The Winnti group is a Chinese-linked cybercriminal group that is most well-known for its 2011 attacks against online video game producers.
These attacks were committed with the intent of stealing digital certificates used to sign software. With these compromised certificates in hand, the group would then use them to attack other video game companies to steal their certificates as well.
In addition to a company's certificates, the source code for their video games was targeted as well, possibly to search for vulnerabilities within the game to exploit for monetary gain. One of the targeted companies described how the attackers were trying to acquire in-game currency illegally, which they could then try to convert into real-currency. The Winnti Group was also able to successfully distribute Trojans to players of a popular online game by deploying malware on the game's official update server.
The latest update to the Winnti group's backdoor uses GitHub to receive directives as part of the Command and Control (C&C) chain. To find out where it needs to connect to next, the malware will access an HTML page stored within a GitHub repo. This page contains an encrypted string that once decrypted, will show the IP address and port number that it will receive commands from.
This update helps the malware mask its network traffic, as accessing GitHub is unlikely to raise many red flags within a corporate environment.