Friday, May 2, 2025
HomeCyber AttackWinnti APT Hacker Group Attacks Video Gaming Companies Using PipeMon Malware

Winnti APT Hacker Group Attacks Video Gaming Companies Using PipeMon Malware

Published on

SIEM as a Service

Follow Us on Google News

Winnti group has been active at least since 2012 and specializes in cyberattacks against the online video game industry. The main goal of the hacker group is to steal the source code of online game projects as well as digital certificates.

The group is also responsible for high-profile supply-chain attacks against software companies that result in the distribution of trojanized software.

Winnti Group Attacks

Starting from 2019, the Winnti group started using PipeMon malware since 2019, to compromise various software companies.

- Advertisement - Google News

ESET researchers observed that the current campaign targets video game developers who developing MMO (Massively Multiplayer Online) games based in South Korea and Taiwan.

The attacker tries to compromise the company’s build orchestration server which allows attackers to take control of the automated build systems. This would allow attackers to include arbitrary code of their choice in the video game executables.

ESET observed that the certificate used to sign the PipeMon installer, modules, and additional tools is linked to a video game company that was compromised in a supply-chain attack in late 2018 by the Winnti Group and was likely stolen at that time.

The first stage of the malware is a password-protected RARSFX executable and the password is different from each sample.

Winnti APT Hacker Group

Once the password-protected file sis extracted, setup.exe main executable get’s executed, it’s purpose is to load the setup.dll file.

Following are the files with RARSFX

  • rLnc.dat – Encrypted payload
  • Duser.dll – Used for UAC bypass
  • osksupport.dll – Used for UAC bypass
  • PrintDialog.dll – Used for the malicious print processor initialization
  • PrintDialog.exe – Legitimate Windows executable used to load PrintDialog.dll
  • setup.dll – Installation DLL
  • setup.exe – Main executable

To maintain the persistence setup.dll registers the malicious DLL loader as an alternative Print Processor by adding registry keys.

Once it got registered it restarts the print spooler service (spoolsv.exe) so that the malicious DLL loader loads every time when spoolsv.exe starts.

C&C Communication

The module was named PipeMon as it contains inter-module communication, to its PDB path, and the name of the Visual Studio project named by developers.

ESET researchers observed that “Inter-module communication is performed via named pipes, using two named pipes per communication channel between each individual module, one for sending and one for receiving.”

The communication module with loader responsible for establishing C&C communication, all the data transferred are encrypted using RC4 with the hardcoded key Com!123Qasdz.

To initiate C&C communication following are the details shared first includes;

  • OS version
  • Physical addresses of connected network adapters concatenated with %B64_TIMESTAMP%
  • the victim’s local IP address
  • backdoor version/campaign ID; we’ve observed the following values
  • “1.1.1.4beat”
  • “1.1.1.4Bata”
  • “1.1.1.5”
  • Victim computer name

The malware modules are signed with Stolen valid code-signing certificate, now the certificate was revoked by the user after notification from ESET.

The new attack shows that Winnti Group uses a new set of tools using multiple open-source projects and they are targeting Massively Multiplayer Online developer companies.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Managing Shadow IT Risks – CISO’s Practical Toolkit

Managing Shadow IT risks has become a critical challenge for Chief Information Security Officers...

Application Security In 2025 – CISO’s Priority Guide

Application security in 2025 has become a defining concern for every Chief Information Security...

Preparing for Quantum Cybersecurity Risks – CISO Insights

Quantum cybersecurity risks represent a paradigm shift in cybersecurity, demanding immediate attention from Chief...

Securing Digital Transformation – CISO’s Resource Hub

In today’s hyper-connected world, securing digital transformation is a technological upgrade and a fundamental...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

AiTM Phishing Kits Bypass MFA by Hijacking Credentials and Session Tokens

Darktrace's Security Operations Center (SOC) in late 2024 and early 2025, cybercriminals have been...

Nitrogen Ransomware Uses Cobalt Strike and Log Wiping in Targeted Attacks on Organizations

Threat actors have leveraged the Nitrogen ransomware campaign to target organizations through deceptive malvertising...

TheWizards Deploy ‘Spellbinder Hacking Tool’ for Global Adversary-in-the-Middle Attack

ESET researchers have uncovered sophisticated attack techniques employed by a China-aligned threat actor dubbed...