Gelsemium

Description

(ESET) The Gelsemium group has been active since at least 2014 and was described in the past by a few security companies .Gelsemium’s name comes from one possible translation we found while reading a report from VenusTech who dubbed the group 狼毒草 for the first time .It’s the name of a genus of flowering plants belonging to the family Gelsemiaceae, Gelsemium elegans is the species that contains toxic compounds like Gelsemine, Gelsenicine and Gelsevirine, which we chose as names for the three components of this malware family.

Names

Name	Name-Giver
Gelsemium	ESET

Country

• China

Motivation

• Information theft and espionage

First Seen

2014

Observed Sectors

• Education
• Gaming
• Government
• High-Tech
• NGOs
• religious organizations

Observed Countries

• Argentina
• Brunei
• China
• Djibouti
• Egypt
• Equatorial Guinea
• Hong Kong
• Indonesia
• Iran
• Iraq
• Israel
• Japan
• Jordan
• Kenya
• Laos
• Lebanon
• Malaysia
• Mongolia
• Nigeria
• North Korea
• Oman
• Pakistan
• Russia
• Saudi Arabia
• South Korea
• Sri Lanka
• Swaziland
• Syria
• Taiwan
• Thailand
• Turkey
• UAE
• UK
• Vietnam
• Yemen

Tools

• ASPXSpy
• BadPotato
• China Chopper
• Chrommme
• EarthWorm
• Cobalt Strike
• FireWood
• Gelsemine
• Gelsenicine
• Gelsevirine
• JuicyPotato
• Owowa
• OwlProxy
• reGeorg
• SessionManager
• SpoolFool
• SweetPotato
• WolfsBane

Operations

• 2014: Operation “TooHash” https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf
• 2021-01: Operation “NightScout” A new supply-chain attack compromising the update mechanism of NoxPlayer, an Android emulator for PCs and Macs, and part of BigNox’s product range with over 150 million users worldwide. https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/
• 2021-12: Kaspersky discovers poorly detected backdoor, targeting governments and NGOs around the globe https://www.kaspersky.com/about/press-releases/2022_kaspersky-discovers-poorly-detected-backdoor-targeting-governments-and-ngos-around-the-globe
• 2022 Mid: Rare Backdoors Suspected to be Tied to Gelsemium APT Found in Targeted Attack in Southeast Asian Government https://unit42.paloaltonetworks.com/rare-possible-gelsemium-attack-targets-se-asia/
• 2023: Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine https://www.welivesecurity.com/en/eset-research/unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine/

Information

• https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf
• https://www.venustech.com.cn/uploads/2018/08/231401512426.pdf

Other Information

Uuid

80d60b05-bf0a-4630-afa8-666fa6f72147

Last Card Change

2024-12-26