Glutton: Analyzing APT41’s Latest Weapon in its Cyber Espionage Arsenal
The Chinese hacking group Winnti, also known as APT41, has been employing a new PHP backdoor named Glutton to target organizations in China and the United States, as well as other cybercriminals. The discovery of this malicious tool was made by XLab, the research arm of the Chinese cybersecurity firm QAX.
According to XLab, Glutton was first identified in April 2024, though evidence suggests its activity dates back to December 2023. While the backdoor boasts extensive functionality, researchers have noted deficiencies in its stealth and encryption capabilities, indicating that it remains in the early stages of development.
Glutton is a modular PHP backdoor designed to be adapted to each target. Its core components include modules for loading, installation, obfuscation, and task execution, which lets Winnti tailor each deployment while leaving few traces on the host.
The backdoor runs inside long-lived PHP processes such as PHP-FPM workers, so its payload can execute in memory without being written to disk. For persistence across reboots, Glutton modifies existing system files rather than dropping new ones, and it specifically targets popular PHP frameworks, including ThinkPHP, Yii, Laravel, and DedeCMS.
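Because Glutton persists by editing files that already belong to the web application or framework, a file-integrity baseline of the PHP web root is the practical check a defender can run. The following is an added example written for this page, not code from XLab or from the backdoor: it hashes every PHP file under a root, stores the result as a baseline, and reports files that were modified, added or removed. The directory layout and the appended `include` line are constructed for the demo. The baseline should be stored off the host, since the malware is positioned to rewrite anything local, and this check does not see code that only ever lives in a PHP-FPM worker's memory.

```python
"""Added example: file-integrity baseline for a PHP web root.
Not XLab's or Glutton's code; all paths and sample files are constructed."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Extensions PHP-FPM will execute; extend to match the pool's security.limit_extensions.
PHP_EXTENSIONS = {".php", ".phtml", ".inc"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large vendor trees do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each PHP file (path relative to root, POSIX form) to its SHA-256.
    os.walk is used so dotfiles such as a dropped '.cache.php' are not skipped."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in PHP_EXTENSIONS:
                baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def diff_against_baseline(root: Path, baseline: dict) -> dict:
    """Compare the live tree with a stored baseline and classify every difference."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Build a tiny constructed web root, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "vendor/yiisoft/yii2").mkdir(parents=True)
        (root / "vendor/yiisoft/yii2/Yii.php").write_text("<?php // framework bootstrap\n")
        (root / "index.php").write_text("<?php require 'vendor/autoload.php';\n")
        (root / "config").mkdir()
        (root / "config/web.php").write_text("<?php return [];\n")

        baseline = build_baseline(root)  # in practice: store this off-host

        # Simulated persistence edit: an include appended to a framework entry point.
        # The path '/tmp/.x' is a constructed placeholder, not an indicator from the report.
        with (root / "vendor/yiisoft/yii2/Yii.php").open("a") as f:
            f.write("include '/tmp/.x';\n")
        # Simulated dropped file hidden as a dotfile inside the config directory.
        (root / "config/.cache.php").write_text("<?php // dropped\n")

        return diff_against_baseline(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a real web root by calling `build_baseline(Path("/var/www/app"))` once after a clean deploy, writing the dict to JSON somewhere the web server user cannot reach, and scheduling `diff_against_baseline` against that stored copy. Any entry under `modified` in a vendor or framework directory that does not coincide with a deploy deserves a manual look.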
Notably, Winnti uses Glutton not only against corporations but also to infiltrate systems belonging to rival hackers. The malicious code is embedded in software advertised on underground cybercriminal forums such as Timibbs as gaming platforms, cryptocurrency exchanges, or automated bot services, so that the buyers of those packages become the victims.
Upon infection, Glutton deploys the HackBrowserData tool to exfiltrate sensitive browser data, including passwords, cookies, credit card information, and other confidential details. XLab suggests this tactic aligns with a “black-on-black” strategy, wherein vulnerabilities of competing cybercriminals are actively exploited for gain.
Despite Glutton’s sustained activity over the past year, its initial access vector remains unknown. Researchers have shared indicators of compromise to aid organizations in fortifying their defenses against this emerging threat.