winnti-returns-with-plugx

Winnti returns with PlugX

Continuing our investigation into Winnti, in this post we describe how the group tried to re-infect a certain gaming company and what malware they used. In the course of our efforts to remove the infection, the gaming company sent us suspicious files that were appearing on their computers. Many of these files were samples of Winnti malware. Read Full Article

the-winnti-honeypot-luring-intruders

The Winnti honeypot – luring intruders

During our research on the Winnti group we have managed to discovered quite a considerable amount of Winnti samples targeting different gaming companies. With the help ofUsing thisat sophisticatedcomplicated malicious program cybercriminals gained remote access to infected workstations and then carried out further they activityed manually. Read Full Article

winnti-more-than-just-a-game

Winnti. More than just a game

In the course of our research we uncovered the activity of a hacking group which has Chinese origins. This group was named “Winnti”. According to our estimations, this group has been active for several years and specializes in cyberattacks against the online video game industry. Read Full Article

operation-shadowhammer

Operation ShadowHammer

Operation ShadowHammer is a newly discovered supply chain attack that leveraged ASUS Live Update software. While the investigation is still in progress and full results and technical paper will be published during SAS 2019 conference in Singapore, we would like to share some important details about the attack. Read Full Article

apt-review-of-the-year

APT review of the year

What were the most interesting developments in terms of APT activity throughout the year and what can we learn from them? Not an easy question to answer. Still, with the benefit of hindsight, let’s try to approach the problem from different angles to get a better understanding of what went on. Read Full Article

shadowpad-in-corporate-networks

ShadowPad in corporate networks

In July 2017, during an investigation, suspicious DNS requests were identified in a partner’s network. The source of the queries was a software package produced by NetSarang. Our analysis showed that recent versions of the software had been surreptitiously modified to include an encrypted payload that could be remotely activated by a knowledgeable attacker. Read Full Article