{
	"id": "71b7e477-9ba1-49b3-af8f-d27db9701547",
	"created_at": "2026-04-06T00:11:15.115222Z",
	"updated_at": "2026-04-10T03:32:21.377704Z",
	"deleted_at": null,
	"sha1_hash": "d47bdebe26d6a9315060fbc0652acfd3451e6c2f",
	"title": "Glutton: A New Zero-Detection PHP Backdoor from Winnti Targets Cybercriminals",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2807078,
	"plain_text": "Glutton: A New Zero-Detection PHP Backdoor from Winnti\r\nTargets Cybercriminals\r\nBy Alex.Turing\r\nPublished: 2024-12-12 · Archived: 2026-04-05 21:55:28 UTC\r\nIntroduction\r\nOn April 29, 2024, XLab's Cyber Threat Insight and Analysis System (CTIA) detected anomalous activity: IP\r\n172.247.127.210 was distributing an ELF-based Winnti backdoor. Further investigation revealed the same IP\r\nhad, on December 20, 2023, distributed a zero-detection malicious PHP file, init_task.txt, providing a key lead for\r\nthe analysis.\r\nUsing init_task as a lead, we identified a series of associated malicious PHP payloads, including\r\ntask_loader, init_task_win32, client_loader, client_task, fetch_task, and l0ader_shell. These\r\npayloads are highly modular, capable of functioning independently or being executed sequentially via\r\ntask_loader to form a comprehensive attack framework. All code execution occurs within PHP or PHP-FPM\r\n(FastCGI) processes, ensuring no file payloads are left behind, thus achieving a stealthy footprint. This\r\ninvestigation uncovered a previously undocumented advanced PHP backdoor, which we named Glutton due to\r\nits ability to infect large numbers of PHP files and implant l0ader_shell. The core functionalities of Glutton\r\ninclude:\r\n1. Data Exfiltration\r\nSystem information, such as OS versions and PHP versions.\r\nSensitive Baota panel data, including credentials and management interface details.\r\n2. Backdoor Installation\r\nAn ELF-based Winnti backdoor.\r\nPHP-based backdoors.\r\n3. Code Injection\r\nMalicious code injection targeting popular PHP frameworks like Baota (BT), ThinkPHP, Yii, and\r\nLaravel.\r\nThe ELF sample ac290ca4b5d9bab434594b08e0883fc5 that triggered the alert was delivered by Glutton's\r\ninit_task component. 
This sample shares near-complete similarity with the PWNLNX tool discussed in\r\nBlackBerry's report \"Decade of the RATs\" and samples mentioned in IntezerLabs' September 23, 2020 tweet.\r\nMost security vendors currently classify this sample as a Winnti backdoor.\r\nhttps://blog.xlab.qianxin.com/glutton_stealthily_targets_mainstream_php_frameworks-en/\r\nPage 1 of 22\n\nAs a hallmark tool of the APT group Winnti, the Linux variant has not been observed in use by other hacking\r\ngroups since its initial disclosure in 2019. The campaign's C2 server 156.251.163[.]120 remained active during\r\nthe attack, properly responding to network requests and establishing interactions with the backdoor. This, coupled\r\nwith the specificity of the sample and the C2's functionality, effectively rules out the possibility of interference\r\nfrom unrelated cybercriminal groups using dormant samples.\r\nKey observations include:\r\nSample specificity: The Winnti backdoor is a signature tool of the Winnti group, with no evidence of\r\ncirculation among other cybercriminal entities.\r\nC2 effectiveness: The C2 server was fully operational, confirming the attack's authenticity.\r\nBased on the veracity of the Winnti backdoor and Glutton’s delivery mechanisms, it is theoretically plausible to\r\nattribute Glutton to the APT group Winnti. However, from a technical perspective, Glutton demonstrates several\r\nshortcomings in stealth and execution, which seem uncharacteristically subpar:\r\n1. Lack of encrypted C2 communications: The protocol is overly simplistic and easy to reverse-engineer.\r\n2. Downloader communication over HTTP: The lack of HTTPS makes traffic interception or monitoring\r\ntrivial.\r\n3. Unobfuscated PHP samples: The samples are in plaintext source code, making their functionality directly\r\nreadable.\r\n4. 
