The Chinese advanced persistent threat (APT) group Gelsemium has expanded its arsenal by deploying WolfsBane, a Linux-based backdoor, in targeted cyberespionage campaigns. This represents the group’s first confirmed use of Linux malware and signals a strategic shift towards diversifying its attack capabilities. According to cybersecurity firm ESET, the malware was detected in March 2023 through VirusTotal submissions from Taiwan, the Philippines, and Singapore, suggesting its likely focus on East and Southeast Asia.
WolfsBane is a Linux adaptation of Gelsevirine, a backdoor Gelsemium has used on Windows systems since at least 2014. The backdoor is designed for long-term persistence, allowing attackers to execute commands and gather sensitive data such as system information, user credentials, and specific files. It employs a modified open-source BEURK userland rootkit to hide its activities, enabling stealthy command execution from an attacker-controlled server. This level of sophistication highlights Gelsemium’s intent to remain undetected while conducting prolonged intelligence-gathering operations.
ESET also discovered another malware implant named FireWood, linked to a separate framework known as Project Wood. While FireWood has been tentatively attributed to Gelsemium, researchers acknowledge the possibility of its use by other China-aligned threat actors. FireWood features advanced cloaking mechanisms, including a kernel driver module called usbdev.ko, which conceals its processes while facilitating command execution. Both tools underline the group’s evolving tactics and its focus on bypassing modern detection technologies.
The transition to targeting Linux systems reflects a broader trend among APT groups as they adapt to heightened security measures in email and endpoint defenses. The growing adoption of Endpoint Detection and Response (EDR) solutions and the disabling of VBA macros by default in Microsoft Office are forcing threat actors to explore alternative attack vectors. Gelsemium’s use of WolfsBane and FireWood underscores the increasing importance of securing Linux environments, which are becoming a critical frontier in cyberespionage.
