{
	"id": "8ca34d23-71a9-45e9-a9d5-0fea45b4d697",
	"created_at": "2026-04-06T00:16:25.586497Z",
	"updated_at": "2026-04-10T03:27:16.225644Z",
	"deleted_at": null,
	"sha1_hash": "17c0e17f93b21eba5aed2bc3d82fd13e8cfec4ac",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 68628,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 13:46:15 UTC\nAPT group: Gelsemium\nNames Gelsemium (ESET)\nCountry China\nMotivation Information theft and espionage\nFirst seen 2014\nDescription\n(ESET) The Gelsemium group has been active since at least 2014 and was described in the past by a few security companies […]\nname comes from one possible translation we found while reading a report from VenusTech who dubbed the group 狼毒草 […]\ntime. It’s the name of a genus of flowering plants belonging to the family Gelsemiaceae, Gelsemium elegans is the species […]\ntoxic compounds like Gelsemine, Gelsenicine and Gelsevirine, which we chose as names for the three components of this […]\nObserved\nSectors: Education, Gaming, Government, High-Tech, NGOs and religious organizations.\nCountries: Argentina, Brunei, China, Djibouti, Egypt, Equatorial Guinea, Hong Kong, Indonesia, Iran, Iraq, Israel, Japan,\nLaos, Lebanon, Malaysia, Mongolia, Nigeria, North Korea, Oman, Pakistan, Russia, Saudi Arabia, South Korea, Sri Lanka, […]\nSyria, Taiwan, Thailand, Turkey, UAE, UK, Vietnam, Yemen.\nTools used\nASPXSpy, BadPotato, China Chopper, Chrommme, EarthWorm, Cobalt Strike, FireWood, Gelsemine, Gelsenicine, Gelsevirine, […]\nJuicyPotato, Owowa, OwlProxy, reGeorg, SessionManager, SpoolFool, SweetPotato, WolfsBane.\nOperations performed\n2014\nOperation “TooHash”\nMid 2022\nRare Backdoors Suspected to be Tied to Gelsemium APT Found in Targeted Attack in Southeast Asian Government\n2023\nUnveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine\nLast change to this card: 26 December 2024\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=80d60b05-bf0a-4630-afa8-666fa6f72147\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=80d60b05-bf0a-4630-afa8-666fa6f72147\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=80d60b05-bf0a-4630-afa8-666fa6f72147"
	],
	"report_names": [
		"showcard.cgi?u=80d60b05-bf0a-4630-afa8-666fa6f72147"
	],
	"threat_actors": [
		{
			"id": "2d4d2356-8f9e-464d-afc6-2403ce8cf424",
			"created_at": "2023-01-06T13:46:39.290101Z",
			"updated_at": "2026-04-10T02:00:03.275981Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"狼毒草"
			],
			"source_name": "MISPGALAXY:Gelsemium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "77874718-7ad2-4d15-9831-10935ab9bcbe",
			"created_at": "2022-10-25T15:50:23.619911Z",
			"updated_at": "2026-04-10T02:00:05.349462Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Gelsemium"
			],
			"source_name": "MITRE:Gelsemium",
			"tools": [
				"Gelsemium",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b5550c4e-943a-45ea-bf67-875b989ee4c4",
			"created_at": "2022-10-25T16:07:23.675771Z",
			"updated_at": "2026-04-10T02:00:04.707782Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Operation NightScout",
				"Operation TooHash"
			],
			"source_name": "ETDA:Gelsemium",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"Chrommme",
				"Cobalt Strike",
				"CobaltStrike",
				"FireWood",
				"Gelsemine",
				"Gelsenicine",
				"Gelsevirine",
				"JuicyPotato",
				"OwlProxy",
				"Owowa",
				"SAMRID",
				"SessionManager",
				"SinoChopper",
				"SpoolFool",
				"SweetPotato",
				"WolfsBane",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434585,
	"ts_updated_at": 1775791636,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/17c0e17f93b21eba5aed2bc3d82fd13e8cfec4ac.pdf",
		"text": "https://archive.orkl.eu/17c0e17f93b21eba5aed2bc3d82fd13e8cfec4ac.txt",
		"img": "https://archive.orkl.eu/17c0e17f93b21eba5aed2bc3d82fd13e8cfec4ac.jpg"
	}
}