{
	"id": "d5f4dfb3-903b-4805-9863-3250600924bd",
	"created_at": "2026-04-06T00:15:02.254263Z",
	"updated_at": "2026-04-10T03:27:16.165339Z",
	"deleted_at": null,
	"sha1_hash": "ad6740045c5dc9af006d2517ce6f8b17bda5a79d",
	"title": "Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 675528,
	"plain_text": "Unveiling WolfsBane: Gelsemium’s Linux counterpart to\r\nGelsevirine\r\nBy Viktor Šperka\r\nArchived: 2026-04-05 15:00:59 UTC\r\nESET researchers have identified multiple samples of a Linux backdoor, which we have named WolfsBane, that we\r\nattribute with high confidence to the Gelsemium advanced persistent threat (APT) group. This China-aligned\r\nthreat actor has a known history dating back to 2014 and until now, there have been no public reports of\r\nGelsemium using Linux malware. Additionally, we discovered another Linux backdoor, which we named\r\nFireWood. However, we cannot definitively link FireWood to other Gelsemium tools, and its presence in the\r\nanalyzed archives might be coincidental. Thus, we attribute FireWood to Gelsemium with low confidence,\r\nconsidering it could be a tool shared among multiple China-aligned APT groups.\r\nThe most notable samples we found in archives uploaded to VirusTotal are two backdoors resembling known\r\nWindows malware used by Gelsemium. WolfsBane is the Linux counterpart of Gelsevirine, while FireWood is\r\nconnected to Project Wood. We also discovered other tools potentially related to Gelsemium’s activities. The goal\r\nof the backdoors and tools discovered is cyberespionage targeting sensitive data such as system information, user\r\ncredentials, and specific files and directories. These tools are designed to maintain persistent access and execute\r\ncommands stealthily, enabling prolonged intelligence gathering while evading detection.\r\nThe trend of APT groups focusing on Linux malware is becoming more noticeable. 
We believe this shift is due to\r\nimprovements in Windows email and endpoint security, such as the widespread use of endpoint detection and\r\nresponse (EDR) tools and Microsoft’s decision to disable Visual Basic for Applications (VBA) macros by default.\r\nConsequently, threat actors are exploring new attack avenues, with a growing focus on exploiting vulnerabilities\r\nin internet-facing systems, most of which run on Linux.\r\nIn this blogpost, we provide a technical analysis of the Linux malware, mainly focusing on the two different\r\nbackdoors.\r\nKey points of the blogpost:\r\nESET researchers found archives with multiple Linux samples, containing two previously\r\nunknown backdoors.\r\nThe first backdoor, WolfsBane, is a Linux version of Gelsevirine, a Windows backdoor used by\r\nGelsemium.\r\nIts dropper is the equivalent of the Gelsemine dropper, and features a hider based on an open-source userland rootkit.\r\nThe second backdoor, which we have named FireWood, is connected to Project Wood. The\r\nWindows version of the Project Wood backdoor was previously used by the Gelsemium group in\r\nOperation TooHash.\r\nhttps://www.welivesecurity.com/en/eset-research/unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine/\r\nPage 1 of 16\n\nAlongside the backdoors, we found additional tools, mainly web shells based on publicly\r\navailable code.\r\nOverview\r\nIn 2023, we found these samples in archives uploaded to VirusTotal from Taiwan, the Philippines, and Singapore,\r\nprobably originating from an incident response on a compromised server. Gelsemium has previously targeted\r\nentities in Eastern Asia and the Middle East.\r\nThe first backdoor is part of a simple loading chain consisting of the dropper, launcher, and backdoor. We named\r\nthis malware WolfsBane. 
