{
	"id": "d1007958-af65-4275-8b40-337c0d0c752c",
	"created_at": "2026-04-06T00:12:12.10929Z",
	"updated_at": "2026-04-10T13:12:24.625485Z",
	"deleted_at": null,
	"sha1_hash": "639f89c875e141c4558c8c0f84620f460e5894d9",
	"title": "Threat Bulletin: Fire in the Woods – A New Variant of FireWood",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 903937,
	"plain_text": "Threat Bulletin: Fire in the Woods – A New Variant of FireWood\r\nBy Nicole Fishbein\r\nPublished: 2025-08-13 · Archived: 2026-04-05 22:55:16 UTC\r\nA new and low-detected variant of the FireWood backdoor was discovered by Intezer’s Research Team, with some changes in the implementation and the configuration of the backdoor.\r\nFireWood is a Linux backdoor discovered by ESET’s research team. They linked it to the long‑running “Project Wood” malware lineage, which dates back to at least 2005 and includes usage in the earlier Operation TooHash campaign. It functions as a remote access trojan (RAT) on Linux systems, employing kernel‑level rootkit modules (e.g., usbdev.ko) and TEA‑based encryption to hide its presence, maintain persistence, and communicate covertly with its command‑and‑control infrastructure. Once deployed, likely via web shells left on compromised Linux desktops, it enables attackers to execute commands, exfiltrate sensitive data such as system information and credentials, and operate stealthily over prolonged espionage operations. The backdoor has low-confidence connections to the China-aligned Gelsemium APT group, as the overlaps may be coincidental or reflect shared tools across multiple groups.\r\nWe found a new and low-detected variant of the FireWood backdoor. The core functionality of the backdoor remains the same, but we did notice some changes in the implementation and the configuration of the backdoor. It is unclear if the kernel module was also updated, as we were not able to collect it.\r\nCode analysis of the new version in Intezer.\r\nSHA256: 898a5bd86c5d99eb70088a90f1d8f90b03bd38c15a232200538d0601c888acb6\r\nTechnical Analysis of New Firewood Variant\r\nhttps://intezer.com/blog/threat-bulletin-firewood/\r\nPage 1 of 4\r\nIn the older variant, execution began with an explicit permission gate, calling CUser::IsSuc(), and the process would exit if this check failed. In the newer build, that early check is removed entirely. The new version defers any root‑or‑kernel gating until after it daemonizes and saves its PID. To achieve this, the code splits the former SavePidAndCheckKernel() helper into two discrete steps: an early SavePid(pid), followed later by CModuleControl::AutoLoad() and CheckLkmLoad(). This separation clarifies the startup sequence and enhances the hide‑via‑kernel‑module logic. Additionally, rather than simply sending a stripped‑down identifier, the updated version builds a larger buffer containing the process name, hex‑formatted port, PID, a hardcoded “kde‑tra” process name, and a configurable flag (or the literal “nothing”). That extra metadata is passed through CHideProcess::NetLinkInit(), CHideProcess::SendProcessName(\u0026CHideProcess::mInstance), and CHideProcess::Destroy().\r\nNote the typo in the method name “Destroy”; this error also appears in the older Firewood variant. Another typo persists in both versions in the following error message: “Get Memory Faile”.\r\nNew evasion implementation and comparison of main functions\r\nOn the networking side, the older version read configuration settings that defined both the number of days between beaconing and a delayTime specifying the interval between packets. It also used a randomized time‑window algorithm to stagger connections. The new build collapses all of this into a straightforward while (true) loop. After waiting for the configured startup delay, it continuously calls ConnectToSvr(), sleeping briefly on failure, until success or until the overall timer expires, then cleans up and exits. By removing the multi‑stage scheduling and random timing logic, the connection routine becomes more predictable and maintainable, trading temporal obfuscation for reliable C2 reachability.\r\nOverall, the communication protocol and C2 setup remain the same; the only significant change is that the new version no longer relies on timeouts from the configuration.