{
	"id": "6f290f4a-221a-4ad6-b39f-58aaecffb8a0",
	"created_at": "2026-04-06T00:19:48.49962Z",
	"updated_at": "2026-04-10T03:27:16.181429Z",
	"deleted_at": null,
	"sha1_hash": "57a55b597baf196da4dad97da2f09f00da989f6d",
	"title": "Gelsemium: When threat actors go gardening",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 712828,
	"plain_text": "Gelsemium: When threat actors go gardening\r\nBy Matthieu Faou and Thomas Dupuy\r\nArchived: 2026-04-05 17:49:22 UTC\r\nESET Research\r\nESET researchers shed light on new campaigns from the quiet Gelsemium group\r\n09 Jun 2021 • 4 min. read\r\nIn mid-2020, ESET researchers started to analyze multiple campaigns, later attributed to the Gelsemium group,\r\nand tracked down the earliest version of the malware going back to 2014. Victims of these campaigns are located\r\nin East Asia as well as the Middle East and include governments, religious organizations, electronics\r\nmanufacturers and universities.\r\nKey points in this report:\r\nESET researchers believe that Gelsemium is behind the supply-chain attack against BigNox that was\r\npreviously reported as Operation NightScout\r\nESET researchers found a new version of Gelsemium, complex and modular malware, later referred to as\r\nGelsemine, Gelsenicine and Gelsevirine\r\nNew targets were discovered that include governments, universities, electronics manufacturers and\r\nreligious organizations in East Asia and the Middle East\r\nGelsemium is a cyberespionage group active since 2014\r\nhttps://www.welivesecurity.com/2021/06/09/gelsemium-when-threat-actors-go-gardening/\r\nPage 1 of 6\n\nThe geographical distribution of Gelsemium’s targets can be seen in Figure 1.\r\nFigure 1. Targets’ locations\r\nGelsemium components\r\nGelsemium’s whole chain might appear simple at first sight, but the exhaustive configurations, implanted at each\r\nstage, modify on-the-fly settings for the final payload, making it harder to understand. Behaviors analyzed below\r\nare tied to the configuration; as a result, filenames and paths may be different in other samples. Most of the\r\ncampaigns we observed follow what we describe here.\r\nFigure 2. Overview of the three components’ workflow\r\nGelsemine: The dropper\r\nGelsemium’s first stage is a large dropper written in C++ using the Microsoft Foundation Class library (MFC).\r\nThis stage contains multiple further stages’ binaries. Dropper sizes range from about 400 kB to 700 kB, which is\r\nunusual and would be even larger if the eight embedded executables were not compressed. The developers use the\r\nzlib library, statically linked, to greatly reduce the overall size. Behind this oversized executable is hidden a\r\ncomplex yet flexible mechanism that is able to drop different stages according to the characteristics of the victim\r\ncomputer, such as bitness (32-bit vs. 64-bit) or privilege (standard user vs. administrator). Almost all stages are\r\ncompressed, located in the resource section of the PE and mapped into the same component’s memory address\r\nspace. Figure 3 illustrates all stages in the Gelsemine component.\r\nFigure 3. Gelsemine address space overview\r\nGelsenicine: The loader\r\nGelsenicine is a loader that retrieves Gelsevirine and executes it. There are two different versions of the loader –\r\nboth of them are DLLs; however, they differ in the context where Gelsemine is executed.\r\nFor victims with administrator privileges, Gelsemine drops Gelsenicine at\r\nC:\\Windows\\System32\\spool\\prtprocs\\x64\\winprint.dll (user-mode DLL for print processor) that is then\r\nautomatically loaded by the spoolsv Windows service. To write a file under the %WINDIR%/system32 directory,\r\nadministrator privileges are mandatory; hence the requirement previously mentioned.\r\nUsers with standard privileges compromised by Gelsemine drop Gelsenicine under a different directory that does\r\nnot require administrator privileges. The DLL chrome_elf.dll is dropped under\r\n%CommonAppData%/Google/Chrome/Application/Library/.\r\nGelsevirine: The main plug-in\r\nGelsevirine is the last stage of the chain and it is called MainPlugin by its developers, according to the DLL name\r\nand also the PDB path found in old samples (Z:\\z_code\\Q1\\Client\\Win32\\Release\\MainPlugin.pdb). It’s also worth\r\nmentioning that if defenders manage to obtain this last stage alone, it won’t run flawlessly since it requires its\r\narguments to have been set up by Gelsenicine.\r\nThe config used by Gelsenicine contains a field named controller_version that we believe is the versioning used\r\nby the operators for this main plug-in. Figure 4 provides a timeline of the different versions we have observed in\r\nthe wild; the dates are approximate.