{"id":46486,"date":"2022-05-04T20:07:56","date_gmt":"2022-05-04T20:07:56","guid":{"rendered":"https:\/\/www.darkreading.com\/attacks-breaches\/china-winnti-apt-trade-secrets-us"},"modified":"2022-05-04T20:07:56","modified_gmt":"2022-05-04T20:07:56","slug":"china-backed-winnti-apt-siphons-reams-of-us-trade-secrets-in-sprawling-cyber-espionage-attack","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/china-backed-winnti-apt-siphons-reams-of-us-trade-secrets-in-sprawling-cyber-espionage-attack\/","title":{"rendered":"China-Backed Winnti APT Siphons Reams of US Trade Secrets in Sprawling Cyber-Espionage Attack"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/blt005142148f5f384a\/6272d33bfddaba11fb8949f6\/CuckooBee-VivienKent-Alamy.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p>China&#8217;s Winnti cyberthreat group has been quietly stealing immense stores of intellectual property and other sensitive data from manufacturing and technology companies in North America and Asia for years.<\/p>\n<p>That&#8217;s according to researchers from Cybereason, who estimate that the group has so far stolen hundreds of gigabytes of data from more than 30 global organizations since the cyber-espionage campaign began. 
Trade secrets are a big part of that, they said, including blueprints, formulas, diagrams, proprietary manufacturing documents, and other business-sensitive information.<\/p>\n<p>In addition, the attackers have harvested details about a target organization&#8217;s network architecture, user accounts, credentials, customer data, and business units that they could leverage in future attacks, Cybereason says in reports <a href=\"https:\/\/www.cybereason.com\/blog\/operation-cuckoobees-cybereason-uncovers-massive-chinese-intellectual-property-theft-operation\" target=\"_blank\" rel=\"noopener\">summarizing its investigation<\/a> this week.<\/p>\n<p>The security vendor said it has shared its findings with the FBI, which back in 2019 had warned of China-based cyberthreat groups engaged in the <a href=\"https:\/\/www.fbi.gov\/file-repository\/china-exec-summary-risk-to-corporate-america-2019.pdf\/view#:~:text=The%20FBI%20produced%20several%20resources,protect%20themselves%20from%20counterintelligence%20threats.\" target=\"_blank\" rel=\"noopener\">massive theft of intellectual property<\/a> from US firms to support the country&#8217;s &#8220;Made in China 2025&#8221; modernization initiative.<\/p>\n<p>&#8220;Global manufacturers are targets of Chinese state-sponsored threat groups,&#8221; says Assaf Dahan, senior director and head of threat research at Cybereason. &#8220;Our research highlights the importance of protecting Internet-facing assets, early detection of scanning activity and exploitation attempts, the ability to detect web shell activity, persistence, reconnaissance attempts by legitimate Windows tools, credential dumping, and lateral movement attempts.&#8221;<\/p>\n<p><strong>Winnti Stung by CuckooBees<\/strong><br \/>Winnti (aka APT41, Wicked Panda, or Barium) is a threat group that has been active since at least 2010. The group is believed to be working on behalf of, or with the support of, the Chinese government. 
Some security vendors have described Winnti as an umbrella group <a href=\"https:\/\/www.darkreading.com\/attacks-breaches\/report-china-s-intelligence-apparatus-linked-to-previously-unconnected-threat-groups\" target=\"_blank\" rel=\"noopener\">comprised of multiple threat actors<\/a> operating under the control of China&#8217;s state intelligence agencies. The group has been linked to attacks in 2010 on scores of US firms (including Google and Yahoo). And in 2020, the US government <a href=\"https:\/\/www.darkreading.com\/threat-intelligence\/indictments-unlikely-to-deter-china-s-apt41-activity\" target=\"_blank\" rel=\"noopener\">indicted five members<\/a> of the threat group, although the action did little to stop its activities.<\/p>\n<p>Researchers from Cybereason stumbled upon the threat group&#8217;s latest campaign when investigating a 2021 intrusion at a $5 billion global manufacturing company with operations in Asia, North America, and Europe, Dahan says, and have been gathering evidence on the activity since then.<\/p>\n<p>The researchers dubbed the investigation &#8220;Operation CuckooBees,&#8221; because cuckoo bees are very evasive, and the Winnti group is one of the most elusive hacking groups, Dahan explains.<\/p>\n<p>&#8220;Operation CuckooBees was a 12-month investigation focused on Winnti Group&#8217;s global espionage campaign against defense, aerospace, energy, biotech, and pharmaceutical manufacturers,&#8221; Dahan says.<\/p>\n<p><strong>New Tools, Rare Abuse of Windows CLFS Mechanism<\/strong><br \/>Cybereason&#8217;s investigation also revealed fresh aspects of the group&#8217;s technical approach, including the development of new malware tools \u2014 or new versions of its old malware \u2014 and sophisticated new techniques for payload delivery and evasion. <\/p>\n<p>The new tools include one called DeployLog, made for deploying the threat group&#8217;s namesake Winnti kernel-level rootkit. 
