Winnti for Windows
MITRE
Malware Type:
Other
Other
First seen:
Unknown
Unknown
Last seen:
Unknown
Unknown
Details:
[Winnti for Windows](https://attack.mitre.org/software/S0141) is a modular remote access Trojan (RAT) that has been used likely by multiple groups to carry out intrusions in various regions since at least 2010, including by one group referred to as the same name, [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: Kaspersky Winnti April 2013)(Citation: Microsoft Winnti Jan 2017)(Citation: Novetta Winnti April 2015)(Citation: 401 TRG Winnti Umbrella May 2018). The Linux variant is tracked separately under [Winnti for Linux](https://attack.mitre.org/software/S0430).(Citation: Chronicle Winnti for Linux May 2019)
Associated Techniques (22)
| ID | ATT&CK | Tactics |
|---|---|---|
| T1027.013 | Encrypted/Encoded File | - |
| T1027.015 | Compression | - |
| T1036.005 | Match Legitimate Resource Name or Location | - |
| T1057 | Process Discovery | - |
| T1070.004 | File Deletion | - |
| T1070.006 | Timestomp | - |
| T1071.001 | Web Protocols | - |
| T1082 | System Information Discovery | - |
| T1083 | File and Directory Discovery | - |
| T1090.001 | Internal Proxy | - |
| T1090.002 | External Proxy | - |
| T1095 | Non-Application Layer Protocol | - |
| T1105 | Ingress Tool Transfer | - |
| T1106 | Native API | - |
| T1140 | Deobfuscate/Decode Files or Information | - |
Used by Actors (2)
Metadata
| ID: | 583 |
| Created: | 13/01/2026 17:48 |
| Updated: | 06/03/2026 16:00 |