Security researchers at QAX XLab have uncovered a sophisticated modular PHP backdoor named Glutton, attributed to the Advanced Persistent Threat (APT) group Winnti (also known as APT41). This newly identified malware demonstrates advanced capabilities in targeting organizations across China and the United States, while employing an unusual strategy of compromising other cybercriminal operations.
Technical Analysis: Glutton’s Advanced Architecture and Capabilities
The Glutton backdoor implements a complex modular architecture comprising four essential components. The task_loader manages environmental checks, while the init_task handles backdoor installation procedures. Additionally, the client_loader performs code obfuscation, and the client_task maintains command-and-control (C2) communications and overall backdoor management. This modular design provides attackers with exceptional flexibility in conducting targeted operations.
Sophisticated Evasion Techniques and Deployment Methods
Glutton masquerades as legitimate php-fpm processes and executes fileless operations entirely in memory. The malware specifically targets popular PHP frameworks, including ThinkPHP, Yii, Laravel, and Dedecms, injecting malicious code into their core files. This approach significantly complicates detection and removal efforts by traditional security solutions.
Strategic Persistence Mechanisms
To maintain long-term access, Glutton persists by modifying critical system files, particularly /etc/init.d/network. In attacks focused on Chinese entities, the malware specifically compromises the widely used Baota control panel, enabling the theft of administrative credentials and system configurations.
Innovative Criminal-on-Criminal Targeting Strategy
Perhaps the most intriguing aspect of Glutton’s deployment is Winnti’s strategy of targeting other cybercriminal operations. The group has been observed injecting the backdoor into malicious packages traded on underground forums, including fake cryptocurrency exchanges and gaming platforms. Once deployed, Glutton leverages the HackBrowserData tool to extract sensitive information from compromised systems, including credentials, cookies, and payment data.
Who Is at Risk
Organizations running PHP-based web applications using ThinkPHP, Yii, Laravel, or Dedecms frameworks face the highest exposure, particularly in China and the United States. Hosting providers and shared hosting environments are especially vulnerable, as a single compromised PHP-FPM process can affect multiple tenants. Ironically, other threat actors who download and deploy tools from underground forums are also directly targeted by this supply-chain-style attack.
Detecting and Responding to Glutton PHP Backdoor Infections
- Audit all PHP-FPM processes for anomalous behavior: compare running process names against known legitimate php-fpm binaries and flag any that appear duplicated or misnamed.
- Check the integrity of /etc/init.d/network and other init scripts against known-good baselines; Glutton modifies these for persistence.
- Scan all installed PHP framework core files (ThinkPHP, Laravel, Yii, Dedecms) for unauthorized modifications using a file integrity monitoring tool.
- Restrict outbound connections from web servers using egress filtering to block C2 communications to unknown external hosts.
- If using the Baota (BT) control panel, change all administrative credentials immediately and enable two-factor authentication.
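The init-script and framework-file integrity checks above can be carried out with a small baseline-and-verify script when no file integrity monitoring product is in place. The following is an added example written for this article, not code from QAX XLab or from any of the frameworks mentioned; the paths it baselines (/etc/init.d/network and a framework core directory) are the ones the report names, while the sample tree it builds under a temporary directory is constructed purely for demonstration. In practice the baseline manifest should be generated from a known-clean install and stored off the web server, since a backdoor with write access could otherwise re-baseline its own changes.

```python
#!/usr/bin/env python3
"""Baseline-and-verify integrity check for the paths Glutton is reported to
tamper with: init scripts such as /etc/init.d/network and PHP framework core
files.  Added example, not code from the QAX XLab report."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large framework files do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _collect(roots):
    """Map every regular file under each root (a file or a directory) to its hash.
    Roots that no longer exist are skipped here and surface as 'missing' later."""
    current = {}
    for root in roots:
        root = Path(root)
        if root.is_file():
            files = [root]
        elif root.is_dir():
            files = sorted(p for p in root.rglob("*") if p.is_file())
        else:
            continue
        for p in files:
            current[str(p)] = sha256_of(p)
    return current


def build_baseline(roots, manifest_path):
    """Write a JSON manifest of path -> sha256 for the given roots and return it."""
    manifest = _collect(roots)
    Path(manifest_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify(roots, manifest_path):
    """Compare the live tree with the manifest. Returns sorted lists of paths that
    were modified, are missing, or were added since the baseline was taken."""
    baseline = json.loads(Path(manifest_path).read_text())
    current = _collect(roots)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: baseline a fake server tree, tamper with it the way a
    persistence mechanism would, then verify. Returns findings relative to the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        init_script = tmp / "etc" / "init.d" / "network"       # mirrors the real path
        core_dir = tmp / "var" / "www" / "app" / "core"          # stand-in for a framework core dir
        init_script.parent.mkdir(parents=True)
        core_dir.mkdir(parents=True)
        init_script.write_text("#!/bin/sh\n# bring up networking\n")
        (core_dir / "Base.php").write_text("<?php class Base {}\n")
        (core_dir / "Helper.php").write_text("<?php function h() {}\n")

        roots = [init_script, core_dir]
        manifest = tmp / "baseline.json"
        build_baseline(roots, manifest)

        # Simulated tampering (constructed, inert content): an appended line in the
        # init script, an altered core file, a new file dropped in, and one removed.
        with open(init_script, "a") as f:
            f.write("# injected line\n")
        (core_dir / "Base.php").write_text("<?php class Base {} /* injected */\n")
        (core_dir / "Extra.php").write_text("<?php\n")
        (core_dir / "Helper.php").unlink()

        findings = verify(roots, manifest)
        rel = lambda paths: sorted(str(Path(p).relative_to(tmp)) for p in paths)
        return {k: rel(v) for k, v in findings.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `build_baseline` once against a clean deployment, keep the manifest somewhere the web server cannot write, and run `verify` from cron or a configuration-management job; any entry in "modified", "missing" or "added" for an init script or a framework core file warrants the same incident handling as a confirmed backdoor until explained.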
First detected in December 2023 and fully analyzed by April 2024, Glutton represents a significant evolution in PHP backdoor capabilities. The malware was attributed by QAX XLab researchers based on code similarities and infrastructure overlaps with previously documented Winnti tooling.