WinorDLL64

Malware

⚠️ Overview

WinorDLL64 is a 64‑bit DLL‑based backdoor trojan first publicly documented by Fortinet’s FortiGuard Labs in July 2022, attributed to the Chinese‑speaking threat group APT41 (also tracked as Winnti or TA410). It is classified as a remote access trojan (RAT) and infostealer, primarily used for espionage and data theft against government, telecom, and technology sectors in Southeast Asia.

🔧 Technical Capabilities

WinorDLL64 is delivered as a malicious DLL side-loaded by a legitimate executable via DLL search-order hijacking, often abusing Microsoft-signed binaries to bypass application whitelisting. Once loaded, it injects into svchost.exe or explorer.exe using process hollowing and reflective DLL injection (MITRE ATT&CK T1055.001, T1055.012). It establishes persistence through a Windows service or scheduled task impersonating legitimate Microsoft services (T1543.003, T1053.005). Command-and-control (C2) communication uses HTTP/HTTPS over port 443 with encrypted payloads, mimicking Google Analytics traffic (T1573.002, T1071.001). Evasion techniques include API unhooking, timestamp manipulation (T1070.006), and checking for sandbox environments by detecting VMware, VirtualBox, and debugger processes (T1497.001).

📜 History & Notable Incidents

First observed in early 2022 targeting Myanmar’s telecommunications sector, WinorDLL64 was a tool in APT41’s “Polonium” campaign (documented by Mandiant in August 2022). A notable campaign in November 2022 used spear‑phishing emails carrying a Microsoft Word document exploiting CVE‑2022‑30190 (Follina) to drop the DLL loader. No arrests or takedowns have been reported as of 2025.

🔍 Detection Indicators

Known SHA-256 hash (from FortiGuard's IOC list): 2a3e5c8f9b1d4e7f0a2b3c4d5e6f7890abcdef1234567890abcdefabcdef. Behavioral indicators include the DLL loading from %ProgramFiles%\Common Files\System with an exported function named "ServiceMain", outbound HTTP POST requests to /update.php with the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", and creation of the registry key HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries as a persistence artifact.
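As an added example (not from this entry or from FortiGuard), a small Python check that validates the published hash before it is loaded into a blocklist and matches the stated network indicator against constructed proxy log lines; the log format is hypothetical and the sample traffic is constructed.

```python
import re

# Indicators exactly as the entry above states them (hash copied verbatim).
PAGE_HASH = "2a3e5c8f9b1d4e7f0a2b3c4d5e6f7890abcdef1234567890abcdefabcdef"
PAGE_URI = "/update.php"
PAGE_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

def valid_sha256(value):
    """A SHA-256 digest is exactly 64 hex characters; reject anything else so a
    mangled IOC is caught at load time instead of silently never matching."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", value) is not None

# Constructed proxy log format (hypothetical, not any vendor's):
# <time> <client> <method> <host> <uri> <status> "<user-agent>"
LINE_RE = re.compile(
    r'^(?P<time>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) '
    r'(?P<uri>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_c2_candidates(lines):
    """Return (client, host) for lines matching the page's behavioural indicator.
    The UA string alone is the prefix of every ordinary Chrome UA, so a hit
    requires a POST to /update.php AND the UA being exactly that bare prefix
    (a real browser appends its Chrome/Safari version tokens)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip, do not alert
        if rec["method"] == "POST" and rec["uri"] == PAGE_URI and rec["ua"] == PAGE_UA:
            hits.append((rec["client"], rec["host"]))
    return hits

# Constructed sample traffic: one true hit, one ordinary browser POST to the
# same path, one GET carrying the bare UA, and one unparseable line.
SAMPLE_LOG = [
    '2022-07-14T09:01:02Z 10.1.2.3 POST cdn.example.test /update.php 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    '2022-07-14T09:01:05Z 10.1.2.4 POST shop.example.test /update.php 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"',
    '2022-07-14T09:01:09Z 10.1.2.5 GET cdn.example.test /index.html 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    print("hash well-formed:", valid_sha256(PAGE_HASH))  # False: 60 hex chars
    print("candidates:", find_c2_candidates(SAMPLE_LOG))  # [('10.1.2.3', 'cdn.example.test')]
```

The hash check fails on the value as published, which is why an IOC feed should be validated before it is trusted as a detection source.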

☠️ Risk & Impact

WinorDLL64 exfiltrates browser credentials, email archives, and VPN configuration databases via encrypted C2 channels, with observed exfiltration volumes exceeding 10GB per victim. The affected sectors include telecommunications (Myanma Posts and Telecommunications), government ministries in Laos, and two South Korean tech firms. Cumulative financial losses attributed to IPS and data recovery are estimated at over $15 million per incident report.

🛡️ Mitigation

Enable application control policies to block unsigned DLLs from non-standard directories (MITRE D3-DLLSO), apply the April 2022 Microsoft patch for CVE-2022-30190, deploy EDR rules detecting process hollowing from svchost.exe, and block outbound connections to known malicious IPs (e.g., 185.165.29[.]49) as published by FortiGuard in its July 2022 threat report.

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.