A China-based advanced persistent threat (APT) group, Gelsemium, has been linked to two Linux malware families — WolfsBane and FireWood — capable of stealing sensitive data, maintaining stealthy access, and executing remote commands. This marks the first known instance of the group employing Linux malware, signalling a growing focus on exploiting vulnerabilities in widely used Linux-based systems.
Researchers have identified WolfsBane as the Linux counterpart of Gelsemium’s well-known Gelsevirine malware. They also found that both Windows and Linux variants use identical approaches for handling commands from command-and-control (C&C) servers. For instance, experts found overlapping field names and consistent values, such as ‘pluginkey’ and ‘controller_version.’
Researchers also found the shared domain ‘dsdesi[.]com’, which has been flagged as an indicator of compromise (IoC) for Gelsemium.
WolfsBane is delivered through a three-stage attack chain consisting of a dropper, a launcher, and a backdoor. The malware hides its presence with a modified open-source rootkit while maintaining persistence on infected systems. Its design reflects the group’s sophistication, with custom libraries for network communication and encryption mechanisms similar to those of its Windows predecessor.
The dropper writes the hidden components to disk, establishes persistence, and disables security controls such as SELinux. The launcher masquerades as a legitimate KDE component and starts the backdoor. Finally, the backdoor handles C&C communication, encrypts critical payloads, and evades detection through a modified userland rootkit.
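The three behaviours described above (SELinux turned off, a userland rootkit hooked into every process, and a launcher borrowing a KDE process name) each leave a trace a defender can check for. The script below is an added triage example written for this article, not code from the researchers or from the malware; the file contents and process listing it inspects are constructed here so it runs offline, and the suspicious paths in them are placeholders, not real indicators of compromise.

```shell
#!/bin/sh
# Added example: host triage for the WolfsBane behaviours described in the
# article. All sample data below is constructed for the demo; on a live host,
# point the functions at /etc/selinux/config and /etc/ld.so.preload and feed
# kde_masquerade() real "pid exe comm" lines built from /proc.

# Returns 0 if an /etc/selinux/config-style file sets SELinux to disabled or
# permissive (comment lines are ignored).
selinux_weakened() {
    grep -Eq '^[[:space:]]*SELINUX=(disabled|permissive)' "$1"
}

# Prints every library in an ld.so.preload-style file that is not under a
# standard system library directory. Userland rootkits commonly persist by
# adding their shared object here so the dynamic linker loads it into every
# process on the system.
preload_outliers() {
    [ -f "$1" ] || return 0
    grep -Ev '^[[:space:]]*(#|$)' "$1" | while read -r lib; do
        case "$lib" in
            /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*) ;;
            *) printf '%s\n' "$lib" ;;
        esac
    done
}

# Reads "pid exe comm" lines on stdin and prints those whose command name is a
# KDE component name but whose executable lives outside the usual binary
# directories, i.e. a launcher masquerading as KDE rather than KDE itself.
kde_masquerade() {
    while read -r pid exe comm; do
        case "$comm" in
            kdeinit*|kded*|ksmserver)
                case "$exe" in
                    /usr/bin/*|/usr/lib/*|/usr/lib64/*|/usr/libexec/*) ;;
                    *) printf '%s %s %s\n' "$pid" "$exe" "$comm" ;;
                esac
                ;;
        esac
    done
}

# ---- constructed sample data (placeholders, not real IoCs) -----------------
DEMO_DIR=$(mktemp -d)

cat > "$DEMO_DIR/selinux_config" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=disabled
SELINUXTYPE=targeted
EOF

cat > "$DEMO_DIR/selinux_clean" <<'EOF'
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

cat > "$DEMO_DIR/ld.so.preload" <<'EOF'
/lib/x86_64-linux-gnu/libselinux.so.1
/usr/share/.config/libfix.so
EOF

PROC_SAMPLE='1201 /usr/bin/kdeinit5 kdeinit5
1337 /home/user/.cache/kdeinit kdeinit
2048 /usr/bin/bash bash'

# ---- stand-alone run -------------------------------------------------------
if selinux_weakened "$DEMO_DIR/selinux_config"; then
    echo "[!] SELinux is disabled or permissive in $DEMO_DIR/selinux_config"
fi
preload_outliers "$DEMO_DIR/ld.so.preload" | sed 's/^/[!] non-system preload: /'
printf '%s\n' "$PROC_SAMPLE" | kde_masquerade | sed 's/^/[!] KDE-named process outside system dirs: /'
```

On a live Linux host the process triples can be built with `readlink -f /proc/<pid>/exe` and the contents of `/proc/<pid>/comm`; a clean system should produce no `[!]` lines, and a hit on the preload or process checks is worth a closer look at the referenced file.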
In addition to WolfsBane, the backdoor FireWood has also been identified, albeit with less certainty of its connection to Gelsemium. FireWood appears to be a continuation of a long-running malware lineage known as Project Wood, dating back to 2005.
While its link to Gelsemium is less definitive, the backdoor’s advanced capabilities suggest it could be a part of a shared toolkit among multiple China-aligned hacking groups.
FireWood is equipped to exfiltrate files, execute remote commands, and modify system configurations, reinforcing its role in sustained cyberespionage campaigns.
Researchers believe the tools discovered indicate a broader trend in the APT ecosystem: an increased focus on Linux-based systems. As security measures for Windows platforms have advanced — such as the widespread adoption of endpoint detection and response (EDR) tools and disabling Visual Basic for Applications (VBA) macros — attackers are exploring other avenues.
Experts uncovered evidence suggesting the Gelsemium group accessed its targets through vulnerabilities in web applications. Malware archives uploaded from Taiwan, the Philippines, and Singapore point to compromised servers running Apache Tomcat. These findings align with the group’s historical targeting of entities across East Asia and the Middle East, further highlighting its focus on high-value intelligence operations.
“The trend of malware shifting towards Linux systems seems to be on the rise in the APT ecosystem. From our perspective, this development can be attributed to several advancements in email and endpoint security,” researchers concluded. “The ever-increasing adoption of EDR solutions, along with Microsoft’s default strategy of disabling VBA macros, are leading to a scenario where adversaries are being forced to look for other potential avenues of attack.”