PHP backdoor looks to be work of Chinese-linked APT group | CyberScoop<\/title> <meta name=\"description\" content=\"The Glutton PHP backdoor, potentially linked to the Winnti APT group, was discovered by researchers at QiAnXin's XLab.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/glutton-php-backdoor-winnti-apt-41-china\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"PHP backdoor looks to be work of Chinese-linked APT group\"> <meta property=\"og:description\" content=\"The Glutton PHP backdoor, potentially linked to the Winnti APT group, was discovered by researchers at QiAnXin's XLab.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/glutton-php-backdoor-winnti-apt-41-china\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-12-16T19:14:58+00:00\"> <meta property=\"article:modified_time\" content=\"2024-12-16T19:15:00+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/php-backdoor-looks-to-be-work-of-chinese-linked-apt-group-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1278\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Greg Otto\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@gregotto\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1732206022g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1730999764g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1732010462g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=ddc036fa194c40cf406f\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/82916\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.7.1\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=82916\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fglutton-php-backdoor-winnti-apt-41-china%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fglutton-php-backdoor-winnti-apt-41-china%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-82916 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/glutton-php-backdoor-winnti-apt-41-china\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.229016786571\">\n<div class=\"single-article__header-content\" readability=\"33.948717948718\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/glutton-php-backdoor-winnti-apt-41-china\/\"> <span>Geopolitics<\/span> <\/a> <\/li>\n<\/ul>\n<p> Known as Glutton, researchers at QiAnXin\u2019s XLab believe Winnti is responsible for the malware. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/82916\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/php-backdoor-looks-to-be-work-of-chinese-linked-apt-group.jpg?resize=640%2C426&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/php-backdoor-looks-to-be-work-of-chinese-linked-apt-group-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/php-backdoor-looks-to-be-work-of-chinese-linked-apt-group-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/php-backdoor-looks-to-be-work-of-chinese-linked-apt-group-2.jpg?resize=768,511 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/php-backdoor-looks-to-be-work-of-chinese-linked-apt-group-2.jpg?resize=1024,682 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/php-backdoor-looks-to-be-work-of-chinese-linked-apt-group-2.jpg?resize=1536,1022 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/php-backdoor-looks-to-be-work-of-chinese-linked-apt-group-2.jpg?resize=600,399 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/php-backdoor-looks-to-be-work-of-chinese-linked-apt-group-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/php-backdoor-looks-to-be-work-of-chinese-linked-apt-group-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/php-backdoor-looks-to-be-work-of-chinese-linked-apt-group-2.jpg?resize=1014,675 1014w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/php-backdoor-looks-to-be-work-of-chinese-linked-apt-group-2.jpg?resize=1266,843 1266w\" sizes=\"(max-width: 1014px) 100vw, 1014px\"><figcaption> A hacker with China’s national flag in background. (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"37.681047966632\"><body readability=\"75.883164673413\"><\/p>\n<p>Cybersecurity researchers at a China-based cybersecurity company have uncovered an advanced PHP backdoor that suggests a new asset in the arsenal of Chinese-linked Advanced Persistent Threat group Winnti.<\/p>\n<p>Researchers at QiAnXin\u2019s XLab <a href=\"https:\/\/blog.xlab.qianxin.com\/glutton_stealthily_targets_mainstream_php_frameworks-en\/\">discovered the backdoor<\/a>, which they titled Glutton, targeting China, the United States, Cambodia, Pakistan, and South Africa. After initially discovering the malware in April of this year, the company believes Glutton has been \u201cundetected in the cybersecurity landscape for over a year.\u201d <\/p>\n<p>Glutton is built with a modular design, which allows it to operate without leaving traditional digital footprints. All code execution occurs within PHP or a feature that optimizes PHP process handling on web servers, known as PHP-FPM (FastCGI). This ensures no file payloads are left behind and the backdoor stays undetected. <\/p>\n<p>When deployed, Glutton can be used to exfiltrate data or inject malicious code into widely used PHP frameworks, such as Baota, ThinkPHP, Yii, and Laravel.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The first clues related to Glutton surfaced in December 2023, when researchers traced unusual activity back to an IP address that was distributing a backdoor that targets Unix-like operating systems, more commonly known as ELF-based malware. Further research uncovered a malicious PHP file in the ELF-based malware. From there, researchers unraveled a network of related malicious PHP payloads, exposing an intricate attack infrastructure.