Weak infrastructure deception: The domain used (thinkphp1[.]com) is poorly disguised.\r\nIn summary, while Glutton’s delivery mechanisms strongly align with the Winnti group, its lack of stealth and\r\nsimplistic implementation introduce uncertainty. Attribution must account for the complexity of the cybercrime\r\nlandscape and the inherent delays in defense-side intelligence. To avoid misleading conclusions based on isolated\r\nevidence, we adopt a conservative approach, attributing Glutton to the Winnti group with moderate confidence as\r\na potential new weapon in their arsenal.\r\nVictims\r\nInfections caused by Glutton were identified through requests to its C2 server, cc.thinkphp1[.]com. Our\r\nanalysis shows that victims were primarily located in China and the United States, spanning industries such as IT\r\nservices, business operations, and social security.\r\n\"No Honor Among Thieves\"\r\nInterestingly, our investigation revealed that Glutton’s creators deliberately targeted systems within the cybercrime\r\nmarket. By poisoning operations, they aimed to turn the tools of cybercriminals against them—a classic \"no honor\r\namong thieves\" scenario.\r\nIn July 2024, we conducted a VirusTotal hunt using the signature \"b11st=0;\", which led to the discovery of five\r\ninfected files uploaded from different countries:\r\nIndex MD5 Detection First Seen Country\r\n1 3f8273575d4c75053110a3d237fda32c 2/65 2024-08-11 China\r\n2 c1f6b7282408d4dfdc46e22bbdb3050f 0/59 2024-09-17 Germany\r\n3 96fef42b234920f3eacfe718728b08a1 0/63 2024-10-14 Singapore\r\n4 ad150541a0a3e83b42da4752eb7e269b 1/62 2024-11-02 United States\r\n5 ad0d88982c7b297bb91bb9b4759ce0ab 4/41 2024-11-27 United States\r\nFiles 1–3 were standalone PHP scripts, while files 4–5 were archives containing full-fledged business systems. 
Of\r\nthese, file 4 stood out as a fraudulent click-farming platform, a common tool in online scams. The malicious code,\r\nl0ader_shell, was embedded in the APP.php file of the ThinkPHP framework.\r\nThe VirusTotal analysis revealed that the parent archive was shuadan109.timibbs.cc_20241026_175636.tar.gz.\r\nThis led us to its download page, where it was being sold for 980 USDT.\r\nThe archive was hosted on Timibbs, a forum infamous for selling cybercrime tools and resources, including\r\nscripts for gambling, gaming, fake cryptocurrency exchanges and click-farming operations—all sold at premium\r\nprices.\r\nWhile we didn’t verify whether the VirusTotal sample perfectly matches the code sold on Timibbs (980 USDT felt\r\nlike a poor investment, LOL), the relationship between Glutton’s creators and the forum appears to follow one\r\nof several possibilities:\r\n1. The hacker is a customer, purchasing tools from the forum and embedding malicious code.\r\n2. The hacker breached the forum, injecting backdoors into shared resources.\r\n3. The hacker collaborates with the forum, co-developing compromised systems.\r\n4. The hacker operates independently, with their tools later added to the forum.\r\nRegardless of the details, one thing is clear: Glutton’s authors exploited the cybercrime ecosystem itself, using\r\npoisoned tools to turn cybercrime operators into unwitting pawns. Their strategy might be best summarized like\r\nthis:\r\n\"Why should these small-time scammers in gambling and click-fraud get all the money? Let's\r\nrob them blind! Here’s the plan: flood the market with backdoored systems, let them\r\nunknowingly ‘work’ for us, and then cash out big-time. Even if they figure it out, they won’t\r\ndare report it. 
Absolutely brilliant!”\r\nAnalysis of Glutton\r\nWe have captured multiple components of Glutton, including task_loader, init_task, client_loader,\r\nclient_task, fetch_task, and l0ader_shell (note: names like client_loader, client_task, and\r\nfetch_task are assigned based on their observed functionality). Each file contains approximately 3000 lines of\r\ncode, none of which are encrypted or obfuscated, making their functionality relatively easy to analyze. This report\r\nwill focus on the core functional code; readers interested in more details can refer to the full source code for\r\ndeeper insights.\r\nModular Framework Design\r\nThese PHP components can operate independently or interact through task_loader as an entry point,\r\nincrementally loading other modules to construct a fileless attack framework. The framework’s core capabilities\r\ninclude:\r\n1. Infecting PHP files on the target device.\r\n2. Deploying backdoors, including the Winnti backdoor and a PHP backdoor.\r\nThis modular design not only enhances the adaptability of the attack but also makes it harder to detect and trace\r\nduring defensive operations.\r\nWe speculate that the attackers use multiple methods to spread Glutton, including:\r\nExploiting traditional 0DAY and NDAY vulnerabilities.\r\nLeveraging weak password brute-forcing techniques.\r\nDistributing pre-compromised business systems with embedded l0ader_shell via cybercrime source\r\ncode forums, enabling targeted attacks on the cybercrime ecosystem itself.\r\nIndicators of Glutton Infection\r\nInfected devices exhibit the following signs:\r\n1. File-Level Indicators:\r\nPHP files are injected with l0ader_shell.\r\n2. 