As explained in the Attribution and connection and Technical analysis sections,\r\nWolfsBane is a Linux equivalent of Gelsemium’s Gelsevirine backdoor and the WolfsBane dropper is analogous\r\nto the Gelsemine dropper. Our name for Gelsemium comes from one possible translation of the name we found in\r\nthe report from VenusTech, who dubbed the group 狼毒草. It’s the name of a genus of flowering plants in the\r\nfamily Gelsemiaceae, and Gelsemium elegans is the species that contains toxic compounds like Gelsemine,\r\nGelsenicine, and Gelsevirine, which we chose as names for the three components of this malware family. We\r\npreviously analyzed Gelsevirine and Gelsemine in this white paper. Part of the analyzed WolfsBane attack chain is\r\nalso a modified open-source userland rootkit, a type of software that exists in the user space of an operating\r\nsystem and hides its activities.\r\nThe second backdoor, which we named FireWood, is connected to a backdoor tracked by ESET researchers under\r\nthe name Project Wood, previously analyzed in the Project Wood section of this blogpost. 
We have traced it back\r\nto 2005 and observed it evolving into more sophisticated versions.\r\nThe archives we analyzed also contain several additional tools, mostly webshells, which give a remote user control of a\r\ncompromised server once they are installed, and simple utility tools.\r\nAttribution and connection\r\nIn this section, we explain the similarities that led us to attribute the WolfsBane malware to the Gelsemium APT\r\ngroup and establish a connection between the FireWood backdoor and the Project Wood malware.\r\nWolfsBane links to Windows Gelsevirine\r\nBased on the following similarities, we assess that the WolfsBane backdoor is the Linux version of Gelsevirine.\r\nTherefore, we attribute WolfsBane to the Gelsemium APT group with high confidence:\r\nCustom libraries for network communication: Both the Linux and Windows versions load an embedded\r\ncustom library for network communication, with a different library for each communication protocol used.\r\nThe backdoor accesses the library’s functions by calling its create_seesion export/symbol; notably, the typo\r\nseesion is the same in both versions (as shown in Figure 1).\r\nFigure 1. Accessing the create_seesion export in Linux (left) and Windows (right) versions of the\r\nbackdoor\r\nCommand execution mechanism: Both versions use the same mechanism for executing commands\r\nreceived from the C\u0026C server. The backdoor creates a table with hashes (derived from the command\r\nname) and corresponding pointers to functions that handle those commands (Figure 2). We provide more\r\ndetails in the Technical analysis section.\r\nFigure 2. Comparison of plugin command names found in the Linux WolfsBane (left) and Windows\r\nGelsevirine (right) backdoors\r\nConfiguration structure: Both backdoors use a very similar configuration structure. 
While the Linux\r\nversion has some omitted fields and some extra ones, most of the field names are consistent. For example,\r\nthe value of pluginkey found in the configuration is the same as in all Windows Gelsevirine samples from\r\n2019. Additionally, the controller_version values in the Linux version configuration match those in the\r\nGelsevirine samples.\r\nDomain Usage: The domain dsdsei[.]com, used by the Linux version, was previously flagged by ESET\r\nresearchers as an indicator of compromise (IoC) associated with the Gelsemium APT group.\r\nFireWood connection to Project Wood\r\nWe have found code similarities between the FireWood sample and the backdoor used in Operation TooHash\r\n(SHA-1: ED5342D9788392C6E854AAEFA655C4D3B4831B6B), as described by G DATA, who consider it to be\r\na part of the DirectsX rootkit. ESET researchers later named this backdoor Project Wood. Those similarities\r\ninclude:\r\nNaming conventions: Both use the \"Wood\" string in naming. For example, the FireWood backdoor\r\nconfiguration structure is referenced by the symbol WoodConf, and Win32 versions use the mutex name\r\nIMPROVING CLIENT Want Wood To Exit?.\r\nFile extensions: Both samples share specific filename extensions such as .k2 and .v2.\r\nTEA encryption algorithm: The implementation of the TEA encryption algorithm with a variable number\r\nof rounds is the same in both samples.\r\nC\u0026C communication strings: Both samples use the same strings in the code responsible for C\u0026C\r\ncommunications, XORed with the same single-byte key (0x26).\r\nNetworking code: The networking code in both samples is very similar.\r\nBased on these findings, we assess with high confidence that the FireWood backdoor is the Linux continuation of\r\nthe Project Wood backdoor. 
