
A sophisticated cyber espionage campaign dubbed RevivalStone, attributed to the China-linked threat actor Winnti, targeted Japanese manufacturing, materials, and energy companies in March 2024. Japanese cybersecurity firm LAC identified the operation, which overlaps with the activities of Earth Freybug, a subset of the APT41 group.
Attack Methodology:
– Exploited SQL injection vulnerabilities in ERP systems
– Deployed web shells (China Chopper and Behinder)
– Utilized stolen credentials for lateral movement
– Compromised MSP infrastructure to reach additional targets
Key Malware Components:
1. DEATHLOTUS: CGI backdoor for file creation and command execution
2. PRIVATELOG: Loader for Winnti RAT
3. CUNNINGPIGEON: Backdoor using Microsoft Graph API
4. WINDJAMMER: Network-intercepting rootkit
5. SHADOWGAZE: IIS web server backdoor
The campaign features an updated version of Winnti malware (possibly v5.0) with enhanced capabilities:
– Advanced obfuscation techniques
– Updated encryption algorithms
– Improved security product evasion
The threat actor compromised multiple organizations through a shared MSP account, demonstrating sophisticated supply chain attack capabilities. References to TreadStone and StoneV5 were discovered, potentially indicating connections to the recent I-Soon leak.
Concurrently with this campaign, researchers identified SSHDInjector, a Linux-based attack suite linked to another Chinese group, Daggerfly, that has been targeting network appliances for persistent access and data exfiltration since November 2024.