Glutton
⚠️ Overview
Glutton is a modular backdoor trojan that Unit 42 (Palo Alto Networks) first documented in 2022 and attributed to the Chinese-speaking threat group tracked as APT41 (Earth Baku is Trend Micro's name for an APT41-linked subgroup). It is categorized as a remote access trojan (RAT) with data exfiltration and C2 relay capabilities, and has been used primarily in targeted espionage campaigns against government and telecommunications entities across Southeast Asia.
🔧 Technical Capabilities
Glutton propagates via spear-phishing emails carrying malicious Office documents that drop an initial stager. The stager then uses DLL side-loading: the core payload is written next to a legitimate signed binary, which loads it by name in place of the DLL it expects. Its C2 channel is HTTPS with a custom encryption protocol layered on top, and several fallback servers are hardcoded in the payload. Persistence is achieved through scheduled tasks or a registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include API unhooking, sleep jitter to outlast sandbox timeouts, and checks for analysis tools such as Wireshark. Operators can upload and download files, execute arbitrary commands, and route C2 traffic from other infected hosts through the implant in a peer-to-peer relay. MITRE ATT&CK techniques include T1574.002 (Hijack Execution Flow: DLL Side-Loading), T1071.001 (Application Layer Protocol: Web Protocols), T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) and T1053.005 (Scheduled Task/Job: Scheduled Task).
📜 History & Notable Incidents
First publicly analyzed in a July 2022 Unit 42 report titled "Glutton: A New Backdoor in APT41's Arsenal", the malware was used in campaigns targeting government ministries and telecom providers in Myanmar, Vietnam, and the Philippines. No CVEs are assigned to Glutton itself; initial compromise relies on existing Microsoft Office vulnerabilities such as CVE-2017-11882 (the Equation Editor memory-corruption bug), so unpatched Office installations are the exposure. No law enforcement action against Glutton infrastructure has been publicly reported.
🔍 Detection Indicators
Known file hashes include SHA256 0f3b8c8e1a2b4d6f7e9c0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d (Loader DLL) and e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f (Core payload). Verify both against the source report before loading them into a blocklist: as printed here, each digest follows a repeating sequential-nibble pattern (0f3b8c8e1a2b4d6f...) rather than the uniform distribution of a real SHA-256, and a hash IOC that does not match the sample blocks nothing. Behavioral signatures include long-lived outbound HTTPS connections to ports other than 443 (e.g., 8080, 8443) and creation of the mutex Global\Glutton_Relay_Mutex; mutex creation is not recorded by Sysmon or network sensors, so it must be checked with an EDR, a memory scan, or a string scan of the binary. Network IOCs include the domains update-server[.]net and cdn-global[.]org. The User-Agent mimics Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 with altered version numbers, so proxy logs can be reviewed for Chrome-like User-Agent strings whose version tokens do not correspond to any released Chrome build.
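The behaviours in the Technical Capabilities section (DLL side-loading, Run-key persistence, HTTPS beaconing on non-443 ports) and the network indicators listed above can be expressed as checks over endpoint telemetry. The following is an added example written for this page, not code from the Unit 42 report or from Boteraser: it runs four checks over Sysmon-style events in JSON-lines form. The field names follow Sysmon's schema (EventID 3 network connection, 7 image load, 13 registry value set, 22 DNS query); the events in SAMPLE_EVENTS are constructed for illustration, using RFC 5737 documentation addresses, and the domain watchlist is taken from this page's indicator list rather than from a verified feed.

```python
"""Triage of Sysmon-style events for the Glutton behaviours described above.

Added example written for this page; it is not code from the Unit 42 report or
from any vendor. Field names follow Sysmon's schema (EventID 3 network connection,
7 image load, 13 registry value set, 22 DNS query). The events in SAMPLE_EVENTS
are constructed for illustration, with RFC 5737 documentation addresses.
"""
import ipaddress
import json
import ntpath

# Domains as listed in this page's indicators (defanging removed). Treat as a
# watchlist to be replaced by a verified feed, not as confirmed infrastructure.
IOC_DOMAINS = {"update-server.net", "cdn-global.org"}
SUSPICIOUS_PORTS = {8080, 8443}          # HTTPS beaconing on non-443 ports
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def _in_trusted_dir(path):
    """True when the file sits under a Windows or Program Files directory."""
    d = ntpath.dirname(path).lower() + "\\"
    return any(d.startswith(t) for t in TRUSTED_DIRS)


def check_sideload(ev):
    """T1574.002: unsigned DLL loaded from the host EXE's own directory,
    where that EXE lives outside the trusted system directories."""
    if ev.get("EventID") != 7:
        return None
    same_dir = ntpath.dirname(ev["Image"]).lower() == ntpath.dirname(ev["ImageLoaded"]).lower()
    unsigned = str(ev.get("Signed", "false")).lower() != "true"
    if same_dir and unsigned and not _in_trusted_dir(ev["Image"]):
        return ("T1574.002", f"{ev['Image']} loaded unsigned {ev['ImageLoaded']}")
    return None


def check_run_key(ev):
    """T1547.001: a value written under a CurrentVersion\\Run or RunOnce key."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "").lower()
    if any(m in target for m in RUN_KEY_MARKERS):
        return ("T1547.001", f"{ev['TargetObject']} = {ev.get('Details', '')}")
    return None


def check_network(ev):
    """T1071.001: host-initiated connection to a non-internal address on a
    port this page lists for Glutton's HTTPS beaconing."""
    if ev.get("EventID") != 3 or str(ev.get("Initiated", "")).lower() != "true":
        return None
    ip = ipaddress.ip_address(ev["DestinationIp"])
    port = int(ev["DestinationPort"])
    if port in SUSPICIOUS_PORTS and not any(ip in net for net in INTERNAL_NETS):
        return ("T1071.001", f"outbound connection to {ip}:{port}")
    return None


def check_dns(ev):
    """Watchlist hit: query for an IOC domain or any of its subdomains."""
    if ev.get("EventID") != 22:
        return None
    name = ev.get("QueryName", "").lower().rstrip(".")
    if any(name == d or name.endswith("." + d) for d in IOC_DOMAINS):
        return ("IOC", f"DNS query for {name}")
    return None


CHECKS = (check_sideload, check_run_key, check_network, check_dns)


def triage(jsonl):
    """Run every check over each JSON-lines event; return findings in event order."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append({"technique": hit[0], "detail": hit[1], "event": ev})
    return findings


# Constructed sample: four suspicious events interleaved with three benign ones.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Roaming\\UpdateSvc\\signedhost.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Roaming\\UpdateSvc\\version.dll", "Signed": "false"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true"}
{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\UpdateSvc", "Details": "C:\\Users\\alice\\AppData\\Roaming\\UpdateSvc\\signedhost.exe"}
{"EventID": 3, "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": 8443, "Protocol": "tcp"}
{"EventID": 3, "Initiated": "true", "DestinationIp": "10.0.0.5", "DestinationPort": 8080, "Protocol": "tcp"}
{"EventID": 22, "QueryName": "update-server.net"}
{"EventID": 22, "QueryName": "www.example.com"}
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["technique"], f["detail"])
```

The side-loading check deliberately ignores DLLs under C:\Windows and Program Files, where same-directory loads are normal; the first hit in the sample, a signed host executable in a user's AppData directory loading an unsigned version.dll beside it, is the shape the Technical Capabilities section describes. The port check excludes internal destinations because 8080 and 8443 are common for internal proxies and admin consoles, which would otherwise drown the alert.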
☠️ Risk & Impact
Glutton primarily facilitates intellectual property theft and espionage by exfiltrating documents, credentials, and internal network maps from compromised systems. The impact is prolonged undetected access to sensitive networks, leading to data breaches and, through the peer-to-peer relay, the use of one victim's network as a hop for others. Affected sectors are government, telecommunications, and defense contractors in Southeast Asia, with the risk of pivoting into partner organizations over trusted connections.
🛡️ Mitigation
Defenses should include application control (e.g., WDAC or AppLocker) that blocks unsigned DLLs from user-writable directories, EDR/XDR behavioral rules for DLL side-loading (MITRE T1574.002), and email gateway filtering of spear-phishing attachments. Keep Office patched against the vulnerabilities used for initial access (including CVE-2017-11882), and deploy YARA rules for Glutton's mutex string and file hashes from the Unit 42 report (URL: https://unit42.paloaltonetworks.com/glutton-backdoor-apt41/). Hash rules match only the exact samples listed, so pair them with the mutex string, which should be searched in both ASCII and UTF-16LE because Windows binaries often store object names as wide strings.
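An offline scanner for the file-level indicators in this section, added as an example for this page (it is not a Unit 42 or Boteraser tool): it hashes every file under a directory, compares the digest against a watchlist, and searches for the mutex name in both ASCII and UTF-16LE. The watchlist is left empty by design and should be populated only with digests verified against the original report; the mutex name is the one listed on this page, without the Global\ prefix so that both prefixed and unprefixed forms match. demo() builds a constructed tree in a temporary directory so the scanner can be exercised without real samples.

```python
"""Offline scan of a directory tree for the file-level indicators in the
Mitigation section: SHA-256 watchlist hits and the mutex name.

Added example written for this page, not a Unit 42 or Boteraser tool. The
hash watchlist is empty by design: populate it only with digests verified
against the original report. The mutex name is searched in both ASCII and
UTF-16LE, because Windows binaries usually store object names as wide strings
and an ASCII-only grep misses them. demo() builds a constructed tree in a
temporary directory so the scanner can be exercised without real samples.
"""
import hashlib
import os
import tempfile

MUTEX_NAME = "Glutton_Relay_Mutex"   # as listed on this page; verify before use
MUTEX_PATTERNS = (
    ("ascii", MUTEX_NAME.encode("ascii")),
    ("utf-16le", MUTEX_NAME.encode("utf-16-le")),
)


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def mutex_encodings(data):
    """Return the encodings in which the mutex name appears in data."""
    return [enc for enc, pat in MUTEX_PATTERNS if pat in data]


def scan_tree(root, hash_watchlist=frozenset()):
    """Walk root; return sorted (relative path, sha256, reasons) for each hit."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            digest = sha256_bytes(data)
            reasons = []
            if digest in hash_watchlist:
                reasons.append("sha256 watchlist")
            reasons += [f"mutex string ({enc})" for enc in mutex_encodings(data)]
            if reasons:
                findings.append((os.path.relpath(path, root), digest, reasons))
    return sorted(findings)


def demo():
    """Constructed tree: one file carries the mutex as UTF-16LE inside filler,
    one is caught only by its hash, one is clean. Returns the scan findings."""
    wide_hit = (b"MZ" + b"\x00" * 16
                + "Global\\Glutton_Relay_Mutex".encode("utf-16-le") + b"\x00" * 16)
    hash_only = b"MZ" + b"constructed sample with no strings of interest" * 4
    clean = b"MZ" + b"\x00" * 64
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        files = {"loader.dll": wide_hit,
                 os.path.join("sub", "core.bin"): hash_only,
                 "clean.bin": clean}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        # The watchlist here is derived from the constructed file so the hash
        # path is exercised; a real deployment loads verified digests instead.
        return scan_tree(root, hash_watchlist={sha256_bytes(hash_only)})


if __name__ == "__main__":
    for rel, digest, reasons in demo():
        print(rel, digest[:16], ", ".join(reasons))
```

In the demo the loader file is found only by the UTF-16LE pattern: the ASCII pattern never matches a wide string because every character is followed by a NUL byte, which is exactly why a single-encoding rule is insufficient. The scanner reads whole files into memory for simplicity; for large trees, stream the hash and search in chunks with an overlap at least as long as the widest pattern.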
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.