Winnti Hackers Deploy ‘Glutton’ PHP Backdoor to Spy on Rival Threat Actors

Bisma Farrukh

December 16, 2024
Updated on December 16, 2024

QAX’s XLab Uncovers Winnti Hacking Group’s New ‘Glutton’ PHP Backdoor

December 15, 2024. Cybersecurity researchers at QAX’s XLab have uncovered a new PHP backdoor, dubbed ‘Glutton,’ that the notorious Winnti hacking group is using in attacks on organizations in China and the U.S., as well as on other cybercriminal groups.

According to QAX’s XLab, the Glutton backdoor was first discovered in late April 2024, but evidence of its deployment, along with other related files, dates back to December 2023. The Winnti group, a Chinese advanced persistent threat (APT) actor known for targeting the gaming, software, and telecommunications industries, has been using this new malware to infiltrate and maintain access to victim systems.

“The Winnti group’s use of this new Glutton backdoor demonstrates their continued innovation and ability to adapt their tactics to evade detection,” said XLab. “By targeting both organizations and other threat actors, the group is showcasing their broad reach and willingness to go after a diverse range of victims.”

Glutton is a PHP-based backdoor that provides the Winnti group with a wide range of capabilities, including the ability to execute commands, upload and download files, and maintain persistent access to compromised systems. The malware is designed to blend in with legitimate web server processes, making it challenging for security teams to detect and remove.

“The discovery of Glutton highlights the ongoing threat posed by advanced hacking groups like Winnti,” added XLab. “As cybercriminals continue to evolve their tools and techniques, it’s crucial for organizations to stay vigilant and implement robust security measures to protect against these types of sophisticated attacks.”

Alongside the PHP backdoor itself, Glutton includes ELF-based components that give the Winnti hackers a powerful and stealthy tool for tailored attacks. Its core components include ‘task_loader’ to determine the environment, ‘init_task’ to install the backdoor, ‘client_loader’ to introduce obfuscation, and ‘client_task’ to operate the PHP backdoor and establish communication.

“Winnti’s use of Glutton shows their determination to expand their reach and target even other cybercriminal groups,” said a lead researcher at QAX’s XLab. “This modular backdoor gives them the flexibility to activate specific components for each attack, making it extremely difficult to detect and defend against.”

The Glutton backdoor allows the Winnti hackers to maintain persistent access to compromised systems, gather intelligence, and potentially pivot to other targets within the victim’s network. Its advanced obfuscation techniques and ability to tailor its functionality make it a formidable threat in the hands of the skilled Winnti group.

“As the cybersecurity landscape continues to evolve, organizations must stay vigilant and implement robust security measures to protect against sophisticated threats like Glutton,” added XLab. “By understanding the tactics and tools used by groups like Winnti, we can better prepare and defend against these persistent and dangerous adversaries.”

QAX’s XLab urges organizations, particularly those in the gaming, software, and telecommunications sectors, to review their security posture and implement appropriate countermeasures to mitigate the risk of Winnti group and Glutton backdoor attacks.

About QAX’s XLab

QAX’s XLab is a leading cybersecurity research and analysis team dedicated to uncovering and investigating the latest threats and attack vectors used by sophisticated hacking groups. The team’s in-depth research and threat intelligence help organizations avoid emerging cyber risks and strengthen their overall security posture.

About The Author

Bisma Farrukh

Bisma is a seasoned writer passionate about topics like cybersecurity, privacy and data breach issues. She has been working in the VPN industry for more than 5 years now and loves to talk about security issues. She loves to explore books and travel guides in her leisure time.