A sophisticated cyber espionage campaign dubbed RevivalStone has been attributed to the notorious China-linked threat actor Winnti (APT41), targeting Japanese companies in the manufacturing, materials, and energy sectors in March 2024.
According to cybersecurity firm LAC, this latest campaign overlaps with several previously documented threat clusters, including Earth Freybug (Trend Micro), Operation CuckooBees (Cybereason), and Blackfly (Symantec). Winnti, a highly skilled cyber espionage and supply chain attack group, employs advanced stealth tactics and a custom toolset to evade security measures, exfiltrate sensitive data, and maintain persistent remote access.
Winnti's Strategic Cyber Attacks
LAC’s analysis highlights how Winnti's cyber operations are closely aligned with China's strategic interests, targeting a diverse range of public and private industries worldwide.
Key tactics observed include:
Winnti malware with a unique rootkit for covert communication and manipulation.
Use of stolen, legitimate digital certificates to sign malware, enhancing stealth and credibility.
Targeting vulnerabilities in public-facing applications, particularly IBM Lotus Domino, to infiltrate APAC organizations.
RevivalStone: Advanced Malware Arsenal
Between November 2023 and October 2024, Winnti leveraged multiple malware variants in its attacks, including:
DEATHLOTUS – A stealthy CGI backdoor enabling file creation and command execution.
UNAPIMON – A C++-based defense evasion tool.
PRIVATELOG – A sophisticated loader delivering Winnti RAT (DEPLOYLOG) and a kernel-level rootkit (WINNKIT).
CUNNINGPIGEON – A Microsoft Graph API-based backdoor for file management, process execution, and proxy operations.
WINDJAMMER – A rootkit intercepting TCP/IP traffic and creating covert channels.
SHADOWGAZE – A passive backdoor reusing IIS web server ports.
Attack Chain & Lateral Movement
LAC’s latest findings reveal that Winnti exploited an SQL injection vulnerability in an unspecified enterprise resource planning (ERP) system, allowing the deployment of China Chopper and Behinder (Bingxia/IceScorpion) web shells. This foothold facilitated:
Reconnaissance and credential harvesting.
Lateral movement within the compromised network.
Deployment of an enhanced version of Winnti malware.
The attackers also infiltrated a Managed Service Provider (MSP) via a shared account, leveraging its infrastructure to propagate malware to three additional organizations.
New Findings: TreadStone & StoneV5
Researchers Takuma Matsumoto and Yoshihiro Ishikawa from LAC identified TreadStone and StoneV5 references in the RevivalStone campaign. TreadStone appears to be a malware controller linked to Winnti, while StoneV5 suggests an upgraded version, possibly Winnti v5.0.
Evolution of Winnti: Future Threat Landscape
The latest Winnti malware includes obfuscation, updated encryption algorithms, and advanced evasion techniques. Researchers anticipate further enhancements in Winnti’s capabilities, making cyber defense more challenging.
Emerging Threat: SSHDInjector & Daggerfly Espionage
A Fortinet FortiGuard Labs report has uncovered a parallel Linux-based malware suite, SSHDInjector, deployed by another Chinese state-sponsored hacking group, Daggerfly (Bronze Highland / Evasive Panda). This malware hijacks SSH daemons on network appliances for persistent access and covert exfiltration, enabling:
Process enumeration
File operations
Remote command execution
Conclusion: Strengthening Cyber Resilience
With Winnti (APT41) ramping up its cyber espionage efforts, organizations must prioritize:
Proactive threat intelligence and real-time monitoring.
Regular patching of public-facing applications.
Advanced endpoint detection and response (EDR) solutions.
Zero-trust security models to prevent lateral movement.
Cyber defenders must stay vigilant as threat actors continue to refine their tactics, leveraging stealth, persistence, and advanced malware to conduct large-scale espionage.