Winnti Abuses GitHub for C&C Communications

released on 2017-03-22 @ 02:32:49 PM
Recently, the Winnti group, a threat actor with a history of traditional cybercrime, particularly financial fraud, has been seen abusing GitHub by turning it into a conduit for the command-and-control (C&C) communications of a seemingly new backdoor (detected by Trend Micro as BKDR64_WINNTI.ONM). Our research also showed that the group still uses some of the infamous PlugX malware variants, a staple in Winnti's arsenal, to handle targeted attack operations via the GitHub account we identified.
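Because GitHub is a legitimate destination on almost any developer network, simply blocking it is rarely an option; the practical detection angle is to look for GitHub traffic that does not look like a developer or a browser produced it. The script below is an added example for this page, not code from Trend Micro or from the write-up, and it does not reproduce the backdoor's actual protocol. It assumes a constructed proxy log format (timestamp, source host, quoted user agent, method, URL), a hypothetical list of user agents a workstation legitimately presents to GitHub, and constructed sample lines; the repository path and the odd user agent are placeholders, not indicators from the article. It flags two things: GitHub requests from an unexpected user agent, and the same host fetching the same GitHub URL at a near-constant interval (beaconing).

```python
"""
Hunting for GitHub-as-C&C beaconing in HTTP proxy logs.

Added example, not Trend Micro's or the backdoor's code. The log format,
the legitimate user-agent list and the sample lines are all assumptions
constructed for this illustration.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Hosts that GitHub content is served from (assumption: extend for your estate).
GITHUB_HOSTS = ("github.com", "raw.githubusercontent.com", "gist.github.com")

# User agents a developer workstation legitimately sends to GitHub (assumption).
LEGIT_UA = re.compile(r"^(Mozilla/|git/|GitHub(Desktop)?|Go-http-client|pip/|npm/)")

# Constructed log format: "<date> <time> <src-host> \"<user-agent>\" <method> <url>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<src>\S+) "(?P<ua>[^"]*)" (?P<method>\S+) (?P<url>\S+)$'
)


def parse_line(line):
    """Parse one constructed proxy log line; return None on a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def github_host(url):
    """Return the GitHub hostname of a URL, or None if it is not GitHub."""
    m = re.match(r"https?://([^/]+)", url)
    return m.group(1) if m and m.group(1) in GITHUB_HOSTS else None


def analyze(lines, max_jitter=0.2, min_hits=4):
    """
    Return a list of (src_host, url, reason) findings.

    max_jitter: coefficient of variation of inter-request gaps below which a
                (host, url) series is treated as beaconing.
    min_hits:   minimum requests before the beaconing test is applied.
    """
    by_src_url = defaultdict(list)
    seen_ua = set()
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec or not github_host(rec["url"]):
            continue
        # Heuristic 1: GitHub traffic from a user agent no developer tool uses.
        if not LEGIT_UA.match(rec["ua"]):
            key = (rec["src"], rec["url"], rec["ua"])
            if key not in seen_ua:
                seen_ua.add(key)
                findings.append((rec["src"], rec["url"],
                                 f"unexpected user agent {rec['ua']!r}"))
        by_src_url[(rec["src"], rec["url"])].append(rec["ts"])

    # Heuristic 2: the same host fetching the same URL on a fixed cadence.
    for (src, url), stamps in by_src_url.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            findings.append((src, url,
                             f"beaconing every ~{mean:.0f}s over {len(stamps)} requests"))
    return findings


# Constructed sample: one developer host doing normal work, one finance
# workstation polling a placeholder raw-content URL every ten minutes.
BEACON_URL = "https://raw.githubusercontent.com/example-user/example-repo/master/README.md"
SAMPLE_LOG = [
    '2017-03-20 09:00:00 ws-dev01 "git/2.11.0" GET https://github.com/acme/app.git/info/refs',
    '2017-03-20 09:05:00 ws-dev01 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" GET https://github.com/acme/app/pull/42',
] + [
    f'2017-03-20 09:{m:02d}:00 ws-fin07 "HTTP Client/1.0" GET {BEACON_URL}'
    for m in (0, 10, 20, 30, 40)
]


if __name__ == "__main__":
    for src, url, reason in analyze(SAMPLE_LOG):
        print(f"{src}\t{url}\t{reason}")
```

The two heuristics are deliberately independent: a backdoor that spoofs a browser user agent still shows up on cadence, and one that randomizes its sleep still shows up on user agent. Tune `LEGIT_UA`, `max_jitter` and `min_hits` against a baseline of your own developer traffic before alerting on the output.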