Full Report
The Chinese Winnti hacking group is using a new PHP backdoor named 'Glutton' in attacks on organizations in China and the U.S., and also in attacks on other cybercriminals. [...]
Analysis Summary
The provided context is a description of an article headline and surrounding website boilerplate, not the actual content of the article detailing the threat actor's activities, TTPs, or targeting information. Therefore, the summary below will be based *only* on the explicit information derivable from the headline: "Winnti hackers target other threat actors with new Glutton PHP backdoor."
# Threat Actor: Winnti
## Attribution & Identity
The threat actor is identified as **Winnti**. The article implies a connection to the development and deployment of the "Glutton PHP backdoor."
## Activity Summary
The primary activity detailed is that Winnti is actively targeting **other threat actors** using a newly identified PHP backdoor. This suggests Winnti may be compromising other cybercriminal entities directly or leveraging infrastructure already controlled by different groups.
## Tactics, Techniques & Procedures
- Deployment of a new PHP backdoor named **Glutton**.
- Targeting of other threat actors (an unusual operational pivot).
- *Note: Specific TTPs or MITRE ATT&CK IDs are not present in the provided context.*
## Targeting
- Sectors: **Other Threat Actors** (implying initial access to, or compromise of, systems operated by other groups).
- Geography: Not specified.
- Victims: Not specified beyond the category of "other threat actors."
## Tools & Infrastructure
- Malware families used: **Glutton PHP backdoor**.
- Infrastructure: Not specified in the context.
## Implications
The use of the Glutton backdoor against other threat actors suggests a high degree of operational sophistication on Winnti's part, possibly aimed at maintaining persistence within compromised organizations that several groups share, or at eliminating rival access points and tools. This represents an evolution in their targeting strategy.
## Mitigations
- Organizations should implement robust monitoring for suspicious PHP web shells and backdoors, especially in public-facing web applications.
- Security teams should monitor for indicators associated with the "Glutton" backdoor if further technical details emerge.