The Chinese state-sponsored hacking group Winnti (APT41) has developed a new PHP backdoor, Glutton, used to attack organizations in China and the U.S. as well as other cybercriminals. First detected by QAX’s XLab in April 2024, the malware dates back to December 2023 and is still in early development, with noticeable weaknesses in its stealth and encryption.
Glutton is a modular ELF-based backdoor whose components enable stealthy, tailored attacks. It uses in-memory execution to evade detection, modifies system files for persistence, and injects malicious code into popular PHP frameworks such as ThinkPHP, Yii, Laravel, and Dedecms. It also targets the Baota web panel, a tool commonly used in China that often manages sensitive data.
With 22 supported commands, Glutton performs file manipulation, system scans, command execution, and metadata exfiltration. Interestingly, it has also been deployed against rival hackers, trojanizing software packages sold on cybercrime forums to steal browser-stored data such as passwords and credit card details through tools like HackBrowserData.
XLab suggests Winnti's “black eats black” strategy allows the group to exploit cybercriminals’ own activities to extract valuable data. The campaign, ongoing for over a year, highlights the growing sophistication and dual-target focus of Winnti's operations.