Summary: Winnti, a China-affiliated threat actor, has launched a new cyber campaign named RevivalStone that targets Japanese companies in the manufacturing, materials, and energy sectors. The group has exploited vulnerabilities in enterprise applications, notably IBM Lotus Domino, and SQL injection flaws to gain access and deploy advanced malware. Researchers expect Winnti to keep evolving its malware with enhanced features to further its cyber espionage activities in the Asia-Pacific region.
Affected: Japanese manufacturing, materials, and energy companies
Key points:
- Winnti has been active since 2012 but only recently targeted Asian sectors.
- The group overlaps with Earth Freybug, a subset of APT41, indicating a complex attack landscape.
- New malware includes improved obfuscation and encryption, designed to evade security measures.
- Exploitation of vulnerabilities in enterprise applications enables deeper access to networks.
- Winnti's malware capabilities allow for further breaches, including against managed service providers.