Winnti hackers split Cobalt Strike into 154 pieces to evade detection
2022-08-18 15:48

The Chinese Winnti hacking group, also known as 'APT41' or 'Wicked Spider,' targeted at least 80 organizations last year and successfully breached the networks of at least thirteen.

One of Winnti's unique deployment methods for the Cobalt Strike beacons involved obfuscating the payload on the host to evade detection by security software.

In some cases, it took 154 repetitions of this action to write the payload onto a file, but in others, Winnti increased the chunk size to 1,024 characters to reduce the iterations.

Another unique approach concerning Cobalt Strike deployment by Winnti is using listeners with over 106 custom SSL certificates, mimicking Microsoft, Facebook, and Cloudflare.

Group-IB's report helps fill in the gaps, outlining the hacking group's tactics, techniques, and procedures and confirming that Winnti manages to remain elusive.

In March 2022, Mandiant reported that Winnti breached government networks in six U.S. states using Cisco and Citrix exploits.


News URL

https://www.bleepingcomputer.com/news/security/winnti-hackers-split-cobalt-strike-into-154-pieces-to-evade-detection/