
Cyber Incident Victim: Huawei Technologies Co., Ltd.

Date: Jan 2011

Location: China

Summary

The Winnti Group, a state-backed threat actor, deployed new PortReuse malware variants and updated ShadowPad malware to compromise servers of a major Asian mobile hardware and software manufacturer. PortReuse functioned as a passive network implant, injecting into legitimate processes like IIS to await activation via magic packets, enabling stealthy command execution without traditional C2 infrastructure. The malware targeted critical ports including HTTP, HTTPS, RDP, and WinRM. Researchers identified eight infected servers within the victim's infrastructure, indicating reconnaissance for a potential supply-chain attack leveraging the manufacturer's trusted software distribution channels. The incident mirrored prior Winnti tactics involving compromised update mechanisms to propagate malware at scale.


Description

In 2019, ESET researchers documented an updated cyberespionage campaign by the Winnti Group (a Chinese state-aligned threat actor tracked under multiple aliases including APT41 and BARIUM) targeting a high-profile Asian mobile hardware and software manufacturer. The attackers deployed a novel modular backdoor named PortReuse, designed to inject itself into processes already listening on network ports (53/DNS, 80/HTTP, 443/HTTPS, 3389/RDP, 5985/WinRM) and await activation via a magic packet in incoming traffic. This passive network implant avoided interference with legitimate communications unless triggered, forwarding unremarkable traffic to legitimate applications. PortReuse variants employed multiple delivery methods—embedded within .NET applications, VB scripts executing shellcode via .NET objects, or executables with direct shellcode entry points—and operated without traditional C2 servers by leveraging the NetAgent listener within compromised processes. The malware parsed traffic using two primary techniques: hooking low-level receive functions (WSARecv, NtDeviceIoControlFile) or registering malicious URL handlers via HttpAddUrl on IIS servers. One port-agnostic variant triggered activation only when source ports were below 22.


ESET identified the campaign through forensic analysis of a PortReuse variant injecting into Microsoft IIS servers, which inspected HTTP GET request headers (Server, Content-Length) for activation signatures. Researchers collaborated with Censys to conduct an internet-wide scan, revealing eight infected servers linked to a single Asian organization—a major mobile manufacturer—indicating preparatory activity for a potential supply-chain attack. The victim organization was notified, and joint remediation efforts commenced. Concurrently, Winnti Group’s ShadowPad malware received updates including randomized module IDs and enhanced obfuscation, reflecting ongoing toolset refinement. Historical context traces the group’s activity to at least 2011, with prior compromises including gaming sector supply-chain attacks distributing malware via game update servers. The incident underscored Winnti Group’s persistent focus on high-value industrial targets and evolution toward stealthier, network-based persistence mechanisms.
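As an added example (not code from this page or from ESET), the following Python heuristic checks telemetry for the two activation traits described above: the port-agnostic variant's trigger on source ports below 22, and the IIS variant's inspection of Server and Content-Length headers in GET requests. The flow records and HTTP request are constructed samples; the threshold and header names are taken from the description.

```python
"""Detection heuristics for the PortReuse activation traits described above.

Added example, not from the original page or from ESET. All inputs below
are constructed samples, not real telemetry.
"""
from dataclasses import dataclass

# The port-agnostic variant activated only when the client source port was
# below 22. Legitimate clients use ephemeral source ports (>= 1024), so any
# inbound connection with a source port this low is worth investigating.
LOW_SRC_PORT_THRESHOLD = 22


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_port: int


def flag_low_source_port(flows):
    """Return inbound flows whose source port is below the threshold."""
    return [f for f in flows if f.src_port < LOW_SRC_PORT_THRESHOLD]


def parse_request_headers(raw):
    """Split a raw HTTP/1.x request into (method, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, headers


def flag_suspicious_get(raw):
    """Return reasons a GET request resembles the IIS variant's trigger:
    a Server header (normally response-only) or a Content-Length on a GET."""
    method, headers = parse_request_headers(raw)
    reasons = []
    if method != "GET":
        return reasons
    if "server" in headers:
        reasons.append("response-only Server header in request")
    if "content-length" in headers:
        reasons.append("Content-Length on GET")
    return reasons


SAMPLE_FLOWS = [  # constructed sample flows
    Flow("198.51.100.7", 51532, 443),   # ordinary client, ephemeral source port
    Flow("203.0.113.9", 17, 3389),      # source port below 22 toward RDP
    Flow("203.0.113.9", 5, 8080),       # low source port toward an unlisted port
]
SAMPLE_REQUEST = (  # constructed sample request
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "Server: Microsoft-IIS/10.0\r\nContent-Length: 0\r\n\r\n"
)
```

Both checks are heuristics: a low source port or an odd request header is a lead for triage, not proof of compromise, and each flagged host should be confirmed by inspecting the process that owns the listening socket.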