\r\nFigure 4. Gelsevirine version timeline\r\nAdditional links/tools\r\nDuring our investigation we encountered some interesting malware described in the following sections.\r\nOperation NightScout (BigNox): In January 2021, another ESET researcher analyzed and wrote an article\r\nabout Operation NightScout; a supply-chain attack compromising the update mechanism of NoxPlayer, an\r\nAndroid emulator for PCs and Macs, and part of BigNox’s product range with over 150 million users\r\nworldwide. The investigation uncovered some overlap between this supply-chain attack and the\r\nGelsemium group. Victims originally compromised by that supply-chain attack were later being\r\ncompromised by Gelsemine. Among the different variants examined, “variant 2” from that article shows\r\nsimilarities with Gelsemium malware.\r\nOwlProxy: This module also comes in two variants – 32- and 64-bit versions – and as a result it contains a\r\nfunction to test the Windows version the same as in the Gelsemium components.\r\nChrommme: Chrommme is a backdoor we found during our adventures in the Gelsemium ecosystem.\r\nCode similarities with Gelsemium components are almost nonexistent but small indicators were found\r\nduring the analysis that led us to believe that it’s somehow related to the group. The same C\u0026C server\r\nwas found in both Gelsevirine and Chrommme; both use two C\u0026C servers. Chrommme was found on\r\nan organization’s machine also compromised by the Gelsemium group.\r\nConclusion\r\nThe Gelsemium biome is very interesting: it shows few victims (according to our telemetry) with a vast number of\r\nadaptable components. The plug-in system shows that its developers have deep C++ knowledge. Small similarities\r\nwith known malware tools shed light on interesting, possible overlaps with other groups and past activities. We\r\nhope that this research will drive other researchers to publish about the group and reveal more roots related to this\r\nmalware biosphere.\r\nA full and comprehensive list of Indicators of Compromise (IoCs) and samples can be found in the full white\r\npaper and in our GitHub repository.\r\nFor any inquiries, or to make sample submissions related to the subject, contact us at\r\nthreatintel@eset.com.\r\nTo learn more about how threat intelligence services can enhance the cybersecurity posture of your\r\norganization, visit the ESET Threat Intelligence page.\r\nSource: https://www.welivesecurity.com/2021/06/09/gelsemium-when-threat-actors-go-gardening/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2021/06/09/gelsemium-when-threat-actors-go-gardening/"
	],
	"report_names": [
		"gelsemium-when-threat-actors-go-gardening"
	],
	"threat_actors": [
		{
			"id": "068b67c8-604c-4272-b808-350413fa9ee3",
			"created_at": "2022-10-25T16:07:23.975708Z",
			"updated_at": "2026-04-10T02:00:04.816253Z",
			"deleted_at": null,
			"main_name": "Operation NightScout",
			"aliases": [],
			"source_name": "ETDA:Operation NightScout",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2d4d2356-8f9e-464d-afc6-2403ce8cf424",
			"created_at": "2023-01-06T13:46:39.290101Z",
			"updated_at": "2026-04-10T02:00:03.275981Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"狼毒草"
			],
			"source_name": "MISPGALAXY:Gelsemium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "77874718-7ad2-4d15-9831-10935ab9bcbe",
			"created_at": "2022-10-25T15:50:23.619911Z",
			"updated_at": "2026-04-10T02:00:05.349462Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Gelsemium"
			],
			"source_name": "MITRE:Gelsemium",
			"tools": [
				"Gelsemium",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b5550c4e-943a-45ea-bf67-875b989ee4c4",
			"created_at": "2022-10-25T16:07:23.675771Z",
			"updated_at": "2026-04-10T02:00:04.707782Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Operation NightScout",
				"Operation TooHash"
			],
			"source_name": "ETDA:Gelsemium",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"Chrommme",
				"Cobalt Strike",
				"CobaltStrike",
				"FireWood",
				"Gelsemine",
				"Gelsenicine",
				"Gelsevirine",
				"JuicyPotato",
				"OwlProxy",
				"Owowa",
				"SAMRID",
				"SessionManager",
				"SinoChopper",
				"SpoolFool",
				"SweetPotato",
				"WolfsBane",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434788,
	"ts_updated_at": 1775791636,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/57a55b597baf196da4dad97da2f09f00da989f6d.pdf",
		"text": "https://archive.orkl.eu/57a55b597baf196da4dad97da2f09f00da989f6d.txt",
		"img": "https://archive.orkl.eu/57a55b597baf196da4dad97da2f09f00da989f6d.jpg"
	}
}