ETDA ThaiCERT
Report
Search
Home > List all groups > Wicked Spider, APT 22

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Wicked Spider, APT 22

NamesWicked Spider (CrowdStrike)
APT 22 (Mandiant)
CountryChina China
MotivationFinancial crime
First seen2018
Description(CrowdStrike) Winnti Group, Blackfly, Wicked Panda refers to the targeted intrusion operations of the actor publicly known as “Winnti,” whereas Wicked Spider represents this group’s financially-motivated criminal activity. Originally, Wicked Spider was observed exploiting a number of gaming companies and stealing code-signing certificates for use in other operations associated with the malware known as Winnti. Now, Winnti is commonly associated with the interests of the government of the People’s Republic of China (PRC).

Wicked Spider has been observed targeting technology companies in Germany, Indonesia, the Russian Federation, South Korea, Sweden, Thailand, Turkey, the United States, and elsewhere. Notably, Wicked Spider has often targeted gaming companies for their certificates, which can be used in future PRC-based operations to sign malware. Ongoing analysis is still evaluating how these certificates are used — whether Wicked Spider hands the certificates off to other adversaries for use in future campaigns or stockpiles them for its own use.
ObservedSectors: Technology.
Countries: Germany, Indonesia, Russia, South Korea, Sweden, Thailand, Turkey, USA and elsewhere.
Tools usedDoublePulsar, EternalBlue, Gh0st RAT, PlugX.
Information<https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-july-wicked-spider/>

Last change to this card: 15 April 2020

Download this actor card in PDF or JSON format

Previous: Whitefly, Mofang
Next: Wild Neutron, Butterfly, Sphinx Moth

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key