain in the shadow. That’s why we rarely see any complicated code encryption, because that would attract attention,” Tarakanov explained. “The Winnti group took a risk, because it probably knows from experience which signs should be covered up and which ones can be overlooked because organizations don’t always apply all the best security policies all of the time. System administrators have to keep on top of many things, and if the team is small, the chance that cybercriminal activity will remain undetected is even higher.”

Since HDRoot is based on a tool released in 2006, experts believe either that the developer of HDD Rootkit joined Winnti when the group formed in 2009, or that Winnti simply uses third-party software, possibly acquired on the underground market.

HDRoot remains active, and its authors have been releasing new variants since Kaspersky’s products started detecting the threat.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