<\/p>\n<p>XLab researchers wrote that the malware shares a connection with the Winnti group\u2019s historical activities. Yet, researchers pointed out that the malware has \u201cseveral shortcomings in stealth and execution, which seem uncharacteristically subpar\u201d for the APT group. Researchers pointed to including plaintext PHP samples and simplistic C2 communication protocols, which are normally outside Winnti\u2019s behavior. That aside, the researchers believe \u201cwith moderate confidence\u201d that Winnti is responsible for the malware. <\/p>\n<p>While XLab researchers detailed a formidable list of countries being targeted, they said Winnti \u201cdeliberately targeted systems within the cybercrime market\u201d to help spread the malware as far as possible. <\/p>\n<p>\u201cBy poisoning operations, they aimed to turn the tools of cybercriminals against them \u2014 a classic \u2018no honor among thieves\u2019 scenario,\u201d XLab researchers wrote. <\/p>\n<p>Piggy-backing off other threat actors\u2019 infrastructure has been a recurring theme in recently released research. Microsoft has published reports that found Turla, a Russian-linked APT group, has been using infrastructure initially set up by <a href=\"https:\/\/cyberscoop.com\/turla-infiltrates-pakistani-apt-networks-microsoft-lumen\/\">other APT groups<\/a> or <a href=\"https:\/\/cyberscoop.com\/turla-leverage-cybercriminal-tools-target-ukraine-microsoft\/\">cybercriminals<\/a> to run its own operations. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Winnti, also known as APT41, has long been linked to China. In 2019, Mandiant (then FireEye) <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/apt41-dual-espionage-and-cyber-crime-operation\/\">published a report<\/a> that suggested the group carried out operations on behalf of the Chinese government, while also freelancing in cybercrime. Researchers have found the group, among other operations, to be targeting <a href=\"https:\/\/cyberscoop.com\/winnti-trend-micro-china-gambling\/\">online gambling firms in China<\/a>, using Microsoft Exchange vulnerabilities to target <a href=\"https:\/\/cyberscoop.com\/famoussparrow-eset-microsoft-exchange-proxylogon\/\">hotels and governments around the world<\/a>, or <a href=\"https:\/\/cyberscoop.com\/world-wired-labs-winnti-netwire-china-blackberry-cylance\/\">standing up front companies to mask the use<\/a> of their RAT tools. <\/p>\n<p>You can read QiAnXin\u2019s research <a href=\"https:\/\/blog.xlab.qianxin.com\/glutton_stealthily_targets_mainstream_php_frameworks-en\/\">on the company\u2019s blog<\/a>. <\/p>\n<p> <\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"4.0217770034843\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/php-backdoor-looks-to-be-work-of-chinese-linked-apt-group-1.jpg?w=640&ssl=1\" alt=\"Greg Otto\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Greg Otto<\/h4>\n<p> Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/glutton-php-backdoor-winnti-apt-41-china\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>PHP backdoor looks to be work of Chinese-linked APT group<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1546,3171,271,282,302,117,168,3332,3333,3334,288,3335],"tags":[1550,3173,277,286,306,119,169,3336,3337,3338,294,3339],"class_list":["post-6620","post","type-post","status-publish","format-standard","hentry","category-apt41","category-backdoor","category-china","category-cybercrime","category-geopolitics","category-government","category-malware","category-nation-state-hackers","category-php","category-qianxin","category-threats","category-winnti","tag-apt41","tag-backdoor","tag-china","tag-cybercrime","tag-geopolitics","tag-government","tag-malware","tag-nation-state-hackers","tag-php","tag-qianxin","tag-threats","tag-winnti"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/apt41\/\" rel=\"category tag\">APT41<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/backdoor\/\" rel=\"category tag\">backdoor<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/china\/\" rel=\"category tag\">China<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/geopolitics\/\" rel=\"category tag\">Geopolitics<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/government\/\" rel=\"category tag\">Government<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/malware\/\" rel=\"category tag\">Malware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/nation-state-hackers\/\" rel=\"category tag\">nation-state hackers<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/php\/\" rel=\"category tag\">php<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/qianxin\/\" rel=\"category tag\">QiAnXin<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/winnti\/\" rel=\"category tag\">Winnti<\/a>","tag_info":"Winnti","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6620","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=6620"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6620\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=6620"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=6620"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=6620"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":6620,"date":"2024-12-16T13:14:58","date_gmt":"2024-12-16T19:14:58","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=82916"},"modified":"2024-12-16T13:14:58","modified_gmt":"2024-12-16T19:14:58","slug":"php-backdoor-looks-to-be-work-of-chinese-linked-apt-group","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/12\/16\/php-backdoor-looks-to-be-work-of-chinese-linked-apt-group\/","title":{"rendered":"PHP backdoor looks to be work of Chinese-linked APT group"},"content":{"rendered":"