\r\nBoth Firewood versions collect information about the user and the infected machine. The new variant adds a fallback for OS detection: whereas the older version reads distribution data from /etc/issue, the new version falls back to /etc/issue.net if /etc/issue is unavailable, parsing the data in the same way.\r\nThe backdoor defines file paths used by both itself and its kernel module. The new variant sets paths for root users as:\r\n/usr/lib/.kde-root/\r\n/usr/lib/.kde-root/lib/\r\n/usr/lib/.kde-root/data/\r\n/usr/lib/.kde-root/kdeinit\r\n/usr/lib/.kde-root/pid\r\n/etc/init.d/rc.local\r\nFor non-root users, it uses:\r\n$HOME/.kde-root/\r\n$HOME/.kde-root/lib/\r\n$HOME/.kde-root/data/\r\n$HOME/.kde-root/kdeinit\r\n$HOME/.kde-root/pid\r\n$HOME/.bashrc\r\nBy contrast, the older variant for root users used:\r\n/etc/init.d/rc.local\r\n/etc/rc.d/rc.local\r\n/etc/init.d/boot.local\r\nAnd for non-root users:\r\n$HOME/.bashrc\r\nThe FireWood backdoor supports a number of commands documented by ESET. The new variant removes some commands and adds others. It drops commands for changing beacon intervals and delay times (command IDs 0x111, 0x113, 0x114), as these settings are no longer used. It also removes the file-read command (ID 0x201). The process‑hiding command has moved to ID 0x202 (from 0x112), and the HideModule function was removed. A new command (SetAutoKillEl, ID 0x160) toggles or sets an “auto‑kill” feature in the agent.\r\nBesides these commands, there are also three commands that appear in both versions and were not previously documented:\r\nCommand id 0x109: A command that indicates a change in the connection configuration.\r\nCommand id 0x192: Gets a file from the C2 and executes it using the system function. Unlike the previously documented command id 0x185, this command first calls ‘CFileControl::FileUp’ to receive the file from the C2.\r\nCommand id 0x195: Exfiltration of files with the following extensions: v2, .k2, .W2, and drive.C2.\r\nWe also located an older sample submitted to VirusTotal from Iran on February 5, 2025:\r\n4c293309a7541edb89e3ec99c4074584328a21309e75a46d0ddb4373652ee0d6\r\nAdditionally, we found a sample from the Philippines submitted on May 7, 2022; its code is identical to the one we analyzed:\r\nd7be3494b3e1722eb28f317f3b85ee68bf7ea5508aa2d5782392619e078b78af\r\nIOCs\r\nNew Firewood Version\r\n898a5bd86c5d99eb70088a90f1d8f90b03bd38c15a232200538d0601c888acb6\r\nd7be3494b3e1722eb28f317f3b85ee68bf7ea5508aa2d5782392619e078b78af\r\nOld Firewood Version\r\ncff20753e36a4c942dc4dab5a91fd621a42330e17a89185a5b7262280bcd9263\r\n4c293309a7541edb89e3ec99c4074584328a21309e75a46d0ddb4373652ee0d6\r\nSource: https://intezer.com/blog/threat-bulletin-firewood/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://intezer.com/blog/threat-bulletin-firewood/"
	],
	"report_names": [
		"threat-bulletin-firewood"
	],
	"threat_actors": [
		{
			"id": "2d4d2356-8f9e-464d-afc6-2403ce8cf424",
			"created_at": "2023-01-06T13:46:39.290101Z",
			"updated_at": "2026-04-10T02:00:03.275981Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"狼毒草"
			],
			"source_name": "MISPGALAXY:Gelsemium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "77874718-7ad2-4d15-9831-10935ab9bcbe",
			"created_at": "2022-10-25T15:50:23.619911Z",
			"updated_at": "2026-04-10T02:00:05.349462Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Gelsemium"
			],
			"source_name": "MITRE:Gelsemium",
			"tools": [
				"Gelsemium",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b5550c4e-943a-45ea-bf67-875b989ee4c4",
			"created_at": "2022-10-25T16:07:23.675771Z",
			"updated_at": "2026-04-10T02:00:04.707782Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Operation NightScout",
				"Operation TooHash"
			],
			"source_name": "ETDA:Gelsemium",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"Chrommme",
				"Cobalt Strike",
				"CobaltStrike",
				"FireWood",
				"Gelsemine",
				"Gelsenicine",
				"Gelsevirine",
				"JuicyPotato",
				"OwlProxy",
				"Owowa",
				"SAMRID",
				"SessionManager",
				"SinoChopper",
				"SpoolFool",
				"SweetPotato",
				"WolfsBane",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434332,
	"ts_updated_at": 1775826744,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/639f89c875e141c4558c8c0f84620f460e5894d9.pdf",
		"text": "https://archive.orkl.eu/639f89c875e141c4558c8c0f84620f460e5894d9.txt",
		"img": "https://archive.orkl.eu/639f89c875e141c4558c8c0f84620f460e5894d9.jpg"
	}
}