Investigating Wintti Group Activity: Shadowpad, xDLL Backdoors and New Attack Development Tools

4 min

In March 2020, as part of the study of information security threats, experts PT Expert Security Center discovered a previously unknown backdoor and named it xDll, after its original name in the code. Due to a configuration error on the control server, some of the directories have become accessible from the outside.

New malware samples were found on the server, including the Shadowpad backdoor, xDll backdoor, previously unknown Python backdoor, attack development utilities, etc. It was Shadowpad that made it possible to link the new backdoor and discovered tools with the Winnti cyber group and analyze the possible connection of this group with other large-scale cyber attacks.

The full version of the study is available at linkand in this article we list the main facts and conclusions.

Winnti and ShadowPad who are attacked by hackers

The ShadowPad backdoor is used by the Winnti group (APT41, BARIUM, AXIOM), which has been active since at least 2012. Group comes from China and belongs to the government sponsored class… The group’s key interests are espionage and financial gain. The main arsenal of the group consists of proprietary malware. Winnti uses sophisticated attack methods, including supply chain and watering hole.

The group attacks companies and organizations around the world, including Russia, USA, Japan, South Korea, Germany, Mongolia, Belarus, India, Brazil, etc.

The victims of cybercriminals include companies and organizations from industries such as aerospace, energy, software development, pharmaceuticals, finance, telecommunications, and others.

First attack using ShadowPad was recorded in 2017. The backdoor is often used in supply chain attacks (such as hacking CCleaner and ASUS). Last report about Winnti group activity using ShadowPad was released by ESET in January 2020.

How we detected hacker activity

At first, when analyzing the xDll backdoor (see Section 2.2), we could not find an explicit membership in any APT group. The sample had a very interesting control server www.g00gle_jp.dynamic-dns[.]net, which could potentially indicate attacks on Japan. While researching the network infrastructure and looking for similar patterns, we found several domains with similar names.

The domain names suggest that attacks also target South Korea, Mongolia, Russia and the United States. Upon further investigation of the infrastructure, we discovered several simple, unknown bootloaders that contact the linked control servers and in response should receive a payload encrypted using the XOR operation on the 0x37 key. We named the downloader we found SkinnyD (Skinny Downloader) because of its small size and poor functionality. In terms of the URL structure and some lines, SkinnyD was very similar to the xDll backdoor.

Initially, we were unable to get the payload for SkinnyD as all the control servers were inactive. But after a while we managed to find new samples of the xDll backdoor. While analyzing one of them, we found open folders on its control server. The file named x.jpg is an xDll backdoor, encrypted using the XOR operation on the 0x37 key. This suggests that xDll is the payload for SkinnyD.

Open directory structure on the discovered server
Open directory structure on the discovered server

The most interesting content on the server turned out to be the contents of the cache folder.

The contents of the cache folder
The contents of the cache folder

It contains data on victims and malware that is downloaded to the infected computer. The name of the victim’s file contains the MD5 hash from the MAC address of the infected computer, which is sent by xDll, and in the contents you can see the last time of connection with the control server. By the way the second part of the name of the malware file changes, it can be assumed that the server time in nanoseconds is put in it, but it is not correct: it takes us back to the distant March 1990. Why such a period of time was taken is unknown to us.

In the files with the malware, we found ShadowPad, a previously unknown Python backdoor and utilities for attack development.

The aftermath of cyber attacks

According to data from the server, more than 50 machines are infected. We were unable to establish the exact location and industry affiliation of all of them. However, by correlating the time of the last connection of the infected PC to the server and the time we received the file with this time, we can make a map of the time zones.

We were able to identify some of the compromised organizations:

  • university in the USA,

  • audit company in Holland,

  • two construction companies – one in Russia, the other in China,

  • five software development firms: one in Germany, four in Russia.

All potential victims were notified through national CERTs.

Considering that ShadowPad was used in supply chain attacks through suppliers Software, and we know about the compromise of at least five software developers, it can be argued that either we are dealing with preparations for the next malware distribution, or the attack is already in an active phase.


We analyzed the infrastructure of the Winnti group, and we can conclude that activity has been going on in it since the beginning of 2019. Currently, this infrastructure is only growing, which speaks of the active actions of Winnti. Some of the machines compromised by hackers can serve as a “springboard” for subsequent, more serious attacks. The group added several new types of malware to its arsenal – SkinnyD, xDll, Python backdoor.

In particular, we found related domains previously used during attacks on organizations in Russia, Belarus, South Korea and Japan, which were then believed to be carried out by the TA459 and Tonto team. In addition, infrastructural intersections with the Nettraveler group were identified.

Of course, the fact of reusing the infrastructure of another group to mask activity (a kind of lease of infrastructure) is not excluded, however, the area of ​​attacks, geographic and sectoral referencing largely overlap with the area of ​​interest of the Winnti group, therefore, based on indirect signs, it can be assumed that behind all these the attacks are actually the same group of cybercriminals. Attribution details are presented in full version of the study

The dramatically increased activity of the group may also be associated with the coronavirus epidemic. Many companies have sent their employees to work remotely, and at the same time, our data, 80% of employees use home computers for work. It turns out that many workers are outside the reach of corporate defenses and security policies. This makes them a very vulnerable target.

We continue to monitor the activity of the Winnti group and do not expect the group to decrease its activity. After a while, we may face a new attack similar to the CCleaner and ASUS hack.


Leave a Reply