Process-Level Indicators:\r\nA Winnti backdoor process (php-fpm) listens on UDP port 6006.\r\nA PHP backdoor process ([kworker/0:0HC]) communicates over UDP.\r\nPart1: task_loader\r\nThe task_loader module plays a pivotal role in Glutton’s attack chain. Its primary function is to assess the\r\nexecution environment and use different methods to download and execute the next-stage payload based on the\r\ndetected environment. Key functions include:\r\n1. run_task_by_system\r\n2. run\u0026get_php_code\r\n3. run_task_by_fpm\r\n4. run_task_direct\r\nFunctional Overview\r\nThe table below summarizes the behavior of each function:\r\nFunction Path Execution Environment\r\nrun_task_by_system /v11/init_task.gz New PHP process\r\nrun\u0026get_php_code /v11/init_task.gz FastCGI\r\nrun_task_direct /v11/modify_php_v11.gz Original PHP process\r\nDetails of Payloads\r\n1. init_task\r\nDownloaded by both run_task_by_system and run\u0026get_php_code.\r\nServes as the primary payload for further infection.\r\n2. modify_php\r\nDownloaded by run_task_direct.\r\nA subset of init_task, optimized for specific modifications to the environment.\r\nPart2: init_task\r\nThe init_task module performs three critical tasks:\r\n1. elf_install: Downloads and executes the Winnti backdoor.\r\n2. bt_modify: Infects Baota (BT) panels to collect sensitive information and modify system files.\r\n3. php_modify: Infects PHP files to embed code for subsequent payload delivery.\r\n0x01: elf_install Task\r\nThe elf_install task downloads the Winnti backdoor, masquerading it as /lib/php-fpm. 
To achieve\r\npersistence, it appends the following command to /etc/init.d/network:\r\nexport OLD=$PATH; export PATH=/usr/lib/; php-fpm; export PATH=$OLD;\r\nObserved Download URLs and MD5\r\nURL MD5\r\n172.247.127[.]210/v10/php-fpm ac290ca4b5d9bab434594b08e0883fc5\r\nv6.thinkphp1[.]com/v11/php-fpm ac290ca4b5d9bab434594b08e0883fc5\r\nv20.thinkphp1[.]com/static/v20/php-fpm ac290ca4b5d9bab434594b08e0883fc5\r\nThe ac290ca4b5d9bab434594b08e0883fc5 sample closely resembles the one exposed by BlackBerry, with\r\nadditional functionality for updating C2 configurations and samples. The C2 configurations are encrypted with\r\nrolling XOR (key: CB2FA36AAA9541F0) and decrypt to: 156.251.163[.]120\r\nThe IP has since become inactive, but historical evidence confirms it previously responded to Winnti network\r\nrequests, indicating its role as a legitimate Winnti C2.\r\n0x02: bt_modify Task\r\nThe bt_modify task targets Baota (BT) panels, performing two primary functions: find_all and do_modify.\r\nfind_all\r\nCollects sensitive information, compresses and uploads the data to the C2 server.\r\nadmin_path bt_apass basic_auth basic_pass basic_user\r\nbt_clients crontabs databases bt_dir bt_domain\r\nbt_ftps bt_https bt_mobile mysql_root bt_pass_md5\r\nbt_passwd phpmyadmin bt_port bt_sites bt_sites_path\r\nbt_ssh bt_user_md5 bt_username\r\nThe traffic generated during this process is URL-encoded and compressed. 