A connection between the FireWood backdoor and other Gelsemium tools cannot be\r\nproven and its presence in the archives analyzed could be coincidental. So, we make our attribution to Gelsemium\r\nonly with low confidence and acknowledge the possibility that it is a tool shared by multiple Chinese APT groups,\r\nperhaps through a common digital quartermaster as we have seen with other China-aligned groups.\r\nTechnical analysis\r\nThe first archive was uploaded to VirusTotal on March 6th, 2023, from Taiwan. Subsequent archives were\r\nalso uploaded from the Philippines and Singapore. Based on the folder structure (Figure 3), the target was\r\nprobably an Apache Tomcat webserver running an unidentified Java web application.\r\nFigure 3. Example of archive structure\r\nInitial access\r\nAlthough we lack concrete evidence regarding the initial access vector, based on the presence of multiple webshells (as\r\nshown in Table 1 and described in the Webshells section) and on the tactics, techniques, and procedures (TTPs) used\r\nby the Gelsemium APT group in recent years, we conclude with medium confidence that the attackers exploited\r\nan unknown web application vulnerability to gain server access.\r\nTable 1. Webshells found in analyzed archives\r\nSHA-1 Filename Description\r\n238C8E8EB7A732D85D8A7F7CA40B261D8AE4183D login.jsp Modified AntSword JSP webshell.\r\n9F7790524BD759373AB57EE2AAFA6F5D8BCB918A yy1.jsp icesword webshell.\r\nFD601A54BC622C041DF0242662964A7ED31C6B9C a.jsp Obfuscated JSP webshell.\r\nToolset\r\nWolfsBane\r\nWolfsBane components and chain of execution are depicted in Figure 4.\r\nFigure 4. 
WolfsBane execution chain\r\nStage 1: WolfsBane dropper\r\nThe dropper for WolfsBane was found in a file named cron, mimicking the legitimate command scheduling tool.\r\nUpon execution, it first places the launcher and the primary backdoor in the $HOME/.Xl1 hidden directory (note\r\nthe use of the letter l), created by the dropper. The directory is most likely deliberately named to resemble X11 – a\r\ncommonly used folder name in the X Window System.\r\nThe dropper then establishes persistence based on the system’s configuration and execution context:\r\nIf executed as root:\r\nChecks for the presence of the systemd suite.\r\nIf systemd is present, writes the file /lib/systemd/system/display-managerd.service with the path to the next\r\nstage (WolfsBane launcher) as the ExecStart entry (see Figure 5). This ensures the launcher runs as a\r\nsystem service, because .service files in this folder are parsed during system startup.\r\nDisables the SELinux security module by changing the SELINUX entry in the SELinux configuration file\r\nfrom enforcing to disabled.\r\n[Unit]\r\nDescription=Display-Manager\r\n[Service]\r\nType=simple\r\nExecStart=\u003cPATH_TO_LAUNCHER_EXECUTABLE\u003e\r\n[Install]\r\nWantedBy=multi-user.target\r\nFigure 5. Content of the display-managerd.service file\r\nIf systemd is not present, the dropper writes a simple bash script that executes the launcher (Figure 6), to a file\r\nnamed S60dlump into all rc[1-5].d startup folders.\r\n#!/bin/bash\r\n/usr/bin/.Xl1/kde\r\nFigure 6. 
