ESET Research discovers WolfsBane, new Linux cyberespionage backdoor by China-aligned Gelsemium

  • ESET researchers have identified multiple samples of the Linux backdoor WolfsBane and attributed it to Gelsemium, a China-aligned APT group.
  • The goal of these backdoors and tools is cyberespionage, targeting sensitive data such as system information, user credentials, and specific files and directories.
  • The samples originated from Taiwan, the Philippines, and Singapore.
  • WolfsBane is a Linux version of Gelsevirine, a Windows backdoor used by Gelsemium.
  • The second backdoor, which ESET has named FireWood, is connected to Project Wood. The Windows version of the Project Wood backdoor has been previously used by the Gelsemium group.

BRATISLAVA — November 21, 2024 — ESET researchers have identified multiple samples of a Linux backdoor, which they named WolfsBane and can confidently attribute to Gelsemium, a China-aligned advanced persistent threat (APT) group. The goal of the backdoors and tools that have been discovered is cyberespionage; they are being used to target sensitive data such as system information, user credentials, and specific files and directories. These tools are designed to maintain persistent access and execute commands stealthily, enabling prolonged intelligence gathering while evading detection. ESET discovered the samples at VirusTotal; they were uploaded from Taiwan, the Philippines, and Singapore, likely originating from an incident response on a compromised server. Gelsemium has previously targeted entities in Eastern Asia and the Middle East. This China-aligned threat actor has a known history dating back to 2014, but until now, there have been no public reports of Gelsemium using Linux malware.

ESET researchers also discovered a second Linux backdoor, which has been named FireWood. However, FireWood cannot be definitively linked to other Gelsemium tools, and its presence in the analysed archives might be coincidental. Therefore, ESET attributes FireWood to Gelsemium with low confidence, considering that it could be a tool shared among multiple China-aligned APT groups.

“The most notable samples we found in archives uploaded to VirusTotal are two backdoors resembling known Windows malware used by Gelsemium. WolfsBane is the Linux counterpart of Gelsevirine, while FireWood is connected to Project Wood. We also discovered other tools potentially related to Gelsemium’s activities,” says ESET researcher Viktor Šperka, who analysed Gelsemium’s latest toolset. “The trend of APT groups to focus on Linux malware is becoming more noticeable. We believe this shift is due to improvements in Windows email and endpoint security, such as the widespread use of endpoint detection and response tools, and Microsoft’s decision to disable Visual Basic for Applications macros by default. Consequently, threat actors are exploring new attack avenues, with a growing focus on exploiting vulnerabilities in internet-facing systems, most of which run on Linux,” explains Šperka.

The first backdoor, WolfsBane, is part of a simple loading chain consisting of the dropper, launcher, and backdoor. The analysed WolfsBane attack chain also includes a modified open-source userland rootkit, a type of software that exists in the user space of an operating system where it is able to hide its activities. The second backdoor, FireWood, is connected to a backdoor tracked by ESET researchers under the name Project Wood. ESET traced it back to 2005 and observed it evolving into more sophisticated versions; the backdoor was used previously in Operation TooHash. The archives ESET analysed also contain several additional tools - mostly webshells - that permit remote control by an attacker once they are installed on a compromised server, and simple utility tools.

For a more detailed analysis and technical breakdown of Gelsemium’s latest toolset, check out the latest ESET Research blogpost “Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.

Figure: WolfsBane execution chain

About ESET

ESET® provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of known and emerging cyberthreats — securing businesses, critical infrastructure, and individuals. Whether it’s endpoint, cloud or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. An ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com/uk or follow us on LinkedIn, Facebook, and X.