Using tools like CyberChef (URL\r\ndecode + raw inflate) allows for data reconstruction.\r\ndo_modify\r\nModifies critical BT panel files such as init.py, public.py, and userlogin.py to achieve objectives like:\r\ncredential theft, token harvesting, and exposing sensitive assets.\r\nKey Modifications\r\nCredential theft: Inserts code to extract login credentials and tokens.\r\nAsset exposure: Alters configuration to expose sensitive assets.\r\n0x03: php_modify Task\r\nThe php_modify task targets popular PHP frameworks such as ThinkPHP, Yii, Laravel, and Dedecms, injecting\r\nmalicious code for further payload execution.\r\nModification Logic\r\nSearches for predefined $ref_line locations in the PHP framework code and inserts the v11_code at these\r\nlocations.\r\nIf no $ref_line matches, appends v11_code to the end of the file.\r\nv11_code Structure\r\nThe v11_code consists of three parts:\r\n1. v11_begin: b11st=0;\r\n2. PHPCODE_MAIN: Encodes a l0ader function.\r\n3. v11_end: b11end=0;\r\nThe l0ader function has two primary roles:\r\n1. Reporting\r\nSends host information and page access parameters via UDP to v6.thinkphp1[.]com:9988.\r\n2. Downloading the Next-Stage Payload\r\nConstructs an HTTP request to download and execute the client_loader payload.\r\nTraffic Analysis\r\nThe traffic generated during this process includes:\r\n1. UDP Traffic: Transmits host and access information.\r\n2. 
HTTP Requests: Retrieves the next payload (client_loader).\r\nPart3: client_loader\r\nThe client_loader module is essentially a refactored version of init_task, retaining all of its core\r\nfunctionalities while introducing notable changes in code organization and additional features.\r\nThe first significant change lies in the php_modify task, where the l0ader function's code is now obfuscated,\r\nunlike its straightforward implementation in init_task.\r\nThe obfuscation adds a layer of complexity, making reverse-engineering more challenging for defenders.\r\nThe core functionality of the l0ader function remains unchanged; however, the network infrastructure used for\r\ncommunication has been updated.\r\nModule Reporter Downloader\r\ninit_task udp://v6.thinkphp1[.]com:9988 v6.thinkphp1[.]com/php?\r\nclient_loader udp://v20.thinkphp1[.]com:9988 v20.thinkphp1[.]com/init?\r\nThe most notable enhancement in client_loader is the introduction of a new capability: downloading and\r\nexecuting a backdoored client.\r\nWhy Add a Backdoored Client?\r\nOne might wonder why the attackers introduced a backdoored client when the Winnti backdoor was already\r\ndeployed. The reasoning becomes clear when considering the broader objectives and the advantages of a PHP-based backdoor:\r\n1. Cross-Platform Compatibility\r\nUnlike the ELF-based Winnti backdoor, the PHP client can operate seamlessly across Linux,\r\nWindows, and macOS systems.\r\n2. Fileless Payload Delivery\r\nBy leveraging PHP for backdoor functionalities, the attackers achieve higher stealth through fileless\r\nexecution, reducing the likelihood of detection.\r\n3. 
AV Evasion\r\nAntivirus engines often lack robust signatures for PHP-based malicious samples, allowing the PHP\r\nclient to bypass traditional defenses.\r\nPart4: client_task\r\nThe client_task module is responsible for two primary tasks:\r\n1. Launching a PHP backdoor.\r\n2. Periodically executing the fetch_task function to retrieve and execute additional payloads.\r\n0x01: PHP Backdoor\r\nThe PHP backdoor functionality is implemented using the client_socket class, which provides a framework\r\nfor backdoor operations.\r\nCore Features\r\n1. C2 Communication\r\nHardcoded C2: cc.thinkphp1.com:9501.\r\nSupports both TCP and UDP, defaulting to UDP for communication.\r\n2. Command Execution\r\nThe client_v1 class extends client_socket, using the process_std_cmd_v1 class to process\r\ncommands from the C2 server.\r\n3. 
Supported Commands\r\nThe backdoor supports 22 distinct commands, as shown below:\r\nID Function\r\n1 ping (UDP only)\r\n2 pong (UDP only)\r\n10 login\r\n31 keepalive\r\n148 set connection config\r\n149 switch connection to TCP\r\n150 switch connection to UDP\r\n151 shell\r\n152 upload/download file via TCP\r\n189 get_temp_dir\r\n190 scandir\r\n191 get dir info\r\n192 mkdir\r\n193 write file\r\n194 read file\r\n195 create file\r\n196 rm\r\n197 copy file\r\n198 rename file\r\n199 chmod\r\n200 chown\r\n201 eval PHP code\r\nCommunication Protocol\r\nUDP Communication:\r\nIncludes an additional \"liveness check\" process with a ping from the client and a pong response\r\nfrom the server.\r\nTypical interaction sequence: ping → pong → login → cmd → heartbeat.\r\nPacket Structure:\r\nThe first byte (magic) indicates compression, the second byte specifies the command code.\r\n0xf0: No compression.\r\n0xf1: Compression enabled (used for data \u003e32 bytes).\r\nLogin Command:\r\nContains host metadata such as host_user, host_os, host_name, and host_cwd. For\r\ncompressed data (0xf1), the payload is parsed using \"Raw Inflate\".\r\n0x02: fetch_task\r\nThe fetch_task function is executed hourly. 
