Threat Group Cards: A Threat Actor Encyclopedia

Archived: 2026-04-05 13:46:15 UTC

APT group: Gelsemium

Names: Gelsemium (ESET)

Country: China

Motivation: Information theft and espionage

First seen: 2014

Description: (ESET) The Gelsemium group has been active since at least 2014 and was described in the past by a few security compan name comes from one possible translation we found while reading a report from VenusTech who dubbed the group 狼毒草 time. It’s the name of a genus of flowering plants belonging to the family Gelsemiaceae, Gelsemium elegans is the specie toxic compounds like Gelsemine, Gelsenicine and Gelsevirine, which we chose as names for the three components of this

Observed

Sectors: Education, Gaming, Government, High-Tech, NGOs and religious organizations.

Countries: Argentina, Brunei, China, Djibouti, Egypt, Equatorial Guinea, Hong Kong, Indonesia, Iran, Iraq, Israel, Japan, Laos, Lebanon, Malaysia, Mongolia, Nigeria, North Korea, Oman, Pakistan, Russia, Saudi Arabia, South Korea, Sri Lank Syria, Taiwan, Thailand, Turkey, UAE, UK, Vietnam, Yemen.

Tools used: ASPXSpy, BadPotato, China Chopper, Chrommme, EarthWorm, Cobalt Strike, FireWood, Gelsemine, Gelsenicine, Gelse JuicyPotato, Owowa, OwlProxy, reGeorg, SessionManager, SpoolFool, SweetPotato, WolfsBane.

Operations performed

2014: Operation “TooHash”

Mid 2022: Rare Backdoors Suspected to be Tied to Gelsemium APT Found in Targeted Attack in Southeast Asian Gov

2023: Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine

Last change to this card: 26 December 2024

Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=80d60b05-bf0a-4630-afa8-666fa6f72147