Script executing WolfsBane launcher\r\nIf executed as an unprivileged user on a Debian-based system, it:\r\nwrites a similar bash script to the profile.sh file, and\r\nadds the command /home/www/.profile.sh 2\u003e/dev/null to .bashrc and .profile files in the user’s home\r\nfolder, ensuring that the WolfsBane launcher starts automatically after the victim logs in.\r\nFor other Linux distributions it creates the same profile.sh file but adds its path only to .bashrc.\r\nAdditionally, if the dropper is executed with root privileges, it drops the WolfsBane Hider rootkit as\r\n/usr/lib/libselinux.so and adds this path to /etc/ld.so.preload, ensuring that the rootkit library loads into all\r\nprocesses.\r\nFinally, the dropper removes itself from the disk and executes the next stage – the launcher.\r\nStage 2: WolfsBane launcher\r\nA small binary named kde, disguised as a legitimate KDE desktop component to avoid detection, is used to maintain\r\npersistence. Regardless of the persistence method, the aim is to execute this binary, whose main function is to parse\r\nits embedded configuration and initiate the next stage – the WolfsBane backdoor – from the file specified in the\r\nconfiguration.\r\nStage 3: WolfsBane backdoor\r\nThe WolfsBane backdoor, stored in a file named udevd, begins by loading an embedded library and calling its\r\nmain_session export, which contains the main backdoor functionalities. This library, named by its authors as\r\nlibMainPlugin.so, is analogous to the MainPlugin.dll used in the Windows version of the Gelsevirine backdoor.\r\nSimilar to its Windows version, the WolfsBane backdoor uses other embedded libraries for network\r\ncommunication. 
In the samples we’ve collected, they are named libUdp.so and libHttps.so, and both export the\r\nsymbol create_seesion (the spelling mistake is exactly the same as in the Windows version of the Gelsevirine TCP\r\nmodule). These shared libraries provide C\u0026C communications via UDP and HTTPS protocols, respectively.\r\nThe backdoor encrypts the libMainPlugin.so library using the RC4 algorithm (with the key obtained from the\r\npluginkey value in the configuration) and saves it to \u003cwork_directory\u003e/X1l/data/gphoto2. On subsequent\r\nexecutions, the backdoor first checks for this file: if it exists, the file is decrypted and loaded instead of the\r\nembedded libMainPlugin.so. This mechanism allows the backdoor to be updated by overwriting the file.\r\nThe WolfsBane backdoor uses a similar approach to its Windows counterpart for executing commands received\r\nfrom its C\u0026C server.\r\nWolfsBane Hider rootkit\r\nWolfsBane backdoor uses a modified open-source BEURK userland rootkit to hide its activities. Located in\r\n/usr/lib/libselinux.so, this rootkit abuses the operating system’s preload mechanism to load into new processes\r\nbefore other libraries by adding its path to the /etc/ld.so.preload file, thus enabling its functions to hook the\r\noriginal ones.\r\nThe WolfsBane Hider rootkit hooks many basic standard C library functions such as open, stat, readdir, and\r\naccess. While these hooked functions invoke the original ones, they filter out any results related to the WolfsBane\r\nmalware. Unlike the original BEURK rootkit, which uses an embedded configuration file for filtering, the\r\nWolfsBane developers retained the default configuration but modified the source code to exclude information\r\nrelated to the hardcoded filenames of the malware executables udevd and kde. 
Additionally, the original BEURK\r\nrootkit’s network traffic-hiding features are absent.\r\nFireWood backdoor\r\nThe FireWood backdoor, in a file named dbus, is the Linux OS continuation of the Project Wood malware, as\r\nnoted in the Attribution and connection section. The analyzed code suggests that the file usbdev.ko is a kernel\r\ndriver module working as a rootkit to hide processes. The FireWood backdoor communicates with the kernel\r\ndriver using the Netlink protocol.\r\nFireWood uses a configuration file named kdeinit that is XOR encrypted with the single-byte key 0x26. The\r\nconfiguration file’s structure is detailed in Table 2.\r\nTable 2. Selected offsets and their corresponding values from the FireWood backdoor configuration file\r\nOffset Value Meaning\r\n0x00 20190531110402 Unknown timestamp.\r\n0x28 AAAAAAAAAA Placeholder for backdoor working directory.\r\n0x3C 0.0.0.0 C\u0026C IP address (if 0.0.0.0, the backdoor uses the C\u0026C domain).\r\n0x66 asidomain[.]com C\u0026C domain.\r\n0xCC [scsi_eh_7] Spoofed process name.\r\n0x164 0x072BA1E6 TEA encryption key.\r\n0x1E0 4 Connection day (backdoor connects every fourth day of the month).\r\n0x1E4 5 Delay time.\r\n0x1E8 0x0474 Connection time (in minutes).\r\nFireWood renames its process based on the value in the configuration.\r\nTo establish persistence on the system, it creates a file named /.config/autostart/gnome-control.desktop. During\r\nstartup, all files with a .desktop extension in the /.config/autostart/ directory are parsed, and any commands listed\r\nin the Exec entry are executed. 
