Threat Actor Profile
High APT
Description

Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting.(Citation: Kaspersky Winnti April 2013)(Citation: Kaspersky Winnti June 2015)(Citation: Novetta Winnti April 2015) Some reporting suggests a number of other groups, including Axiom, APT17, and Ke3chang, are closely linked to Winnti Group.(Citation: 401 TRG Winnti Umbrella May 2018)

Confidence Score
90%
Known Aliases
Winnti Group, Blackfly
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown (the reporting cited below places activity since at least 2010)

Last Updated

Unknown (the STIX object below was last modified 2025-04-16)

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (6)
T1105 - Ingress Tool Transfer (Command and Control)
T1014 - Rootkit (Defense Evasion)
T1553.002 - Code Signing (Defense Evasion)
T1057 - Process Discovery (Discovery)
T1083 - File and Directory Discovery (Discovery)
T1583.001 - Domains (Resource Development)
Indicators of Compromise

STIX Data
{
  "aliases": ["Winnti Group", "Blackfly"],
  "created": "2017-05-31T21:32:08.682Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "description": "[Winnti Group](https://attack.mitre.org/groups/G0044) is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting.(Citation: Kaspersky Winnti April 2013)(Citation: Kaspersky Winnti June 2015)(Citation: Novetta Winnti April 2015) Some reporting suggests a number of other groups, including [Axiom](https://attack.mitre.org/groups/G0001), [APT17](https://attack.mitre.org/groups/G0025), and [Ke3chang](https://attack.mitre.org/groups/G0004), are closely linked to [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: 401 TRG Winnti Umbrella May 2018)",
  "external_references": [
    {"external_id": "G0044", "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0044"},
    {"description": "(Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015)", "source_name": "Winnti Group"},
    {"description": "(Citation: Symantec Suckfly March 2016)", "source_name": "Blackfly"},
    {"description": "DiMaggio, J. (2016, March 15). Suckfly: Revealing the secret life of your code signing certificates. Retrieved August 3, 2016.", "source_name": "Symantec Suckfly March 2016", "url": "http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates"},
    {"description": "Hegel, T. (2018, May 3). Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers. Retrieved July 8, 2018.", "source_name": "401 TRG Winnti Umbrella May 2018", "url": "https://401trg.github.io/pages/burning-umbrella.html"},
    {"description": "Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.", "source_name": "Kaspersky Winnti April 2013", "url": "https://securelist.com/winnti-more-than-just-a-game/37029/"},
    {"description": "Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.", "source_name": "Novetta Winnti April 2015", "url": "https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf"},
    {"description": "Tarakanov, D. (2015, June 22). Games are over: Winnti is now targeting pharmaceutical companies. Retrieved January 14, 2016.", "source_name": "Kaspersky Winnti June 2015", "url": "https://securelist.com/games-are-over/70991/"}
  ],
  "id": "intrusion-set--c5947e1c-1cbc-434c-94b8-27c7e3be0fff",
  "modified": "2025-04-16T20:37:35.689Z",
  "name": "Winnti Group",
  "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
  "revoked": false,
  "spec_version": "2.1",
  "type": "intrusion-set",
  "x_mitre_attack_spec_version": "3.2.0",
  "x_mitre_contributors": ["Edward Millington"],
  "x_mitre_deprecated": false,
  "x_mitre_domains": ["enterprise-attack"],
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_version": "1.2"
}
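The STIX record above is the raw export; the useful questions for a practitioner are whether it is well-formed, which ATT&CK group it maps to, what each alias is sourced to, and how to get the six techniques listed on this page into an ATT&CK Navigator layer. The following Python script is an added example written for this page, not code from the platform that produced it or from MITRE. The embedded STIX dict is a constructed subset of the record above (only the fields the functions read); the Navigator layer format version (4.5) and the hyphenated tactic shortnames are assumptions about the Navigator's expected input.

```python
"""Check the page's STIX 2.1 intrusion-set record for Winnti Group (G0044)
and build an ATT&CK Navigator layer from the techniques listed on the page."""
import json
import re

# Constructed subset of the STIX object shown on this page: only the fields
# the functions below read are reproduced here.
STIX_INTRUSION_SET = {
    "type": "intrusion-set",
    "spec_version": "2.1",
    "id": "intrusion-set--c5947e1c-1cbc-434c-94b8-27c7e3be0fff",
    "name": "Winnti Group",
    "aliases": ["Winnti Group", "Blackfly"],
    "revoked": False,
    "external_references": [
        {"source_name": "mitre-attack", "external_id": "G0044",
         "url": "https://attack.mitre.org/groups/G0044"},
        {"source_name": "Winnti Group",
         "description": "(Citation: Kaspersky Winnti April 2013) "
                        "(Citation: Kaspersky Winnti June 2015)"},
        {"source_name": "Blackfly",
         "description": "(Citation: Symantec Suckfly March 2016)"},
    ],
}

# Technique IDs and tactics as listed under "MITRE ATT&CK Techniques (6)".
# Tactic names are in the Navigator's shortname form (assumed: lower-case, hyphenated).
TECHNIQUES = [
    ("T1105", "command-and-control"),
    ("T1014", "defense-evasion"),
    ("T1553.002", "defense-evasion"),
    ("T1057", "discovery"),
    ("T1083", "discovery"),
    ("T1583.001", "resource-development"),
]

STIX_ID_RE = re.compile(
    r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
ATTACK_GROUP_RE = re.compile(r"^G\d{4}$")
ATTACK_TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")
CITATION_RE = re.compile(r"\(Citation: ([^)]+)\)")


def attack_group_id(obj):
    """ATT&CK group ID (G0044 here), taken from the mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def validate(obj):
    """Return a list of problems with the record; an empty list means it passes."""
    errors = []
    if obj.get("type") != "intrusion-set":
        errors.append("type is not intrusion-set")
    if obj.get("spec_version") != "2.1":
        errors.append("spec_version is not 2.1")
    if not STIX_ID_RE.match(obj.get("id", "")):
        errors.append("id is not a well-formed STIX identifier")
    if not obj.get("id", "").startswith(obj.get("type", "") + "--"):
        errors.append("id prefix does not match type")
    gid = attack_group_id(obj)
    if gid is None or not ATTACK_GROUP_RE.match(gid):
        errors.append("missing or malformed mitre-attack group ID")
    if obj.get("revoked"):
        errors.append("object is revoked")
    return errors


def alias_sources(obj):
    """Map each alias to its citation keys. ATT&CK records an alias's sources as an
    external_reference whose source_name is the alias itself (see the record above)."""
    aliases = set(obj.get("aliases", []))
    return {ref["source_name"]: CITATION_RE.findall(ref.get("description", ""))
            for ref in obj.get("external_references", [])
            if ref.get("source_name") in aliases}


def technique_entries(techniques):
    """Navigator technique entries. A sub-technique also gets its parent added with
    showSubtechniques so the layer expands it when loaded."""
    entries, parents_seen = [], set()
    for tid, tactic in techniques:
        if not ATTACK_TECHNIQUE_RE.match(tid):
            raise ValueError(f"not an ATT&CK technique ID: {tid}")
        entries.append({"techniqueID": tid, "tactic": tactic, "score": 1})
        parent = tid.split(".")[0]
        if "." in tid and parent not in parents_seen:
            parents_seen.add(parent)
            entries.append({"techniqueID": parent, "tactic": tactic,
                            "showSubtechniques": True})
    return entries


def navigator_layer(obj, techniques):
    """Assemble a Navigator layer dict (layer format version 4.5 is an assumption)."""
    return {
        "name": f"{obj['name']} ({attack_group_id(obj)})",
        "versions": {"layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Aliases: " + ", ".join(obj.get("aliases", [])),
        "techniques": technique_entries(techniques),
    }


if __name__ == "__main__":
    print("validation:", validate(STIX_INTRUSION_SET) or "ok")
    print("aliases:", alias_sources(STIX_INTRUSION_SET))
    print(json.dumps(navigator_layer(STIX_INTRUSION_SET, TECHNIQUES), indent=2))
```

Run it as-is to print the layer JSON; save that output to a file and load it in the Navigator to see the six techniques highlighted, with T1553 and T1583 expanded to show their sub-techniques. Swapping the constructed dict for the full record (the JSON above, loaded with `json.load`) requires no other change, since the functions only read the fields reproduced here.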