Wicked Spider, APT 22
Description
(CrowdStrike) Winnti Group, Wicked Panda refers to the targeted intrusion operations of the actor publicly known as “Winnti,” whereas Wicked Spider represents this group’s financially-motivated criminal activity. Originally, Wicked Spider was observed exploiting a number of gaming companies and stealing code-signing certificates for use in other operations associated with the malware known as Winnti. Now, Winnti is commonly associated with the interests of the government of the People’s Republic of China (PRC).
Wicked Spider has been observed targeting technology companies in Germany, Indonesia, the Russian Federation, South Korea, Sweden, Thailand, Turkey, the United States, and elsewhere. Notably, Wicked Spider has often targeted gaming companies for their certificates, which can be used in future PRC-based operations to sign malware. Ongoing analysis is still evaluating how these certificates are used — whether Wicked Spider hands the certificates off to other adversaries for use in future campaigns or stockpiles them for its own use.
Names
| Name | Name-Giver |
|---|---|
| Wicked Spider | CrowdStrike |
| APT 22 | Mandiant |
| Bronze Export | SecureWorks |
| Bronze Olive | SecureWorks |
Country
Motivation
- Financial crime
First Seen
2018
Observed Sectors
Observed Countries
Tools
Information
Other Information
Uuid
2eca8267-0436-448f-aa63-97e70d08ce3e
Last Card Change
2024-03-13