The Glutton backdoor, a modular PHP-based malware framework, has been observed targeting systems in China, the U.S., Cambodia, Pakistan, and South Africa. The malware, linked with moderate confidence to the Chinese nation-state group Winnti, showcases unique behavior by targeting both traditional victims and cybercrime operators themselves. By embedding malicious code into pre-compromised business systems and cybercrime tools, Glutton leverages a "no honor among thieves" approach to exploit the cybercrime ecosystem.
Glutton is a highly modular malware framework composed of several key components, including task_loader, init_task, client_loader, client_task, and fetch_task. These modules can operate independently or sequentially, enabling the attackers to execute a comprehensive fileless attack framework. At its core, Glutton infects PHP files with malicious code, embedding the l0ader_shell payload, which is particularly effective against popular PHP frameworks such as Baota (BT), ThinkPHP, Yii, and Laravel. The framework also drops ELF-based Winnti backdoors that masquerade as /lib/php-fpm to blend into legitimate processes and establish persistence on compromised systems.
An unconventional but notable aspect of Glutton’s attack chain is its integration into pre-compromised business systems sold on cybercrime forums. The attackers embed the l0ader_shell backdoor into these systems, poisoning tools used by cybercriminals. Additionally, Glutton leverages the HackBrowserData tool to steal sensitive browser data such as passwords, cookies, and browsing history, particularly targeting systems used by cybercrime operators. This recursive attack chain allows the attackers to exploit both traditional victims and other cybercriminals, turning their operations into an unwitting resource.