China’s Winnti Group Seen Targeting Governments in Sri Lanka, Hong Kong

Active since at least 2007 and also tracked as APT41, Barium, Blackfly, Double Dragon, Wicked Panda, and Wicked Spider, the Winnti Group is believed to comprise multiple subgroups that carry out both cyberespionage and financially motivated operations.

As part of a campaign ongoing since early August, the threat actor has been deploying various payloads against government entities in Sri Lanka, including the KeyPlug malware and a new backdoor called DBoxAgent. This appears to be the first time Winnti has targeted Sri Lanka.

The timing of the campaign, which coincided with a geopolitical event involving China and Sri Lanka, together with the observed tactics, techniques, and procedures (TTPs), suggests that the Winnti group was behind the operation, Malwarebytes says.