The China-linked threat group tracked as Winnti was observed using a new variant of the ShadowPad backdoor in recent attacks targeting Hong Kong universities, ESET’s security researchers report.

Believed to have been active since at least 2009, the Winnti Group is operating under the same umbrella as Axiom, Barium, Group 72, Blackfly, and APT41, targeting the aviation, gaming, pharmaceuticals, technology, telecommunication, and software development sectors in industrial cyber-espionage campaigns.

In October last year, ESET detailed two new backdoors employed by the hackers, namely PortReuse and the Microsoft SQL-targeting skip-2.0.

One month later, the security researchers discovered a new campaign run by the Chinese hackers, targeting two Hong Kong universities with a new variant of the ShadowPad backdoor, the group’s flagship tool.

A few weeks prior to discovering the backdoor, the Winnti malware was found on computers at these universities.

Campaign identifiers and command and control (C&C) URLs used in these malware samples featured the names of the universities, suggesting a targeted attack. Moreover, the C&C URL format used led the researchers to believe that at least three other Hong Kong universities may have been compromised.

Responding to a SecurityWeek inquiry, ESET researcher Mathieu Tartare revealed that the company did provide assistance to some of the affected universities in remediating the compromise.