Gelsemium

Malware updated 2 months ago (2024-11-29T13:45:16.110Z)
Gelsemium is the name ESET uses for a China-linked cyber-espionage group that has been active since at least 2014, and for the Windows malware toolset it operates. The group runs long-term, targeted operations and is suspected to be behind a series of espionage intrusions aimed at Southeast Asian governments. The initial access vector in those intrusions remains unclear; the available evidence suggests exploitation of an unidentified vulnerability in an Internet-facing web application.

In 2024 the group was observed deploying a previously unknown Linux backdoor, WolfsBane, against targets in East and Southeast Asia. WolfsBane is the Linux counterpart of Gelsevirine, the group's Windows backdoor. It functions as a stealthy loader: it establishes a foothold on the compromised host and enables the deployment of further malware modules. Its dropper, the equivalent of the Windows Gelsemine dropper, also installs a concealment mechanism derived from an open-source userland rootkit, so that the implant's artifacts are hidden from ordinary userland tools. The Linux tool set mirrors the group's Windows tooling for cyberespionage: collection of sensitive data while evading detection.

Alongside WolfsBane, a second Linux backdoor, FireWood, was observed. ESET attributes FireWood to Gelsemium with low confidence only, since it may be a tool shared among several China-linked groups. WolfsBane itself ESET attributes to Gelsemium, a group with a history of targeting the government, business and critical infrastructure sectors.
Description last updated: 2024-11-28T11:56:08.086Z
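The description above says WolfsBane's dropper installs a concealment mechanism derived from an open-source userland rootkit, without naming it. Open-source Linux userland rootkits almost universally work by preloading a shared object into every new process, through /etc/ld.so.preload or the LD_PRELOAD variable, so that it can hook libc calls such as readdir and hide the implant's files and processes. A first triage step on a suspected host is therefore to enumerate those preload points. The script below is an added example for this page, not ESET's or Cybergeist's code; it assumes the LD_PRELOAD mechanism, an allowlist you tune per estate (the jemalloc path is a placeholder), and runs offline on constructed ld.so.preload and /proc/<pid>/environ samples, with a helper that collects the same inputs from a live Linux host.

```python
import os
import re
from dataclasses import dataclass

# Assumed allowlist: libraries this fleet legitimately preloads system-wide
# (placeholder path; adjust for your estate). Anything else is worth a look.
ALLOWED_PRELOADS = {"/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"}

# Writable, non-library locations a legitimate preload would not live in.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")


@dataclass(frozen=True)
class Finding:
    source: str    # "ld.so.preload" or "pid <n>"
    library: str
    reason: str


def split_preload_list(text):
    """Tokenise an ld.so.preload file or an LD_PRELOAD value.

    glibc accepts whitespace- or colon-separated entries in both places, so a
    rootkit entry can sit after a legitimate one on the same line.
    """
    return [tok for tok in re.split(r"[\s:]+", text) if tok]


def parse_environ(blob):
    """Parse a /proc/<pid>/environ blob (NUL-separated KEY=VALUE pairs)."""
    env = {}
    for entry in blob.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def judge_library(lib):
    """Return a reason string if a preloaded library looks suspect, else None."""
    if lib in ALLOWED_PRELOADS:
        return None
    if not lib.startswith("/"):
        return "relative path; resolved through the library search path at load time"
    if lib.startswith(SUSPICIOUS_DIRS):
        return "preloaded from a writable non-library directory"
    return "preloaded library not on the allowlist"


def scan(preload_text, environs):
    """Scan ld.so.preload contents and a {pid: environ_blob} map for preload indicators."""
    findings = []
    for lib in split_preload_list(preload_text):
        reason = judge_library(lib)
        if reason:
            findings.append(Finding("ld.so.preload", lib, reason))
    for pid, blob in sorted(environs.items()):
        env = parse_environ(blob)
        for lib in split_preload_list(env.get("LD_PRELOAD", "")):
            reason = judge_library(lib)
            if reason:
                findings.append(Finding(f"pid {pid}", lib, reason))
    return findings


def scan_live_host():
    """Collect the same inputs from a running Linux host (root needed for other users' environ)."""
    try:
        with open("/etc/ld.so.preload") as fh:
            preload_text = fh.read()
    except FileNotFoundError:
        preload_text = ""  # absence is the normal state on most systems
    environs = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/environ", "rb") as fh:
                environs[int(pid)] = fh.read()
        except OSError:
            continue
    return scan(preload_text, environs)


# Constructed sample data: one system-wide preload list and two process environments.
SAMPLE_PRELOAD = "/usr/lib/x86_64-linux-gnu/libjemalloc.so.2 /usr/local/lib/libsysmon.so\n"
SAMPLE_ENVIRONS = {
    1234: b"PATH=/usr/bin\0LD_PRELOAD=/dev/shm/.x/libhide.so\0HOME=/root\0",
    1235: b"PATH=/usr/bin\0HOME=/home/alice\0",
}

if __name__ == "__main__":
    for f in scan(SAMPLE_PRELOAD, SAMPLE_ENVIRONS):
        print(f"{f.source}: {f.library} ({f.reason})")
```

One caveat a practitioner should keep in mind: a userland rootkit that hooks open/read can also hide its own entry from /etc/ld.so.preload and from /proc when read through the hooked libc, so an empty result on the live host is not proof of absence. Run the same checks from a trusted environment (a statically linked tool, a rescue boot, or an offline disk image) and compare.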
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
APT
Backdoor
Malware
Linux
Proxy
Exploit
Windows
Government
Asia
IIS
Associated Malware
Stately Taurus (association type: is related to; votes: 2)
Stately Taurus, also known as Mustang Panda, Bronze President, Camaro Dragon, Earth Preta, Luminous Moth and Red Delta, is a China-linked threat actor (listed here as malware) whose tooling has been used in cyber-espionage campaigns primarily targeting government entities in Southeast Asia. It is believed to be associated with China's (description truncated in source)
Associated Threat Actors
Alloy Taurus (association type: is related to; votes: 2)
Alloy Taurus is a threat actor group regarded as a significant concern because of its persistent cyber-espionage activity, primarily targeting the government sector in Southeast Asia. The activity of this group was first observed in early 2022 and continued throughout 2023 (description truncated in source)
Source Document References
Information about Gelsemium was read from the documents below (display limited to 20 results).
Source                  Created
Securityaffairs         2 months ago
InfoSecurity-magazine   2 months ago
DARKReading             2 months ago
InfoSecurity-magazine   2 months ago
Securityaffairs         6 months ago
Securityaffairs         6 months ago
Securityaffairs         6 months ago
Securityaffairs         6 months ago
Securityaffairs         7 months ago
Securityaffairs         7 months ago
Securityaffairs         7 months ago
Securityaffairs         7 months ago
Securityaffairs         8 months ago
Securityaffairs         8 months ago
Securityaffairs         8 months ago
DARKReading             9 months ago
Securelist              9 months ago
Securityaffairs         9 months ago
Securityaffairs         9 months ago
Securityaffairs         10 months ago