Winnti’s new Glutton backdoor targets organizations and cybercriminals alike

A new PHP backdoor named ‘Glutton’ has been observed in a cyber campaign believed to have been orchestrated by the notorious Chinese hacking group Winnti (APT41). The malware is reportedly being used not only in attacks against organizations in China and the United States, but also as part of an unusual ‘black eats black’ strategy targeting other cybercriminals.

According to Chinese cybersecurity firm QAX XLab that first spotted the backdoor in April 2024, the tool has been active since December 2023. While sophisticated, Glutton has some issues in its stealth and encryption mechanisms, which may indicate that it is still under development.

Winnti has been a major player in cyberespionage and financial theft since 2012. Known for targeting sectors such as gaming, pharmaceuticals, telecommunications, and government organizations, the group has recently been observed deploying the Glutton backdoor in attacks on IT service providers, social security agencies, and web app developers.

Glutton is described as an ELF-based modular backdoor whose architecture is broken into four core components, responsible respectively for detecting the target environment, installing the backdoor, obfuscation, and executing the backdoor and managing communication with the command-and-control (C2) server. The components can function independently or in sequence, XLab noted.

The malware leverages in-memory execution to avoid leaving traces, disguising itself as a legitimate php-fpm process. It injects malicious code into PHP files used by popular frameworks like ThinkPHP, Yii, Laravel, and Dedecms.

Glutton modifies critical system files, such as /etc/init.d/network, to ensure persistence across system reboots. It also targets the Baota web panel, a widely used server management tool in China, to maintain a foothold, exfiltrate credentials, and steal sensitive data like MySQL configurations. The backdoor supports a wide array of 22 commands issued by its C2 server.
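A defender-side hunt for the php-fpm masquerade and in-memory execution described above, added here as an example and not taken from the article or from XLab’s report. The set of trusted php-fpm binary locations (including the Baota panel’s /www/server/php/<version>/sbin/php-fpm) is an assumption to adjust for your own hosts, and the sample process records are constructed.

```python
"""Flag processes that call themselves php-fpm but do not run from a trusted on-disk binary."""
import os
import re
from dataclasses import dataclass

# Assumption: where php-fpm legitimately lives on common distros and on Baota-managed servers.
TRUSTED_PHP_FPM = re.compile(
    r"^(/usr/sbin/php-fpm[0-9.]*|/usr/local/sbin/php-fpm"
    r"|/usr/local/php/sbin/php-fpm|/www/server/php/[0-9]+/sbin/php-fpm)$"
)


@dataclass
class Proc:
    pid: int
    comm: str  # process name as read from /proc/<pid>/comm
    exe: str   # resolved target of the /proc/<pid>/exe symlink


def classify(p: Proc) -> str:
    """Return 'ok', or the reason this php-fpm lookalike deserves a closer look."""
    if not p.comm.startswith("php-fpm"):
        return "ok"  # only php-fpm-named processes are in scope here
    # Code executed from memfd or from an unlinked file has no backing file on disk,
    # which is what in-memory execution looks like from /proc.
    if "memfd:" in p.exe or p.exe.endswith(" (deleted)"):
        return "in-memory or deleted executable"
    if not TRUSTED_PHP_FPM.match(p.exe):
        return f"untrusted binary path {p.exe}"
    return "ok"


def read_procs() -> list:
    """Collect (pid, comm, exe) for every readable process in /proc (Linux only)."""
    out = []
    for d in os.listdir("/proc") if os.path.isdir("/proc") else []:
        if not d.isdigit():
            continue
        try:
            with open(f"/proc/{d}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{d}/exe")
        except OSError:
            continue  # process exited or we lack permission to read it
        out.append(Proc(int(d), comm, exe))
    return out


def find_suspicious(procs: list) -> list:
    """Return (pid, reason) pairs for every process classify() does not accept."""
    return [(p.pid, classify(p)) for p in procs if classify(p) != "ok"]


# Constructed sample records so the logic can be exercised offline.
SAMPLE = [
    Proc(1201, "php-fpm", "/usr/sbin/php-fpm8.2"),
    Proc(4410, "php-fpm", "/tmp/.x/php-fpm"),
    Proc(4532, "php-fpm", "/memfd:payload (deleted)"),
    Proc(77, "nginx", "/usr/sbin/nginx"),
]

if __name__ == "__main__":
    live = read_procs()
    for pid, reason in find_suspicious(live if live else SAMPLE):
        print(pid, reason)
```

Run it as root so /proc/<pid>/exe is readable for every process; a hit is a starting point for triage, not proof of compromise on its own.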

Winnti has also been observed deploying Glutton against cybercriminals. Trojanized software packages containing Glutton have appeared on dark web forums like Timibbs, masquerading as gambling systems, fake cryptocurrency exchanges, and click-farming platforms.

Once installed on a cybercriminal’s system, Glutton deploys tools like HackBrowserData to extract sensitive information, including passwords, cookies, credit card details, and browsing histories from web browsers.
