Gelsemium

Malware Profile Updated 12 days ago
Gelsemium is a sophisticated malware associated with Advanced Persistent Threat (APT) activities. It is known for its stealthy operations and the use of server-side exploits to deploy a web shell and multiple custom tools on targeted systems. The malware has been used in cyber-attacks against various organizations, including those in Palestine, Tajikistan and Kyrgyzstan, and more recently it is suspected to be behind a targeted attack on a Southeast Asian government.

The Gelsemium group uses both custom and public tools in its operations, often deploying them with stealth techniques. One such tool is 'EarthWorm', an open-source SOCKS proxy tunneller available on GitHub, which has previously been used by several China-linked APT groups, including 'Volt Typhoon', 'APT27' and 'Gelsemium' itself. The group's modus operandi typically involves server-side exploitation leading to the creation of a web shell, which then allows further infiltration of and control over the compromised system.

Gelsemium has recently featured prominently in cyber threat landscapes. Notably, it was highlighted in the same quarter as Kimsuky's use of the Golang-based backdoor Durian in a supply-chain attack in South Korea, alongside other campaigns focused on the Middle East. These instances indicate the active and persistent nature of Gelsemium, making it a significant threat worldwide.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Taurus | 3 | Taurus is a malicious software (malware) that has been associated with multiple cyber threat actors, notably Stately Taurus, Iron Taurus, and Starchy Taurus, all of which have connections to Chinese Advanced Persistent Threats (APTs). The malware is designed to infiltrate systems and steal personal
Stately Taurus | 2 | Stately Taurus, also known as Mustang Panda, Bronze President, Red Delta, LuminousMoth, Earth Preta, and Camaro Dragon, is a potent malware linked to Chinese Advanced Persistent Threat (APT) activities. The first signs of its operation date back to at least 2012, with notable activity traced to Marc
Alloy Taurus | 2 | Alloy Taurus, a threat actor group, has been identified as a significant cybersecurity concern due to its persistent attempts at cyberespionage, primarily targeting the government sector in Southeast Asia. The activity of this group was first observed in early 2022 and continued throughout 2023, dur
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Backdoor
Proxy
Malware
Asia
Government
IIS
Tool
Asian
Reconnaissance
ESET
SecurityWeek
Exploit
Implant
Webshell
Web Shell
Source
Associated Malware
ID | Type | Votes | Profile Description
Granite Typhoon | Unspecified | 1 | Granite Typhoon is a notable malware that has been implicated in several cyber-attacks on various organizations and entities. The malware, which operates by infiltrating systems through suspicious downloads, emails, or websites, has been linked to attacks on telecommunications firms in 2023, an oper
Iron Taurus | Unspecified | 1 | Iron Taurus, also known as APT27, is a malware that has been linked to various cyber-espionage activities. This malicious software is designed to infiltrate systems surreptitiously through suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operatio
ASPXSpy | Unspecified | 1 | ASPXSpy is a type of malware, specifically a web shell, that has been used by various threat actors to exploit and damage computer systems. The earliest deployment attempts date back to 2022 when this malicious software was deployed to multiple hosted websites. It's typically installed on vulnerable
Associated Threat Actors
ID | Type | Votes | Profile Description
Volt Typhoon | Unspecified | 1 | Volt Typhoon, a threat actor linked to China, has been identified as a significant cyber threat with strong operational security. Known for their sophisticated Advanced Persistent Threat (APT) activities, this group has been associated with the KV-Botnet and has remained undetected within U.S. infra
APT27 | Unspecified | 1 | APT27, also known as Iron Taurus, is a Chinese threat actor group that primarily engages in cyber operations with the goal of intellectual property theft. The group targets multiple organizations worldwide, including those in North and South America, Europe, and the Middle East. APT27 utilizes vario
Iron Tiger | Unspecified | 1 | Iron Tiger, also known as Iron Taurus or APT27, is a threat actor group known for executing malicious actions with the intent of espionage. The group became prominent after its involvement in Operation Iron Tiger, which was reported in 2015. This operation was a series of Chinese cyber-espionage att
Mustang Panda | Unspecified | 1 | Mustang Panda, also known as Bronze President, Nomad Panda, Naikon, Earth Preta, and Stately Taurus, is a Chinese-aligned threat actor that has been associated with widespread attacks against various countries in the Asia-Pacific region. The group's malicious activities were first traced back to Mar
Kimsuky | Unspecified | 1 | Kimsuky is a North Korea-linked advanced persistent threat (APT) group that conducts global cyber-attacks to gather intelligence for the North Korean government. The group has been identified as a significant threat actor, executing actions with malicious intent, and has recently targeted victims vi
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Gelsemium malware was read from the document corpus below. This display is limited to 20 results.
Source | Created | Title
Securityaffairs | 6 days ago | Security Affairs Malware Newsletter - Round 3
Securityaffairs | 12 days ago | Security Affairs Malware Newsletter - Round 2
Securityaffairs | 20 days ago | Security Affairs Malware Newsletter - Round 1
Securityaffairs | a month ago | Security Affairs newsletter Round 478 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | a month ago | Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | a month ago | Velvet Ant uses F5 BIG-IP malware in cyber espionage campaign
Securityaffairs | a month ago | Security Affairs newsletter Round 476 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | 2 months ago | Security Affairs newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION
DARKReading | 3 months ago | 'The Mask' Espionage Group Resurfaces After 10-Year Hiatus
Securelist | 3 months ago | APT trends report Q1 2024 – Securelist
Securityaffairs | 3 months ago | Security Affairs newsletter Round 470 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | 3 months ago | Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | 3 months ago | Security Affairs newsletter Round 467 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | 4 months ago | Security Affairs newsletter Round 466 by Pierluigi Paganini
Securityaffairs | 4 months ago | Security Affairs newsletter Round 465 by Pierluigi Paganini
Securityaffairs | 4 months ago | Security Affairs newsletter Round 464 by Pierluigi Paganini
Securityaffairs | 4 months ago | Security Affairs newsletter Round 463 by Pierluigi Paganini
Securityaffairs | 5 months ago | Security Affairs newsletter Round 462 by Pierluigi Paganini
Securityaffairs | 5 months ago | Security Affairs newsletter Round 461 by Pierluigi Paganini