While groups like Winnti can be highly sophisticated in their attack techniques, the wide range of tools and techniques they use can offer multiple opportunities for detection. Companies’ primary goal should be to diversify their security efforts to cover a wide range of possibilities. For protecting IP and detecting unauthorized file access, consider using canary tokens, which are files that appear to contain lucrative data (such as passwords.xlsx or patentdata2022.pdf) that send an alert when they are opened. Companies should also consider analyzing business use-case for file sharing sites, such as Dropbox and Google Drive, and limit access to those sites where possible. Some web proxies can even allow users to request one-time approval for accessing blocked sites, enabling security personnel to review the files being requested. For detecting new or obscure executables, companies can include hashes of executables in process logs and perform long-tail analysis, looking for hash/file name combinations that appear infrequently. This is best paired with an effective software management process to reduce the likelihood that legitimate processes match across multiple devices.

https://thehackernews.com/2022/10/chinese-spyder-loader-malware-spotted.html

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/spyder-loader-cuckoobees-hong-kong

https://www.cybereason.com/blog/operation-cuckoobees-cybereason-uncovers-massive-chinese-intellectual-property-theft-operation