Black and White Domination: Glutton Trojan Lurks in Mainstream PHP Frameworks
Essential information
- Published
- 11/12/2024 19:24
- Modified
- 11/12/2024 19:36
- Tags
- 2024-12-11 backdoor glutton php winnti
- Related entities
- 5 observables, 1 intrusion set (APT), 15 techniques (MITRE ATT&CK), 1 malware, 3 others
Description
The XLab threat detection system uncovered an advanced PHP trojan named Glutton that had been active for over a year without being detected. Glutton targets legitimate businesses and cybercriminal operations alike, injecting itself into deployments of popular PHP frameworks such as ThinkPHP and Laravel. It is built from modular components that handle information theft, backdoor installation, and code injection into the host application. The malware can deploy two kinds of implant: ELF-based Winnti backdoors and PHP-based backdoors, so it is not confined to the PHP runtime it arrives in. Notably, Glutton also goes after black-market operators by infecting their systems, apparently to steal from cybercriminals themselves. The PHP components run without writing files to disk, which makes detection difficult: scanning the web root for dropped files will not surface them, so defenders have to rely on the code injected into framework files, the behaviour and network activity of the running PHP processes, and the ELF backdoor where one has been deployed.