The contents of the gnome-control.desktop file can be seen in Figure 7.\r\n[Desktop Entry]\r\nType=Application\r\nExec=\u003cPATH/TO/OWN/EXECUTABLE\u003e\r\nHidden=false\r\nNoDisplay=false\r\nX-GNOME-Autostart-enabled=true\r\nName[en_US]=gnome-calculator\r\nName=gnome-control\r\nComment[en_US]=\r\nFigure 7. Contents of the gnome-control.desktop file used for persistence by the FireWood backdoor\r\nFireWood communicates with its C\u0026C server via TCP, as specified in its configuration. All data is encrypted using\r\nthe TEA encryption algorithm with a variable number of rounds. The encryption key and number of rounds are\r\nprovided in the FireWood configuration file, as shown in Table 2.\r\nThe structure of sent and received messages is shown in Figure 8. The outcome of executing a command varies\r\ndepending on the command type, but typically, 0x10181 indicates success, while 0x10180 denotes an error.\r\nstruct data{\r\n DWORD commandID_or_return_code_value;\r\n BYTE data[];\r\n}\r\nFigure 8. Data structure for C\u0026C communications used by the FireWood backdoor\r\nThis backdoor is capable of executing several commands, as described in Table 3.\r\nTable 3. 
FireWood backdoor commands\r\nCommand ID Description\r\n0x105 Download an executable file from the C\u0026C to \u003cPATH\u003e/tmpWood and execute it with the ‑UPDATE parameter.\r\n0x110 Execute a shell command using the popen function.\r\n0x111 Change connection time value in the configuration.\r\n0x112 Hide a process using the usbdev.ko kernel module.\r\n0x113 Change delay time in configuration.\r\n0x114 Change connection day value in configuration.\r\n0x132 Clean up and exit.\r\n0x181 List contents of the specified directory.\r\n0x182 Exfiltrate specified file to C\u0026C server.\r\n0x183 Delete specified file.\r\n0x184 Rename specified file.\r\n0x185 Execute specified file using the system function.\r\n0x186 Download file from C\u0026C server.\r\n0x189 Exfiltrate specified folder to C\u0026C server.\r\n0x193 Load specified kernel module or shared library.\r\n0x194 Unload specified kernel module or shared library.\r\n0x19F Modify specified file timestamp.\r\n0x200 Delete specified directory.\r\n0x201 Read content of the specified file and send it to the C\u0026C server.\r\n0x1018F Search for the specified file in the folder defined in the command.\r\nOther tools\r\nWe discovered two additional tools in the archives, which could be related to Gelsemium activity: the SSH\r\npassword stealer and a small privilege escalation tool.\r\nThe SSH password stealer is an SSH client based on the open-source OpenSSH software, modified to collect\r\nusers’ SSH credentials necessary for authenticating the user’s access to a server. The adversaries replaced the\r\noriginal SSH client binary in /usr/bin/ssh with a trojanized version. 
