Winnti Threat Group Targets Japanese Firms in New "RevivalStone" Cyber Campaign
The China-affiliated cyber threat actor Winnti has been linked to a newly identified attack campaign, RevivalStone, which is specifically targeting Japanese companies in the manufacturing, materials, and energy sectors.

Winnti Expands Focus to Asian Manufacturing
Active since at least 2012, Winnti has recently intensified its efforts against Asian manufacturing and materials industries. Cybersecurity researchers at LAC have found notable overlaps between Winnti’s operations and Earth Freybug, a subgroup of APT41, a well-known Chinese cyber-espionage collective.
Exploiting Software Vulnerabilities for Intrusion
Winnti has been observed taking advantage of security weaknesses in enterprise applications, including:
✔ IBM Lotus Domino
✔ Enterprise resource planning (ERP) systems
Using these vulnerabilities, the group deploys various malware strains, including:
- DEATHLOTUS
- UNAPIMON
- PRIVATELOG
- CUNNINGPIGEON
- WINDJAMMER
- SHADOWGAZE
SQL Injection and Web Shell Deployment
LAC researchers also discovered that Winnti is leveraging SQL injection vulnerabilities in ERP systems to deploy web shells on compromised servers. Once inside, the group steals credentials, conducts reconnaissance, and delivers the updated Winnti malware, which has been enhanced with:
- Advanced obfuscation techniques
- Stronger encryption algorithms
- Improved evasion of security defenses
Expanding Attack Capabilities
The latest Winnti malware variant is more sophisticated, enabling the group to push further into managed service providers (MSPs) and potentially expand the scope of its attacks to the customers those providers serve.
"This new Winnti malware includes enhanced obfuscation, updated encryption methods, and improved security evasion techniques. We anticipate continued updates and deployments of this malware in future attacks," stated LAC researchers.
With its evolving toolkit, Winnti remains a significant cyber threat, particularly to organizations in the Asia-Pacific region. Businesses must prioritize patching vulnerabilities, strengthening cybersecurity defenses, and monitoring for unusual network activity to mitigate the risks posed by this advanced state-sponsored actor.