The Winnti malware family was first reported in 2013 by Kaspersky Lab¹. Since then, threat actors leveraging Winnti malware have victimized a diverse set of targets for varied motivations. While the name ‘Winnti’ in public reporting was previously used to signify a single actor, pronounced divergence in targeting and tradecraft between campaigns has led industry consensus to break up the tracking of the continued use of the Winnti malware under different actor clusters. The underlying hypothesis² is that the malware itself may be shared (or sold) across a small group of actors. In April 2019, reports³ emerged of an intrusion involving Winnti⁴ malware at a German Pharmaceutical company.
Following these reports, Chronicle researchers doubled down on efforts to try to unravel the various campaigns where Winnti was leveraged. Analysis of these larger convoluted clusters is ongoing. While reviewing a 2015 report⁵ of a Winnti intrusion at a Vietnamese gaming company, we identified a small cluster of Winnti⁶ samples designed specifically for Linux⁷. The following is a technical analysis of this variant.