In March 2024, a new cyber espionage campaign, dubbed “RevivalStone,” linked to the China-based threat actor Winnti, surfaced with significant ramifications. The attack primarily targeted Japanese businesses in sectors like manufacturing, materials, and energy. Security experts from LAC, a Japanese cybersecurity company, uncovered the campaign, which closely aligns with the threat cluster that Trend Micro tracks as Earth Freybug and with various other aliases tied to the APT41 cyber espionage group. This new operation highlights the ongoing persistence of APT41, a highly skilled threat group capable of executing both espionage and supply chain poisoning operations with incredible stealth.
The Winnti group, active since 2012, has used an arsenal of malware tools to infiltrate organizations globally. The most recent campaign is marked by the use of sophisticated techniques, such as exploiting vulnerabilities in enterprise resource planning (ERP) systems to deploy web shells and gain access for further malicious activities. The evolution of the Winnti malware, now with advanced features like better obfuscation, updated encryption, and enhanced evasion capabilities, suggests that this campaign may just be the latest in a long line of ever-evolving threats.
RevivalStone Campaign
The China-linked hacking group Winnti has launched a new cyber campaign called RevivalStone, targeting Japanese companies in key industries like manufacturing, materials, and energy. The attack is linked to the APT41 group, which has long been associated with espionage and supply chain disruptions. Winnti’s modus operandi typically involves highly stealthy malware deployments that evade detection and provide persistent access to compromised networks.
The malware used in this campaign includes advanced tools like DEATHLOTUS (a backdoor), UNAPIMON (a defense evasion utility), and WINNKIT (a rootkit). The attackers used an SQL injection vulnerability to deploy web shells such as China Chopper and Behinder, followed by the delivery of updated Winnti malware versions. In addition to targeting individual companies, the group used a shared account to infect a managed service provider, thereby expanding their reach.
LAC researchers uncovered references to new components like TreadStone and StoneV5, with the latter suggesting that the Winnti malware could be evolving into a version 5.0. As the Winnti malware toolkit continues to evolve, its impact is expected to grow, posing a significant threat to global industries.
What Undercode Says:
The Winnti group, also known by multiple aliases like APT41 and Earth Freybug, has a well-established reputation as a threat actor tied to China’s state-sponsored cyber activities. With their latest campaign, RevivalStone, we witness an intensification of their efforts to target high-value sectors like manufacturing, materials, and energy. While these industries may seem disparate, they share one crucial element—critical infrastructure that underpins not just national economies but global supply chains. The focus on these sectors reflects China’s long-term strategy to secure influence over important technological and industrial resources.
Looking deeper into the technical aspects of the RevivalStone campaign, the sophistication of the malware used shows how well-resourced and methodical Winnti is. The group’s ability to develop malware like WINNKIT, a rootkit that provides stealthy, kernel-level access, demonstrates their commitment to maintaining persistent access to compromised networks. Such capabilities are not only useful for espionage but also for cyber warfare scenarios where the ability to poison supply chains and disrupt operations can have wide-reaching consequences.
One of the most striking features of the RevivalStone attack is its exploitation of ERP systems through SQL injection vulnerabilities. This reflects a growing trend of attackers targeting enterprise-level software, which is increasingly used as the entry point for wide-reaching intrusions. By leveraging known weaknesses in commonly used software, attackers can infiltrate an entire network with minimal effort, leaving the affected company unaware until significant damage has been done.
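The following is an added illustration, not code from the article, from LAC, or from any ERP product: a lookup of the kind an ERP web front end might run, written first as a string-built query (the defect class behind SQL injection) and then in its parameterised form. It uses an in-memory SQLite table with constructed rows, and the test inputs are constructed as well.

```python
"""Added example: string-built SQL beside its parameterised fix.
Runs against an in-memory SQLite database populated with constructed rows."""
import sqlite3

# Constructed sample data standing in for an ERP "suppliers" table.
SAMPLE_ROWS = [
    ("ACME Steel", "JP", "internal-only"),
    ("Kyoto Materials", "JP", "internal-only"),
    ("Nordic Energy", "NO", "internal-only"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE suppliers (name TEXT, country TEXT, notes TEXT)")
    conn.executemany("INSERT INTO suppliers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Defective pattern: the user-supplied value is spliced into the SQL text,
    # so the input can change the structure of the query, not just its data.
    sql = f"SELECT name, country FROM suppliers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterised query: the driver passes the value separately from the
    # statement, so a quote in the input is just a character in the value.
    sql = "SELECT name, country FROM suppliers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name: str) -> tuple:
    """Row counts returned by the vulnerable and the safe lookup for `name`."""
    conn = make_db()
    try:
        return len(lookup_vulnerable(conn, name)), len(lookup_safe(conn, name))
    finally:
        conn.close()


def apostrophe_breaks_vulnerable() -> bool:
    """A perfectly legitimate name with an apostrophe is enough to break the
    string-built query; the same defect that enables injection also causes
    ordinary errors, which is often the first visible symptom."""
    conn = make_db()
    try:
        lookup_vulnerable(conn, "O'Brien")
    except sqlite3.OperationalError:
        return True
    finally:
        conn.close()
    return False


if __name__ == "__main__":
    benign = "ACME Steel"
    tautology = "x' OR '1'='1"  # constructed textbook test input
    print("benign   :", compare(benign))      # (1, 1)
    print("tautology:", compare(tautology))   # (3, 0): vulnerable form dumps every row
    print("apostrophe breaks vulnerable form:", apostrophe_breaks_vulnerable())  # True
```

The point to take from the comparison is that the safe form returns zero rows for the tautology input and no error for the apostrophe input: it never lets the value alter the query, which is the property a code review of an ERP front end should be looking for.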
The use of web shells such as China Chopper and Behinder further highlights the operational sophistication of the attackers. These web shells enable the threat group to perform reconnaissance, harvest credentials, and move laterally within compromised environments. This level of control allows the group to deeply entrench itself in a network and maintain a low profile until its objectives are met.
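As an added defender-side example (not from the article or LAC's research), the script below triages web-server access logs for candidate web-shell paths. The heuristic it applies is generic rather than specific to China Chopper or Behinder: a web shell is a server-side script that is driven by POST requests, is reached by very few client addresses, and is never fetched with GET like a normal application page. The log lines, IP addresses and paths are all constructed for the example.

```python
"""Added example: access-log triage heuristic for web-shell candidates.
Flags server-side script paths that only ever receive POSTs, from at most a
handful of distinct source IPs. This is a triage signal, not proof."""
import re
from collections import defaultdict

# Constructed combined-format log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:09:00:01 +0900] "GET /erp/login.jsp HTTP/1.1" 200 2310
10.0.0.5 - - [10/Mar/2024:09:00:04 +0900] "POST /erp/login.jsp HTTP/1.1" 302 0
10.0.0.7 - - [10/Mar/2024:09:01:10 +0900] "GET /erp/orders.jsp HTTP/1.1" 200 8871
10.0.0.7 - - [10/Mar/2024:09:01:12 +0900] "POST /erp/orders.jsp HTTP/1.1" 200 120
203.0.113.9 - - [10/Mar/2024:02:13:40 +0900] "POST /erp/uploads/help.jsp HTTP/1.1" 200 58
203.0.113.9 - - [10/Mar/2024:02:13:41 +0900] "POST /erp/uploads/help.jsp HTTP/1.1" 200 4102
203.0.113.9 - - [10/Mar/2024:02:14:02 +0900] "POST /erp/uploads/help.jsp HTTP/1.1" 200 977
10.0.0.9 - - [10/Mar/2024:09:05:00 +0900] "GET /erp/static/logo.png HTTP/1.1" 200 5120
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Extensions of server-side scripts worth examining; adjust to the platform.
SCRIPT_EXT = (".jsp", ".jspx", ".php", ".asp", ".aspx", ".ashx")


def parse(log_text: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def candidate_webshells(log_text: str, max_sources: int = 2) -> list:
    """Return script paths that only ever received POST requests, and those
    only from at most `max_sources` distinct client IPs."""
    methods = defaultdict(set)   # path -> set of HTTP methods seen
    sources = defaultdict(set)   # path -> set of IPs that POSTed to it
    for rec in parse(log_text):
        path = rec["path"].split("?", 1)[0]   # drop the query string
        if not path.lower().endswith(SCRIPT_EXT):
            continue
        methods[path].add(rec["method"])
        if rec["method"] == "POST":
            sources[path].add(rec["ip"])
    return sorted(
        p for p, ms in methods.items()
        if ms == {"POST"} and 0 < len(sources[p]) <= max_sources
    )


if __name__ == "__main__":
    for path in candidate_webshells(SAMPLE_LOG):
        print("candidate web shell:", path)   # /erp/uploads/help.jsp
```

In the constructed sample, the legitimate pages receive both GET and POST traffic and are left alone, while the script under an upload directory that is only ever POSTed to by a single address is surfaced for review. A real deployment would run this over a long window, feed the hits into file-integrity and process-ancestry checks on the web server, and tune `max_sources` to the application's normal client population.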
Another critical point to consider is the broader context of APT41’s operations. Winnti is not a lone wolf actor; rather, it is part of a broader, state-sponsored espionage campaign. The fact that these attacks are aligned with China’s strategic interests adds a layer of complexity to the security landscape, as such actors are motivated by national priorities, which often include economic espionage and the theft of intellectual property. In this regard, the RevivalStone campaign can be seen as part of a much larger geopolitical struggle for control over critical industries and technologies.
One must also consider the evolving nature of the Winnti malware itself. The references to TreadStone and StoneV5 components suggest that the malware is undergoing significant development. TreadStone, in particular, could be a controller for the Winnti malware, further enhancing its stealth and persistence. As malware development continues to evolve, the risks posed to organizations increase exponentially. The added obfuscation and encryption capabilities make detection and mitigation more difficult, leaving companies hard pressed to counter the threat effectively.
As organizations in the Asia-Pacific region and beyond face increasingly sophisticated attacks like RevivalStone, it is essential to adapt defense strategies. Cyber hygiene practices such as timely patching of software, particularly for ERP systems, and continuous monitoring of network traffic for anomalies should be standard practices. Collaboration with cybersecurity firms and industry peers can also help in sharing threat intelligence and staying ahead of evolving threats.
In conclusion, the RevivalStone campaign is a stark reminder of the high stakes in the world of cyber espionage. As nation-state actors like Winnti continue to develop increasingly sophisticated techniques and malware, the need for robust cybersecurity defenses is more urgent than ever. Companies must take proactive steps to understand these threats and protect their critical assets from espionage and potential supply chain disruptions.
References:
Reported By: https://thehackernews.com/2025/02/winnti-apt41-targets-japanese-firms-in.html