It retrieves and executes additional PHP payloads by making an\r\nHTTP request to the remote server.\r\nPayload Retrieval Process\r\nURL: http://v20.thinkphp1.com/v20/fetch.\r\nThe response contains compressed PHP code, which is decompressed and executed.\r\nObserved Payloads\r\nCurrently, the fetch_task function retrieves the client_loader payload, identified by the MD5 hash\r\n69ed3ec3262a0d9cc4fd60cebfef2a17.\r\nEaster Eggs in Glutton’s Campaign\r\njklwang.com\r\nThe do_tp5_request function in Glutton is used to clean up infections in older versions of the Request.php\r\nfile. By analyzing the $ref_lines in the code, it was discovered that the domain jklwang.com (0 detections on\r\nVirusTotal) is also part of Glutton’s infrastructure.\r\nThis suggests that Glutton’s operators maintain a wider network of assets than initially detected, enabling them to\r\nextend their campaign reach.\r\nHackBrowserData\r\nOn June 14, the domain v20.thinkphp1.com was observed distributing a macOS version of the\r\nHackBrowserData tool.\r\nAbout HackBrowserData\r\nA legitimate tool designed to decrypt and export browser-stored data, including passwords, browsing\r\nhistory, cookies, etc.\r\nWe hypothesize that HackBrowserData was deployed as part of a \"black eats black\" strategy. When\r\ncybercriminals attempt to locally debug or modify backdoored business systems, Glutton’s operators deploy\r\nHackBrowserData to steal high-value sensitive information from the cybercriminals themselves. This creates a\r\nrecursive attack chain, leveraging the attackers’ own activities against them.\r\nConclusion\r\nBased on the initial discovery of init_task, we estimate that Glutton has been active undetected in the\r\ncybersecurity landscape for over a year. 
In addition to targeting traditional “whitehat” victims through cybercrime,\r\nGlutton demonstrates a strategic focus on exploiting cybercrime resource operators. Its authors exhibit clear\r\nambitions to \"win three times\", reflected in the following:\r\n1. Stealing high-value sensitive information from cybercrime operators.\r\n2. Profiting from the cybercrime industry itself, leveraging infected systems for significant economic gain.\r\n3. Harvesting sensitive data on cybercrime participants to enable future phishing or social engineering\r\ncampaigns.\r\nTo mitigate the threat posed by Glutton, we recommend that system administrators take the following steps to\r\nidentify and neutralize potential infections:\r\n1. Inspect all PHP files for signs of l0ader_shell.\r\n2. Remove malicious processes, including the Winnti backdoor process and the PHP backdoor process.\r\n3. Harden temporary directories by creating a .donot file in /tmp to prevent exploitation.\r\nThis analysis represents the extent of our current understanding of the Glutton backdoor. Due to limited visibility,\r\nits initial access vector remains unclear. We invite contributions from partners and readers with relevant\r\nintelligence to help enrich the technical and tactical matrix of Glutton and improve attribution efforts.\r\nIf you are interested in our research, feel free to connect with us via Platform X to share insights or discuss\r\ncollaborative opportunities. 
Together, we can work towards strengthening global cybersecurity.\r\nIOC\r\nSource: https://blog.xlab.qianxin.com/glutton_stealthily_targets_mainstream_php_frameworks-en/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.xlab.qianxin.com/glutton_stealthily_targets_mainstream_php_frameworks-en/"
	],
	"report_names": [
		"glutton_stealthily_targets_mainstream_php_frameworks-en"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434275,
	"ts_updated_at": 1775791941,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d47bdebe26d6a9315060fbc0652acfd3451e6c2f.pdf",
		"text": "https://archive.orkl.eu/d47bdebe26d6a9315060fbc0652acfd3451e6c2f.txt",
		"img": "https://archive.orkl.eu/d47bdebe26d6a9315060fbc0652acfd3451e6c2f.jpg"
	}
}