The China-linked APT group Winnti (APT41) has been attributed a new cyber espionage campaign, RevivalStone, targeting Japanese manufacturing, materials, and energy companies in March 2024. The attack, detailed by LAC, exploited an SQL injection vulnerability in an unspecified ERP system to deploy web shells (China Chopper, Behinder) for initial access, reconnaissance, and credential harvesting. From there, the attackers moved laterally and breached a Managed Service Provider (MSP), using it to propagate malware to three additional organizations. Winnti leveraged an advanced custom toolset, including DEATHLOTUS (CGI backdoor), CUNNINGPIGEON (Graph API backdoor), PRIVATELOG (malware loader), WINDJAMMER (rootkit), and SHADOWGAZE (passive IIS backdoor), providing persistence, covert communication, and remote control. The campaign also introduced an updated version of the Winnti malware (Winnti v5.0) with improved obfuscation, encryption, and security evasion.
Winnti has a long history of supply chain attacks and stealthy cyber operations, often targeting critical industries in the Asia-Pacific region. The RevivalStone campaign aligns with China's strategic cyber objectives, reinforcing its focus on long-term espionage and data exfiltration. The attackers leveraged TreadStone, a controller for managing Winnti malware (previously found in the I-Soon leak), and StoneV5, possibly indicating Winnti v5.0. This campaign highlights the group's adaptability and evolving tactics, particularly its ability to bypass security defenses and exploit enterprise technologies like ERP systems, IIS web servers, and MSP infrastructures. Meanwhile, Fortinet reported a separate but related Linux-based SSHDInjector malware used by Daggerfly (Evasive Panda), another Chinese APT group, showcasing the increasing sophistication of Chinese nation-state cyber threats.
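The initial access vector in RevivalStone was an SQL injection flaw in an ERP application. The following is an added illustration (not code from LAC's report or from any ERP product) of the defect class and its fix, using a constructed in-memory SQLite table: a lookup that builds its SQL by string concatenation, the same lookup with a bound parameter, and a small source-code audit helper that flags string-built SQL statements of the kind a code reviewer would want to find in ERP customizations. The table name, column names, sample rows and function names are assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample data standing in for an ERP customer table.
SAMPLE_ROWS = [
    ("acme", "ACME Manufacturing", "restricted"),
    ("nippon-steelworks", "Nippon Steelworks", "restricted"),
    ("public-demo", "Demo Account", "public"),
]


def build_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (slug TEXT, name TEXT, tier TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, slug):
    """Defective pattern: the caller-controlled slug becomes part of the SQL text,
    so quote characters in the input change the statement's meaning."""
    sql = "SELECT name FROM customers WHERE slug = '" + slug + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, slug):
    """Hardened pattern: the slug is bound as a parameter and is only ever
    treated as data, never as SQL syntax."""
    rows = conn.execute("SELECT name FROM customers WHERE slug = ?", (slug,))
    return [row[0] for row in rows]


# Textbook tautology input used to show the difference between the two lookups.
INJECTION = "' OR '1'='1"

# Audit helper: flag source lines that open a string literal with a DML keyword
# and then concatenate something onto it. Heuristic, intended for triage only.
SQL_CONCAT = re.compile(
    r"""["']\s*(?:SELECT|INSERT|UPDATE|DELETE)\b.*?["']\s*\+""", re.IGNORECASE
)


def flag_string_built_sql(source):
    """Return 1-based line numbers in `source` that look like string-built SQL."""
    return [
        lineno
        for lineno, line in enumerate(source.splitlines(), 1)
        if SQL_CONCAT.search(line)
    ]


# Constructed snippet resembling an ERP customization, for the audit helper.
SAMPLE_SOURCE = '''def get_customer(cur, slug):
    sql = "SELECT name FROM customers WHERE slug = '" + slug + "'"
    return cur.execute(sql).fetchall()
'''


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_vulnerable(db, INJECTION))  # every row leaks
    print("safe:      ", lookup_safe(db, INJECTION))        # no row matches
    print("flagged lines:", flag_string_built_sql(SAMPLE_SOURCE))
```

The vulnerable lookup returns every customer for the tautology input because the quote in the input terminates the literal and the remainder is parsed as SQL; the parameterised lookup returns nothing, since no slug equals that literal string. The audit regex is deliberately narrow (a quoted literal beginning with a DML keyword followed by `+`) so it produces few false positives; it will not catch f-strings or `.format()` calls, which a fuller review would also search for.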