Winnti is a trojan typically used by a Chinese advanced persistent threat (APT) group of the same name. The Winnti trojan was first identified in 2011 when it was found on multiple computers from private companies around the world that had been used to download popular online games. It was determined that cybercriminals targeted the companies that develop and release computer games and used the malware to infect end-user systems through malicious updates for popular online games. The malware found on one of the update servers contained a DLL library made for a 64-bit Windows environment and a properly signed malicious driver. The DLL contained a backdoor payload for a remote access trojan (RAT) which gave the attackers the ability to remotely control the victim’s computer without his knowledge. This malicious module was the first time researchers observed a trojan application for 64-bit Windows with a valid digital signature. Winnti has been used to target many nations, with a focus on Southeast Asian organizations in the video gaming sector; however, more recently, it was used in attacks targeting organizations in other sectors.


  • May 2013: Winnti trojan uses the Adheadlib analysis tool to mimic a legitimate system library. (Softpedia)

  • January 2015: Winnti trojan may have been used in conjunction with the new malware, “Skeleton Key.” (SC Magazine)

  • June 2015: Cybercriminals target European Pharmaceutical business using Winnti malware. (Softpedia)

  • May 2019: Security Researchers Discover Linux Version of Winnti Malware. (ZDNet)

Technical Details

  • Securelist provides technical details on the Winnti trojan, available here.