While it functions as a normal SSH client, it\r\nsaves all login data in the format \u003cUSERNAME\u003e@\u003cHOST\u003e\\t\u003cPASSWORD\u003e into the file /tmp/zijtkldse.tmp.\r\nThe privilege escalation tool is a small binary, named ccc, that simply escalates user privileges by setting the UID and\r\nGID of the execution context to 0 and executes a program at a path received as an argument. To perform this\r\ntechnique, the user must have root privileges to add the SUID permission to this executable in advance, making it a\r\ntool for maintaining privileges rather than for obtaining them.\r\nWebshells\r\nThe login.jsp is a modified AntSword JSP webshell that executes Java bytecode from attackers. The payload, a\r\nJava class file, is base64 encoded in the tiger parameter of an HTTP POST request. The original webshell also\r\nsupports remote terminal, file operations, and database operations.\r\nThe yy1.jsp webshell, which we identified as icesword JSP, is sourced from internet forums, primarily those in\r\nChinese. The icesword JSP webshell features a complete graphical user interface within its server-side code,\r\nallowing it to render a GUI in the attacker’s browser. It is not obfuscated and collects system information,\r\nexecutes system commands, and performs file operations. It also connects to SQL databases on the compromised\r\nhost and executes SQL queries.\r\nThe a.jsp webshell, similar to login.jsp but obfuscated, carries a binary Java payload that is AES encrypted with\r\nthe key 6438B9BD2AB3C40A and then base64 encoded. The payload is provided in the Tas9er parameter. The\r\nobfuscation includes garbage comments, \\u-escaped Unicode strings (which are harder to read), and random\r\nstring variables and function names. 
The result, base64 encoded and inserted into the string\r\n1F2551A37335B564\u003cbase64_encoded_result\u003e8EF53BE997851B95, is sent to the attackers in the response body.\r\nConclusion\r\nThis report describes the Linux malware toolset and its connections with Windows malware samples utilized by\r\nthe Gelsemium APT group. We have focused on the capabilities of the WolfsBane and FireWood backdoors, and analyzed\r\nthe WolfsBane execution chain and its utilization of the userland rootkit. This is the first public report documenting\r\nGelsemium’s use of Linux malware, marking a notable shift in their operational strategy.\r\nThe trend of malware shifting towards Linux systems seems to be on the rise in the APT ecosystem. From our\r\nperspective, this development can be attributed to several advancements in email and endpoint security. The ever-increasing adoption of EDR solutions, along with Microsoft’s default strategy of disabling VBA macros, is\r\nleading to a scenario where adversaries are being forced to look for other potential avenues of attack.\r\nAs a result, the vulnerabilities present in internet-facing infrastructure, particularly those systems that are Linux-based, are becoming increasingly targeted. This means that these Linux systems are becoming the new preferred\r\ntargets for these adversaries.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at\r\nthreatintel@eset.com. \r\nESET Research offers private APT intelligence reports and data feeds. 
For any inquiries about this\r\nservice, visit the ESET Threat Intelligence page.\r\nIoCs\r\nA comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.\r\nNetwork\r\nIP Domain Hosting provider First seen Details\r\nN/A dsdsei[.]com N/A 2020-08-16 WolfsBane backdoor C\u0026C server.\r\nN/A asidomain[.]com N/A 2022-01-26 FireWood backdoor C\u0026C server.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 15 of the MITRE ATT\u0026CK framework.\r\nTactic ID Name Description\r\nResource Development T1583.001 Acquire Infrastructure: Domains Gelsemium has registered domains through commercial providers.\r\nResource Development T1583.004 Acquire Infrastructure: Server Gelsemium most likely acquires VPS from commercial providers.\r\nResource Development T1587.001 Develop Capabilities: Malware Gelsemium develops its own custom malware.\r\nExecution T1059.004 Command-Line Interface: Unix Shell Gelsemium malware is capable of executing Linux shell commands.