New versions of tools it has used in the past include an initial payload called Spyder Loader; a privilege-escalation tool called PrivateLog; and a tool called StashLog for storing payloads in a hard-to-crack Windows function.<\/p>\n<p>One notable aspect of Winnti group&#8217;s new campaign, according to Cybereason, is the threat actor&#8217;s use of a Windows high-performance logging feature called Common Log File System (CLFS) to hide malicious payloads.<\/p>\n<p>&#8220;The CLFS mechanism is rather obscure and is still undocumented by Microsoft,&#8221; Dahan notes. &#8220;The attackers used the CLFS mechanism to hide their payloads in a place most security products or practitioners wouldn\u2019t look for.&#8221; He adds that the ability to abuse the mechanism points to the level of sophistication and resources that the threat actors have at their disposal.<\/p>\n<p>&#8220;It requires a lot of effort to reverse-engineer this mechanism to abuse it for nefarious purposes,&#8221; he says.<\/p>\n<p>Dahan says Cybereason has not observed any other threat group abuse the CLFS mechanism to stash payloads in the same manner.<\/p>\n<p><strong>The Evolving Winnti Attack Chain<\/strong><br \/>In its latest campaign, Winnti group threat actors targeted vulnerable Internet-facing servers as a vector for gaining an initial foothold on a target network. In some instances, the attackers gained initial entry on systems by exploiting known vulnerabilities in enterprise resource planning (ERP) platforms.<\/p>\n<p>&#8220;To the best of our knowledge, the vulnerabilities that were exploited in the observed attacks have fixes that were issued by the vendor,&#8221; Dahan says.<\/p>\n<p>Once in, Cybereason observed the attackers adopting what it described as a &#8220;house-of-cards&#8221; approach to deploying their malicious payloads, where each component of the attack chain depended on the previous one and the other components to function properly. 
This made it difficult to analyze each malware component in the attack chain separately.<\/p>\n<p>&#8220;If for some reason, one component is missing or gets detected \u2013 the entire thing would fall apart,&#8221; Dahan says.<\/p>\n<p>The approach also added another layer of protection and stealth because each of the components in the attack chain is not entirely malicious on its own, and so would be unlikely to be flagged as malicious by security products, Dahan says. To become malicious, the components in the attack chain must be assembled in a certain order.<\/p>\n<p>&#8220;The \u2018house of cards\u2019 approach makes it difficult for security researchers to analyze the payload and the flow of the attack,&#8221; he explains. &#8220;You really have to see the entire attack and collect all the payloads and know how to run them in the exact order in which they were designed to run.&#8221;<\/p>\n<p>Read More <a href=\"https:\/\/www.darkreading.com\/attacks-breaches\/china-winnti-apt-trade-secrets-us\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Operation CuckooBees uncovered the state-sponsored group&#8217;s sophisticated new tactics in a years-long campaign that hit more than 30 tech and manufacturing companies.Read More <a href=\"https:\/\/www.darkreading.com\/attacks-breaches\/china-winnti-apt-trade-secrets-us\">HERE<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[151],"tags":[],"class_list":["post-46486","post","type-post","status-publish","format-standard","hentry","category-darkreading-ti"],"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/46486","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=46486"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/46486\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=46486"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=46486"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=46486"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}