3C-INT logo [Cyber]Crime Characterization for Intelligence FREE PREVIEW
You are exploring the Free preview. To unlock full read-only access to all public profiles and in-app notifications, create a free research account. For analyst / premium plans capabilities (editing, advanced tabs, exports), please contact us

Threat Actor Characterization

Back
You’re viewing the read-only version. Sign in for analyst tools (editors, promote draft, file/relations management, etc.)
Winnti Group

Winnti Group

ID: 8908b96c35d959daadee58888ff5d94922866
Cybercrime State-Sponsored
Threat types: Intrusion, Espionage, Signed Malware
China UNKNOWN
Updated: 2026-01-13
Created: 2025-10-22
Progress: 38% Completeness: 33% Freshness: 50%
Operation zone: UNKNOWN
Aliases Limited alias preview
BARIUM LEAD
Actor Network Graph
Open Network Graph
Read-only preview for anonymous visitors. Sign in with a free Research account for full workspace.
MITRE ATT&CK®
confidence: medium
Actor Techniques page ATT&CK® Diagram

Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. Some reporting suggests a number of other groups, including Axiom, APT17, and Ke3chang, are closely linked to Winnti Group. Ref: https://attack.mitre.org/groups/G0044/


Technique Technique name Tactics Evidence
T1553.002 Code Signing TA0005
  • Subvert Trust Controls: Code Signing - Winnti Group used stolen certificates to sign its malware. · ref
T1583.001 Domains TA0042
  • Acquire Infrastructure: Domains - Winnti Group has registered domains for C2 that mimicked sites of their intended targets. · ref
Strategic Intelligence
Limited preview
No content.
Full strategic intelligence is available in Analyst and Premium plans.
Executive Analyst Brief for CISO
Empty Limited preview
No content yet.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Executive brief now
Saved successfully.
Hunting Playbook
Empty Limited preview
No content yet.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Hunting Playbook now
Saved successfully.
IOC Appendix
Empty Limited preview
No content yet.
IOC Appendix now
Saved successfully.
OSINT Library
Empty Limited preview
No content yet.
OSINT Library now
Saved successfully.
Social Medial & Communication
SOCMINT integrated: 0/0
No social links registered for this profile.
Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence Limited
No images found for this threat.