\r\nPersistence T1037.004 Boot or Logon Initialization Scripts: RC Scripts The WolfsBane launcher remains persistent on the system by using RC startup scripts.\r\nPersistence T1543.002 Create or Modify System Process: Systemd Service The WolfsBane dropper can create a new system service for persistence.\r\nPersistence T1574.006 Hijack Execution Flow: Dynamic Linker Hijacking The WolfsBane Hider rootkit abuses the ld.so.preload preload technique.\r\nPersistence T1547.013 Boot or Logon Autostart Execution: XDG Autostart Entries The FireWood backdoor persists on the system by creating the gnome-control.desktop autostart file.\r\nPrivilege Escalation T1546.004 Event Triggered Execution: .bash_profile and .bashrc The WolfsBane dropper tampers with various shell configuration files to achieve persistence.\r\nPrivilege Escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid Gelsemium uses a simple tool abusing setuid and setgid for keeping escalated privileges.\r\nDefense Evasion T1070.004 Indicator Removal: File Deletion The WolfsBane dropper removes itself.\r\nDefense Evasion T1070.006 Indicator Removal: Timestomp The FireWood backdoor has a command for modifying the MAC time of files.\r\nDefense Evasion T1070.009 Indicator Removal: Clear Persistence The WolfsBane dropper removes itself from disk.\r\nDefense Evasion T1564.001 Hide Artifacts: Hidden Files and Directories Both the WolfsBane and FireWood backdoors are located/installed in hidden folders.\r\nDefense Evasion T1222.002 File Permissions Modification: Linux and Mac File and Directory Permissions Modification The WolfsBane dropper uses Linux chmod commands to modify permissions of dropped executables.\r\nDefense Evasion T1027.009 Obfuscated Files or Information: Embedded Payloads The WolfsBane dropper has all its payloads compressed and embedded.\r\nDefense Evasion T1014 Rootkit Both WolfsBane and FireWood malware utilize rootkits for evasion.\r\nDefense Evasion T1036.005 Masquerading: Match Legitimate Name or Location Gelsemium often names its malware to match legitimate files and folders.\r\nDiscovery T1082 System Information Discovery The WolfsBane dropper enumerates system information.\r\nDiscovery T1083 File and Directory Discovery The FireWood backdoor is capable of searching in the machine file system for specified files and folders.\r\nCollection T1056 Input Capture The SSH password stealer captures user credentials.\r\nExfiltration T1041 Exfiltration Over C2 Channel The FireWood backdoor exfiltrates collected data utilizing C\u0026C communications.\r\nSource: https://www.welivesecurity.com/en/eset-research/unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine/"
	],
	"report_names": [
		"unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine"
	],
	"threat_actors": [
		{
			"id": "2d4d2356-8f9e-464d-afc6-2403ce8cf424",
			"created_at": "2023-01-06T13:46:39.290101Z",
			"updated_at": "2026-04-10T02:00:03.275981Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"狼毒草"
			],
			"source_name": "MISPGALAXY:Gelsemium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77874718-7ad2-4d15-9831-10935ab9bcbe",
			"created_at": "2022-10-25T15:50:23.619911Z",
			"updated_at": "2026-04-10T02:00:05.349462Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Gelsemium"
			],
			"source_name": "MITRE:Gelsemium",
			"tools": [
				"Gelsemium",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b5550c4e-943a-45ea-bf67-875b989ee4c4",
			"created_at": "2022-10-25T16:07:23.675771Z",
			"updated_at": "2026-04-10T02:00:04.707782Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Operation NightScout",
				"Operation TooHash"
			],
			"source_name": "ETDA:Gelsemium",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"Chrommme",
				"Cobalt Strike",
				"CobaltStrike",
				"FireWood",
				"Gelsemine",
				"Gelsenicine",
				"Gelsevirine",
				"JuicyPotato",
				"OwlProxy",
				"Owowa",
				"SAMRID",
				"SessionManager",
				"SinoChopper",
				"SpoolFool",
				"SweetPotato",
				"WolfsBane",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434502,
	"ts_updated_at": 1775791636,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ad6740045c5dc9af006d2517ce6f8b17bda5a79d.pdf",
		"text": "https://archive.orkl.eu/ad6740045c5dc9af006d2517ce6f8b17bda5a79d.txt",
		"img": "https://archive.orkl.eu/ad6740045c5dc9af006d2517ce6f8b17bda5a79d.jpg"
	}
}