Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine
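<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="canonical" href="https://www.welivesecurity.com/en/eset-research/unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine/">
  <title>Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine</title>
  <meta name="description" content="ESET researchers analyzed previously unknown Linux backdoors that are connected to known Windows malware used by the China-aligned Gelsemium group, as well as to Project Wood.">
  <meta name="robots" content="index, follow, max-image-preview:large, max-video-preview:-1">
  <meta property="og:type" content="article">
  <meta property="og:image" content="https://web-assets.esetstatic.com/wls/2024/11-2024/wolfsbane/wolfsbane-gelsemium-gelsevirine-linux.jpeg">
  <meta property="og:title" content="Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine">
  <meta property="og:description" content="ESET researchers analyzed previously unknown Linux backdoors that are connected to known Windows malware used by the China-aligned Gelsemium group, as well as to Project Wood.">
  <meta name="twitter:title" content="Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine">
  <!-- Preloading resources. Font preloads carry crossorigin so the preload matches the CORS mode of the CSS font request; without it the preloaded bytes are discarded and fetched again. -->
  <link rel="preload" href="https://www.welivesecurity.com/build/assets/FedraSansAltPro-BookLF-405f3258.woff" as="font" type="font/woff" crossorigin>
  <link rel="preload" href="https://www.welivesecurity.com/build/assets/FedraSansAltPro-BoldLF-31f4bc72.woff" as="font" type="font/woff" crossorigin>
  <link rel="preload" href="https://www.welivesecurity.com/build/assets/FedraSansAltPro-DemiLF-8885b886.woff" as="font" type="font/woff" crossorigin>
  <link rel="preload" href="https://web-assets.esetstatic.com/tn/-x266/wls/2024/11-2024/wolfsbane/wolfsbane-gelsemium-gelsevirine-linux.jpeg" as="image" media="(max-width: 768px)">
  <link rel="preload" href="https://web-assets.esetstatic.com/tn/-x425/wls/2024/11-2024/wolfsbane/wolfsbane-gelsemium-gelsevirine-linux.jpeg" as="image" media="(min-width: 768.1px)">
  <link rel="modulepreload" href="https://www.welivesecurity.com/build/assets/article-header-995fa639.js">
  <script type="module" src="https://www.welivesecurity.com/build/assets/article-header-995fa639.js"></script>
  <!-- Classic (non-module) inline script: it executes during parsing, so this listener exists before the deferred module scripts below dispatch pageLoaded. Inline scripts like this one need a nonce or hash under a strict Content-Security-Policy. -->
  <script>
    window.addEventListener('pageLoaded', () => {
      window.dispatchEvent(new CustomEvent('postPageViewed', {
        detail: {
          'id': 18327,
          'publicationId': 30922,
          'name': 'Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine',
          'author': 'Viktor Šperka',
          'category': 'ESET Research',
          'section': null,
          'branch': 'en',
          'date': '2024/11/21'
        }
      }));
    });
  </script>
  <!-- Google Tag Manager. Module scripts are deferred and run in document order, so this listener is registered before the pageLoaded dispatch further down. gtm.js is requested over an explicit https: URL rather than a protocol-relative one, so it is never fetched over http: (or file:) when the page itself is loaded from such an origin. -->
  <script type="module">
    window.addEventListener("pageLoaded", () => {
      (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-PMDGSM');
    });
  </script>
  <!-- End Google Tag Manager -->
  <!-- Fires after both pageLoaded listeners above are registered (deferred module, document order). -->
  <script type="module">
    window.dispatchEvent(new CustomEvent("pageLoaded"));
  </script>
  <!-- Styles -->
  <link rel="preload" as="style" href="https://www.welivesecurity.com/build/assets/app-22f82615.css">
  <link rel="stylesheet" href="https://www.welivesecurity.com/build/assets/app-22f82615.css">
  <!-- Others. The JSON below is server-templated; its keys (including "is_pblic") are read by client code and are left exactly as emitted. -->
  <script>
    window.$current_language = JSON.parse('{"id":1,"code":"en","name":"English","is_pblic":true,"is_active":true,"is_default":true,"is_rtl":false}');
  </script>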
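</head>
<body>
  <!-- CDN-injected RUM/telemetry scripts (boomerang, Akamai plugin) that carried per-request client metadata were removed as site chrome, along with the navigation menus, inline logo SVGs, language picker and search widget. -->
  <!-- Google Tag Manager (noscript): only used when scripting is disabled. src is quoted and the frame has a title so assistive technology can name it. -->
  <noscript>
    <iframe src="https://www.googletagmanager.com/ns.html?id=GTM-PMDGSM" title="Google Tag Manager" height="0" width="0" style="display:none;visibility:hidden"></iframe>
  </noscript>
  <!-- End Google Tag Manager (noscript) -->
  <div id="app">
    <!-- navbar (reduced to the brand link and site tagline) -->
    <header id="wls-nav-header" class="wls-header navbar sticky-top navbar-expand-lg has-shadow">
      <div class="container first-line">
        <a class="header-brand" href="/en/" title="WeLiveSecurity">WeLiveSecurity</a>
        <p>Award-winning news, views, and insight from the ESET security community</p>
      </div>
    </header>
    <!-- main content -->
    <div id="main">
      <div class="container article-page py-5">
        <div class="row">
          <div class="col col-lg-8 pe-lg-0">
            <div class="article-header">
              <p class="category text-uppercase">ESET Research</p>
              <h1 class="page-headline">Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine</h1>
              <p class="sub-title">ESET researchers analyzed previously unknown Linux backdoors that are connected to known Windows malware used by the China-aligned Gelsemium group, and to Project Wood</p>
              <div class="article-authors d-flex flex-wrap">
                <div class="article-author d-flex">
                  <a href="/en/our-experts/viktor-sperka1/" title="Viktor Šperka">
                    <picture>
                      <source srcset="https://web-assets.esetstatic.com/tn/-x45/wls/2023/2023-8/viktor-1.jpeg" media="(max-width: 768px)">
                      <img class="author-image me-3" src="https://web-assets.esetstatic.com/tn/-x45/wls/2023/2023-8/viktor-1.jpeg" alt="Viktor Šperka">
                    </picture>
                  </a>
                  <div class="author-text">
                    <p><a href="/en/our-experts/viktor-sperka1/" title="Viktor Šperka"><b>Viktor Šperka</b></a></p>
                  </div>
                </div>
              </div>
              <!-- Publication date wrapped in <time> for a machine-readable value; the span is kept so existing styling still applies. -->
              <p class="article-info mb-5">
                <span><time datetime="2024-11-21">21 Nov 2024</time></span>
                <span class="d-none d-lg-inline"> • </span>
                <span class="d-inline d-lg-none">, </span>
                <span>18 min.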
read</span> </p> <div class="hero-image-container"> <picture><source srcset="https://web-assets.esetstatic.com/tn/-x266/wls/2024/11-2024/wolfsbane/wolfsbane-gelsemium-gelsevirine-linux.jpeg" media="(max-width: 768px)" /><source srcset="https://web-assets.esetstatic.com/tn/-x425/wls/2024/11-2024/wolfsbane/wolfsbane-gelsemium-gelsevirine-linux.jpeg" media="(max-width: 1120px)" /><img class="hero-image" src="https://web-assets.esetstatic.com/tn/-x700/wls/2024/11-2024/wolfsbane/wolfsbane-gelsemium-gelsevirine-linux.jpeg" alt="Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine" /></picture> </div> </div> <div class="article-body"> <p>ESET researchers have identified multiple samples of Linux backdoor, which we have named WolfsBane, that we attribute with high confidence to the Gelsemium advanced persistent threat (APT) group. This China-aligned threat actor has a known history dating back to 2014 and until now, there have been no public reports of Gelsemium using Linux malware. Additionally, we discovered another Linux backdoor, which we named FireWood. However, we cannot definitively link FireWood to other Gelsemium tools, and its presence in the analyzed archives might be coincidental. Thus, we attribute FireWood to Gelsemium with low confidence, considering it could be a tool shared among multiple China-aligned APT groups.</p> <p>The most notable samples we found in archives uploaded to VirusTotal are two backdoors resembling known Windows malware used by Gelsemium. WolfsBane is the Linux counterpart of Gelsevirine, while FireWood is connected to Project Wood. We also discovered other tools potentially related to Gelsemium’s activities. The goal of the backdoors and tools discovered is cyberespionage targeting sensitive data such as system information, user credentials, and specific files and directories. 
These tools are designed to maintain persistent access and execute commands stealthily, enabling prolonged intelligence gathering while evading detection.</p> <p>The trend of APT groups focusing on Linux malware is becoming more noticeable. We believe this shift is due to improvements in Windows email and endpoint security, such as the widespread use of endpoint detection and response (EDR) tools and Microsoft’s decision to disable Visual Basic for Applications (VBA) macros by default. Consequently, threat actors are exploring new attack avenues, with a growing focus on exploiting vulnerabilities in internet-facing systems, most of which run on Linux.</p> <p>In this blogpost, we provide technical analysis of the Linux malware, mainly focusing on the two different backdoors.</p> <blockquote> <div><strong>Key points of the blogpost:</strong></div> <ul> <li>ESET researchers found archives with multiple Linux samples, containing two previously unknown backdoors.</li> <li>The first backdoor, WolfsBane, is a Linux version of Gelsevirine, a Windows backdoor used by Gelsemium.</li> <li>Its dropper is the equivalent of the Gelsemine dropper, and features a hider based on an open-source userland rootkit.</li> <li>The second backdoor, which we have named FireWood, is connected to Project Wood. The Windows version of the Project Wood backdoor was previously used by the Gelsemium group in Operation TooHash.</li> <li>Alongside the backdoors, we found additional tools, mainly web shells based on publicly available code.</li> </ul> </blockquote> <h2>Overview</h2> <p>In 2023, we found these samples in archives uploaded to VirusTotal from Taiwan, the Philippines, and Singapore, probably originating from an incident response on a compromised server. 
Gelsemium has <a href="https://www.welivesecurity.com/2021/06/09/gelsemium-when-threat-actors-go-gardening/" target="_blank" rel="noopener">previously</a> targeted entities in Eastern Asia and the Middle East.</p> <p>The first backdoor is a part of a simple loading chain consisting of the dropper, launcher, and backdoor. We named this malware WolfsBane. As explained in the <a href="#Attribution and connection"><em>Attribution and connection</em></a> and <em><a href="#Technical analysis">Technical analysis</a></em> sections, WolfsBane is a Linux equivalent of Gelsemium’s Gelsevirine backdoor and the WolfsBane dropper is analogous to the Gelsemine dropper. Our name for Gelsemium comes from one possible translation of the name we found in the report from <a href="https://www.venustech.com.cn/uploads/2018/08/231401512426.pdf" target="_blank" rel="noopener">VenusTech</a>, who dubbed the group 狼毒草. It’s the name of a genus of flowering plants in the family Gelsemiaceae, and <em>Gelsemium elegans</em> is the species that contains toxic compounds like Gelsemine, Gelsenicine, and Gelsevirine, which we chose as names for the three components of this malware family. We previously analyzed Gelsevirine and Gelsemine in <a href="https://web-assets.esetstatic.com/wls/2021/06/eset_gelsemium.pdf" target="_blank" rel="noopener">this white paper</a>. Part of the analyzed WolfsBane attack chain is also a modified open-source userland rootkit, a type of software that exists in the user space of an operating system and hides its activities.</p> <p>The second backdoor, which we named FireWood, is connected to a backdoor tracked by ESET researchers under the name Project Wood, previously analyzed in the <em>Project Wood</em> section of <a href="https://www.welivesecurity.com/en/eset-research/nspx30-sophisticated-aitm-enabled-implant-evolving-since-2005/" target="_blank" rel="noopener">this blogpost</a>. 
We have traced it back to 2005 and observed it evolving into more sophisticated versions.</p> <p>The archives we analyzed also contain several additional tools, mostly webshells, which give a remote user control over the compromised server once they are installed, along with simple utility tools.</p> <h2>Attribution and connection<a id="Attribution and connection"></a></h2> <p>In this section, we explain the similarities that led us to attribute the WolfsBane malware to the Gelsemium APT group and establish a connection between the FireWood backdoor and the Project Wood malware.</p> <h3>WolfsBane links to Windows Gelsevirine</h3> <p>Based on the following similarities, we assess that the WolfsBane backdoor is the Linux version of <a href="https://www.welivesecurity.com/2021/06/09/gelsemium-when-threat-actors-go-gardening/" target="_blank" rel="noopener">Gelsevirine</a>. Therefore, we attribute WolfsBane to the Gelsemium APT group with high confidence:</p> <ul> <li><strong>Custom libraries for network communication:</strong> Both the Linux and Windows versions load an embedded custom library for network communication, with a different library for each communication protocol used. The backdoor accesses the library’s functions by calling its <span style="font-family: courier new, courier, monospace;">create_seesion</span> export/symbol; notably, the typo <span style="font-family: courier new, courier, monospace;">seesion</span> is the same in both versions (as shown in Figure 1).</li> </ul> <figure class="image"><img title="Figure 1. Accessing the create_seesion export in Linux (left) and Windows (right) versions of backdoor" src="https://web-assets.esetstatic.com/wls/2024/11-2024/wolfsbane/figure-1.jpeg" alt="Figure 1. Accessing the create_seesion export in Linux and Windows versions of backdoor" width="" height="" /> <figcaption><em>Figure 1. 
Accessing the </em><span style="font-family: courier new, courier, monospace;">create_seesion</span><em> export in Linux (left) and Windows (right) versions of backdoor</em></figcaption> </figure> <ul> <li><strong>Command execution mechanism:</strong> Both versions use the same mechanism for executing commands received from the C&C server. The backdoor creates a table with hashes (derived from the command name) and corresponding pointers to functions that handle those commands (Figure 2). We provide more details in the <em><a href="#Technical analysis">Technical analysis</a></em> section.</li> </ul> <figure class="image"><img title="Figure 2. Comparison of plugin command names found in the Linux Wolfsbane (left) and Windows Gelsevirine (right) backdoors" src="https://web-assets.esetstatic.com/wls/2024/11-2024/wolfsbane/figure-2.jpeg" alt="Figure 2. Comparison of plugin command names" width="" height="" /> <figcaption><em>Figure 2. Comparison of plugin command names found in the Linux Wolfsbane (left) and Windows Gelsevirine (right) backdoors</em></figcaption> </figure> <ul> <li><strong>Configuration structure:</strong> Both backdoors use a very similar configuration structure. While the Linux version has some omitted fields and some extra ones, most of the field names are consistent. For example, the value of <span style="font-family: courier new, courier, monospace;">pluginkey</span> found in the configuration is the same as in all Windows Gelsevirine samples from 2019. 
Additionally, the <span style="font-family: courier new, courier, monospace;">controller_version</span> values in the Linux version configuration match those in the Gelsevirine samples.</li> <li><strong>Domain Usage: </strong>The domain <span style="font-family: courier new, courier, monospace;">dsdsei[.]com</span>, used by the Linux version, was previously flagged by ESET researchers as an indicator of compromise (IoC) associated with the Gelsemium APT group.</li> </ul> <h3>FireWood connection to Project Wood</h3> <p>We have found code similarities between the FireWood sample and the backdoor used in Operation TooHash (SHA-1: <span style="font-family: courier new, courier, monospace;">ED5342D9788392C6E854AAEFA655C4D3B4831B6B</span>), as <a href="https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf" target="_blank" rel="noopener">described by G DATA</a>, who consider it to be a part of the DirectsX rootkit. ESET researchers later named this backdoor <a href="https://www.welivesecurity.com/en/eset-research/nspx30-sophisticated-aitm-enabled-implant-evolving-since-2005/" target="_blank" rel="noopener">Project Wood</a>. Those similarities include:</p> <ul> <li><strong>Naming conventions:</strong> Both use the "Wood" string in naming. 
For example, the FireWood backdoor configuration structure is referenced by the symbol <span style="font-family: courier new, courier, monospace;">WoodConf</span>, and Win32 versions use the mutex name <span style="font-family: courier new, courier, monospace;">IMPROVING CLIENT Want Wood To Exit?</span>.</li> <li><strong>File extensions:</strong> Both samples share specific filename extensions such as <span style="font-family: courier new, courier, monospace;">.k2</span> and <span style="font-family: courier new, courier, monospace;">.v2</span>.</li> <li><strong>TEA encryption algorithm:</strong> The implementation of the TEA encryption algorithm with a variable number of rounds is the same in both samples.</li> <li><strong>C&C communication strings:</strong> Both samples use the same strings in the code responsible for C&C communications, XORed with the same single-byte key (<span style="font-family: courier new, courier, monospace;">0x26</span>).</li> <li><strong>Networking code:</strong> The networking code in both samples is very similar.</li> </ul> <p>Based on these findings, we assess with high confidence that the FireWood backdoor is the Linux continuation of the Project Wood backdoor. A connection between the FireWood backdoor and other Gelsemium tools cannot be proven, and its presence in the analyzed archives could be coincidental. We therefore attribute it to Gelsemium only with low confidence and acknowledge the possibility that it is a tool shared by multiple Chinese APT groups, perhaps through a common digital quartermaster, as we have seen with other China-aligned groups.</p> <h2>Technical analysis<a id="Technical analysis"></a></h2> <p>The <a href="https://www.virustotal.com/gui/file/3aa8a5afa686e6b21fcc268760ea1f344560607abe9a3edb3f23d14a6032597b">first archive</a> was uploaded to VirusTotal on March 6<sup>th</sup>, 2023, from Taiwan. Subsequent archives were also uploaded from the Philippines and Singapore. 
Based on the folder structure (Figure 3), the target was probably an Apache Tomcat webserver running an unidentified Java web application.</p> <figure class="image"><img title="Figure 3. Example of archive structure" src="https://web-assets.esetstatic.com/wls/2024/11-2024/wolfsbane/figure-3-1.png" alt="Figure 3. Example of archive structure" width="" height="" /> <figcaption><em>Figure 3. Example of archive structure</em></figcaption> </figure> <h4>Initial access</h4> <p>Although we lack concrete evidence regarding the initial access vector, the presence of multiple webshells (as shown in Table 1 and described in the <em><a href="#Webshells">Webshells</a> </em>section) and the tactics, techniques, and procedures (TTPs) used by the Gelsemium APT group in recent years lead us to conclude with medium confidence that the attackers exploited an unknown web application vulnerability to gain server access.</p> <p style="text-align: center;"><em>Table 1. Webshells found in analyzed archives</em></p> <p><table border="1" width="642" cellspacing="0" cellpadding="0"> <thead> <tr> <td width="0"><strong>SHA-1</strong></td> <td width="0"><strong>Filename</strong></td> <td width="0"><strong>Description</strong></td> </tr> </thead> <tbody> <tr> <td width="0"><span style="font-family: courier new, courier, monospace;">238C8E8EB7A732D85D8A<wbr />7F7CA40B261D8AE4183D</span></td> <td width="0"><span style="font-family: courier new, courier, monospace;">login.jsp</span></td> <td width="0">Modified <a href="https://github.com/AntSwordProject/AntSword-JSP-Template/blob/master/web/shell.jsp" target="_blank" rel="noopener">AntSword JSP</a> webshell.</td> </tr> <tr> <td width="0"><span style="font-family: courier new, courier, monospace;">9F7790524BD759373AB5<wbr />7EE2AAFA6F5D8BCB918A</span></td> <td width="0"><span style="font-family: courier new, courier, monospace;">yy1.jsp</span></td> <td width="0"><a href="https://github.com/tennc/webshell/blob/master/jsp/icesword.jsp" target="_blank" 
rel="noopener">icesword</a> webshell.</td> </tr> <tr> <td width="0"><span style="font-family: courier new, courier, monospace;">FD601A54BC622C041DF0<wbr />242662964A7ED31C6B9C</span></td> <td width="0"><span style="font-family: courier new, courier, monospace;">a.jsp</span></td> <td width="0">Obfuscated JSP webshell.</td> </tr> </tbody> </table></p> <h3>Toolset</h3> <h4>WolfsBane</h4> <p>WolfsBane components and chain of execution are depicted in Figure 4.</p> <figure class="image"><img title="Figure 4. WolfsBane execution chain" src="https://web-assets.esetstatic.com/wls/2024/11-2024/wolfsbane/figure-4.jpeg" alt="Figure 4. WolfsBane execution chain" width="" height="" /> <figcaption><em>Figure 4. WolfsBane execution chain</em></figcaption> </figure> <h5>Stage 1: WolfsBane dropper</h5> <p>The dropper for WolfsBane was found in a file named <span style="font-family: courier new, courier, monospace;">cron</span>, mimicking the <a href="https://en.wikipedia.org/wiki/Cron">legitimate command scheduling tool</a>. Upon execution, it first places the launcher and the primary backdoor in the <span style="font-family: courier new, courier, monospace;">$HOME/.Xl1</span> hidden directory (note the use of the letter l), created by the dropper. 
The directory is most likely deliberately named to resemble X11 – a commonly used folder name in the <a href="https://en.wikipedia.org/wiki/X_Window_System">X Window System</a>.</p> <p>The dropper then establishes persistence based on the system’s configuration and execution context:</p> <p>If executed as <span style="font-family: courier new, courier, monospace;">root</span>:</p> <ul> <li>Checks for the presence of the <span style="font-family: courier new, courier, monospace;">systemd</span> suite.</li> <li>If <span style="font-family: courier new, courier, monospace;">systemd</span> is present, writes the file <span style="font-family: courier new, courier, monospace;">/lib/systemd/system/display-managerd.service</span> with the path to the next stage (WolfsBane launcher) as the <span style="font-family: courier new, courier, monospace;">ExecStart</span> entry (see Figure 5). This ensures the launcher runs as a system service, because <span style="font-family: courier new, courier, monospace;">.service</span> files in this folder are parsed during system startup.</li> <li>Disables the <a href="https://www.redhat.com/en/topics/linux/what-is-selinux">SELinux</a> security module by changing the <span style="font-family: courier new, courier, monospace;">SELINUX</span> entry in the SELinux configuration file from <span style="font-family: courier new, courier, monospace;">enforcing to disabled</span>.</li> </ul> <pre class="language-nginx"><code>[Unit] Description=Display-Manager [Service] Type=simple ExecStart=<PATH_TO_LAUNCHER_EXECUTABLE> [Install] WantedBy=multi-user.targetComment</code></pre> <p style="text-align: center;"><em>Figure 5. 
Content of the </em><span style="font-family: courier new, courier, monospace;">display-managerd.service</span><em> file</em></p> <p>If <span style="font-family: courier new, courier, monospace;">systemd</span> is not present, the dropper writes a simple bash script that executes the launcher (Figure 6) to a file named <span style="font-family: courier new, courier, monospace;">S60dlump</span> in all <span style="font-family: courier new, courier, monospace;">rc[1-5].d</span> startup folders.</p> <pre class="language-markup"><code>#!/bin/bash
/usr/bin/.Xl1/kde</code></pre> <p style="text-align: center;"><em>Figure 6. Script executing WolfsBane launcher</em></p> <p>If executed as an unprivileged user on a Debian-based system, it:</p> <ul> <li>writes a similar bash script to the <span style="font-family: courier new, courier, monospace;">profile.sh</span> file, and</li> <li>adds the command <span style="font-family: courier new, courier, monospace;">/home/www/.profile.sh 2>/dev/null</span> to the <span style="font-family: courier new, courier, monospace;">.bashrc</span> and <span style="font-family: courier new, courier, monospace;">.profile</span> files in the user’s home folder, ensuring that the Wolfsbane launcher starts automatically after the victim logs in.</li> </ul> <p>For other Linux distributions it creates the same <span style="font-family: courier new, courier, monospace;">profile.sh</span> file but adds its path only to <span style="font-family: courier new, courier, monospace;">.bashrc</span>.</p> <p>Additionally, if the dropper is executed with root privileges, it drops the WolfsBane Hider rootkit as <span style="font-family: courier new, courier, monospace;">/usr/lib/libselinux.so</span> and adds this library’s path to <span style="font-family: courier new, courier, monospace;">/etc/ld.so.preload</span>, ensuring that the rootkit library is loaded into all new processes.</p> <p>Finally, the dropper removes itself from the disk and executes the next stage – the 
launcher.</p> <h5>Stage 2: WolfsBane launcher</h5> <p>A small binary named <span style="font-family: courier new, courier, monospace;">kde</span> is used to maintain persistence; it is disguised as a legitimate <a href="https://en.wikipedia.org/wiki/KDE">KDE desktop component</a> to avoid detection. Regardless of which persistence method the dropper established, the aim is to execute this binary, whose main function is to parse its embedded configuration and initiate the next stage – the WolfsBane backdoor – from the file specified in that configuration.</p> <h5>Stage 3: WolfsBane backdoor</h5> <p>The WolfsBane backdoor, stored in a file named <span style="font-family: courier new, courier, monospace;">udevd</span>, begins by loading an embedded library and calling its <span style="font-family: courier new, courier, monospace;">main_session</span> export, which contains the main backdoor functionalities. This library, named by its authors as <span style="font-family: courier new, courier, monospace;">libMainPlugin.so</span>, is analogous to the <span style="font-family: courier new, courier, monospace;">MainPlugin.dll</span> used in the Windows version of the Gelsevirine backdoor.</p> <p>Similar to its Windows version, the WolfsBane backdoor uses other embedded libraries for network communication. In the samples we’ve collected, they are named <span style="font-family: courier new, courier, monospace;">libUdp.so</span> and <span style="font-family: courier new, courier, monospace;">libHttps.so</span>, and both export the symbol <span style="font-family: courier new, courier, monospace;">create_seesion</span> (the spelling mistake is exactly the same as in the Windows version of the Gelsevirine TCP module). 
These shared libraries provide C&C communications via UDP and HTTPS protocols, respectively.</p> <p>The backdoor encrypts the <span style="font-family: courier new, courier, monospace;">libMainPlugin.so</span> library using the RC4 algorithm (with the key obtained from the <span style="font-family: courier new, courier, monospace;">pluginkey</span> value in the configuration) and saves it to <span style="font-family: courier new, courier, monospace;"><work_directory>/X1l/data/gphoto2</span>. On subsequent executions, the backdoor first checks for this file: if it exists, the file is decrypted and loaded instead of the embedded <span style="font-family: courier new, courier, monospace;">libMainPlugin.so</span>. This mechanism allows the backdoor to be updated by overwriting the file.</p> <p>The WolfsBane backdoor uses a similar approach to its Windows counterpart for executing commands received from its C&C server.</p> <h5>WolfsBane Hider rootkit</h5> <p>WolfsBane backdoor uses a modified open-source <a href="https://github.com/unix-thrust/beurk/tree/dev" target="_blank" rel="noopener">BEURK</a> userland rootkit to hide its activities. Located in <span style="font-family: courier new, courier, monospace;">/usr/lib/libselinux.so</span>, this rootkit abuses the operating system’s preload mechanism to load into new processes before other libraries by adding its path to the <span style="font-family: courier new, courier, monospace;">/etc/ld.so.preload</span> file, thus enabling its functions to hook the original ones.</p> <p>The WolfsBane Hider rootkit hooks many basic standard C library functions such as <span style="font-family: courier new, courier, monospace;">open</span>, <span style="font-family: courier new, courier, monospace;">stat</span>, <span style="font-family: courier new, courier, monospace;">readdir</span>, and <span style="font-family: courier new, courier, monospace;">access</span>. 
While these hooked functions invoke the original ones, they filter out any results related to the WolfsBane malware. Unlike the original BEURK rootkit, which uses an embedded configuration file for filtering, the WolfsBane developers retained the default configuration but modified the source code to exclude information related to the hardcoded filenames of the malware executables <span style="font-family: courier new, courier, monospace;">udevd</span> and <span style="font-family: courier new, courier, monospace;">kde</span>. Additionally, the original BEURK rootkit’s network traffic-hiding features are absent.</p> <h4>FireWood backdoor</h4> <p>The FireWood backdoor, in a file named <span style="font-family: courier new, courier, monospace;">dbus</span>, is the Linux OS continuation of the Project Wood malware, as noted in the <a href="#Attribution and connection"><em>Attribution and connection</em></a> section. The analyzed code suggests that the file <span style="font-family: courier new, courier, monospace;">usbdev.ko</span> is a kernel driver module working as a rootkit to hide processes. The FireWood backdoor communicates with the kernel drivers using the <a href="https://en.wikipedia.org/wiki/Netlink">Netlink protocol</a>.</p> <p>FireWood uses a configuration file named <span style="font-family: courier new, courier, monospace;">kdeinit</span> that is XOR encrypted with the single-byte key <span style="font-family: courier new, courier, monospace;">0x26</span>. The configuration file’s structure is detailed in Table 2.</p> <p style="text-align: center;"><em>Table 2. 
Selected offsets and their corresponding values from the FireWood backdoor configuration file</em></p> <p><table border="1" width="642" cellspacing="0" cellpadding="0"> <thead> <tr> <td width="75"><strong>Offset</strong></td> <td width="151"><strong>Value</strong></td> <td width="416"><strong>Meaning</strong></td> </tr> </thead> <tbody> <tr> <td width="75"><span style="font-family: courier new, courier, monospace;">0x00</span></td> <td width="151"><span style="font-family: courier new, courier, monospace;">20190531110402</span></td> <td width="416">Unknown timestamp.</td> </tr> <tr> <td width="75"><span style="font-family: courier new, courier, monospace;">0x28</span></td> <td width="151"><span style="font-family: courier new, courier, monospace;">AAAAAAAAAA</span></td> <td width="416">Placeholder for backdoor working directory.</td> </tr> <tr> <td width="75"><span style="font-family: courier new, courier, monospace;">0x3C</span></td> <td width="151"><span style="font-family: courier new, courier, monospace;">0.0.0.0</span></td> <td width="416">C&C IP address (if 0.0.0.0, the backdoor uses the C&C domain).</td> </tr> <tr> <td width="75"><span style="font-family: courier new, courier, monospace;">0x66</span></td> <td width="151"><span style="font-family: courier new, courier, monospace;">asidomain[.]com</span></td> <td width="416">C&C domain.</td> </tr> <tr> <td width="75"><span style="font-family: courier new, courier, monospace;">0xCC</span></td> <td width="151"><span style="font-family: courier new, courier, monospace;">[scsi_eh_7]</span></td> <td width="416">Spoofed process name.</td> </tr> <tr> <td width="75"><span style="font-family: courier new, courier, monospace;">0x164</span></td> <td width="151"><span style="font-family: courier new, courier, monospace;">0x072BA1E6</span></td> <td width="416">TEA encryption key.</td> </tr> <tr> <td width="75"><span style="font-family: courier new, courier, monospace;">0x1E0</span></td> <td width="151"><span 
style="font-family: courier new, courier, monospace;">4</span></td> <td width="416">Connection day (backdoor connects every fourth day of the month).</td> </tr> <tr> <td width="75"><span style="font-family: courier new, courier, monospace;">0x1E4</span></td> <td width="151"><span style="font-family: courier new, courier, monospace;">5</span></td> <td width="416">Delay time.</td> </tr> <tr> <td width="75"><span style="font-family: courier new, courier, monospace;">0x1E8</span></td> <td width="151"><span style="font-family: courier new, courier, monospace;">0x0474</span></td> <td width="416">Connection time (in minutes).</td> </tr> </tbody> </table></p> <p>FireWood renames its process based on the value in the configuration.</p> <p>To establish persistence on the system, it creates a file named <span style="font-family: courier new, courier, monospace; white-space: nowrap;">/.config/autostart/gnome-control.desktop</span>. During startup, all files with a <span style="font-family: courier new, courier, monospace; white-space: nowrap;">.desktop</span> extension in the <span style="font-family: courier new, courier, monospace;">/.config/autostart/ directory</span> are parsed, and any commands listed in the <span style="font-family: courier new, courier, monospace; white-space: nowrap;">Exec</span> entry are executed. The contents of the <span style="font-family: courier new, courier, monospace;">gnome-control.desktop</span> file can be seen in Figure 7.</p> <pre class="language-markup"><code>[Desktop Entry] Type=Application Exec=<PATH/TO/OWN/EXECUTABLE> Hidden=false NoDisplay=false X-GNOME-Autostart-enabled=true Name[en_US]=gnome-calculator Name=gnome-control Comment[en_US]=</code></pre> <p style="text-align: center;"><em>Figure 7. 
Contents of the </em><span style="font-family: courier new, courier, monospace;">gnome-control.desktop</span><em> file used for persistence by the FireWood backdoor</em></p> <p>FireWood communicates with its C&C server via TCP, as specified in its configuration. All data is encrypted using the TEA encryption algorithm with a variable number of rounds. The encryption key and number of rounds are provided in the FireWood configuration file, as shown in Table 2.</p> <p>The structure of sent and received messages is shown in Figure 8. The outcome of executing a command varies depending on the command type, but typically, <span style="font-family: courier new, courier, monospace;">0x10181</span> indicates success, while <span style="font-family: courier new, courier, monospace;">0x10180</span> denotes an error.</p> <pre class="language-markup"><code>struct data{
    DWORD commandID_or_return_code_value ;
    BYTE data [];
}</code></pre> <p style="text-align: center;"><em>Figure 8. Data structure for C&C communications used by the FireWood backdoor</em></p> <p>This backdoor is capable of executing several commands, as described in Table 3.</p> <p style="text-align: center;"><em>Table 3. 
FireWood backdoor commands</em></p> <p><table border="1" width="642" cellspacing="0" cellpadding="0"> <thead> <tr> <td width="113"><strong>Command ID</strong></td> <td width="529"><strong>Description</strong></td> </tr> </thead> <tbody> <tr> <td width="113"><span style="font-family: courier new, courier, monospace;">0x105</span></td> <td width="529">Download an executable file from the C&C to <span style="font-family: courier new, courier, monospace;"><PATH>/tmpWood</span> and execute it with the ‌<span style="font-family: courier new, courier, monospace;">‑UPDATE</span> parameter.</td> </tr> <tr> <td width="113"><span style="font-family: courier new, courier, monospace;">0x110</span></td> <td width="529">Execute a shell command using the <span style="font-family: courier new, courier, monospace;">popen</span> function.</td> </tr> <tr> <td width="113"><span style="font-family: courier new, courier, monospace;">0x111</span></td> <td width="529">Change connection time value in the configuration.</td> </tr> <tr> <td width="113"><span style="font-family: courier new, courier, monospace;">0x112</span></td> <td width="529">Hide a process using the <span style="font-family: courier new, courier, monospace;">usbdev.ko</span> kernel module.</td> </tr> <tr> <td width="113"><span style="font-family: courier new, courier, monospace;">0x113</span></td> <td width="529">Change delay time in configuration.</td> </tr> <tr> <td width="113"><span style="font-family: courier new, courier, monospace;">0x114</span></td> <td width="529">Change connection day value in configuration.</td> </tr> <tr> <td width="113"><span style="font-family: courier new, courier, monospace;">0x132</span></td> <td width="529">Clean up and exit.</td> </tr> <tr> <td width="113"><span style="font-family: courier new, courier, monospace;">0x181</span></td> <td width="529">List contents of the specified directory.</td> </tr> <tr> <td width="113"><span style="font-family: courier new, courier, 
monospace;">0x182</span></td> <td width="529">Exfiltrate specified file to C&C server.</td> </tr> <tr> <td width="113"><span style="font-family: courier new, courier, monospace;">0x183</span></td> <td width="529">Delete specified file.</td> </tr> <tr> <td width="113"><span style="font-family: courier new, courier, monospace;">0x184</span></td> <td width="529">Rename specified file.</td> </tr> <tr> <td width="113"><span style="font-family: courier new, courier, monospace;">0x185</span></td> <td width="529">Execute specified file using the <span style="font-family: courier new, courier, monospace;">system</span> function.</td> </tr> <tr> <td width="113"><span style="font-family: courier new, courier, monospace;">0x186</span></td> <td width="529">Download file from C&C server.</td> </tr> <tr> <td width="113"><span style="font-family: courier new, courier, monospace;">0x189</span></td> <td width="529">Exfiltrate specified folder to C&C server.</td> </tr> <tr> <td width="113"><span style="font-family: courier new, courier, monospace;">0x193</span></td> <td width="529">Load specified kernel module or shared library.</td> </tr> <tr> <td width="113"><span style="font-family: courier new, courier, monospace;">0x194</span></td> <td width="529">Unload specified kernel module or shared library.</td> </tr> <tr> <td width="113"><span style="font-family: courier new, courier, monospace;">0x19F</span></td> <td width="529">Modify specified file timestamp.</td> </tr> <tr> <td width="113"><span style="font-family: courier new, courier, monospace;">0x200</span></td> <td width="529">Delete specified directory.</td> </tr> <tr> <td width="113"><span style="font-family: courier new, courier, monospace;">0x201</span></td> <td width="529">Read content of the specified file and send it to the C&C server.</td> </tr> <tr> <td width="113"><span style="font-family: courier new, courier, monospace;">0x1018F</span></td> <td width="529">Search for the specified file in the folder defined in the 
command.</td> </tr> </tbody> </table></p> <h4>Other tools</h4> <p>We discovered two additional tools in the archives that could be related to Gelsemium activity: an SSH password stealer and a small privilege escalation tool.</p> <p>The SSH password stealer is an SSH client based on the open-source <a href="https://www.openssh.com/">OpenSSH</a> software, modified to collect the SSH credentials users supply when authenticating to a server. The adversaries replaced the original SSH client binary in <span style="font-family: courier new, courier, monospace;">/usr/bin/ssh</span> with a trojanized version. While it functions as a normal SSH client, it saves all login data in the format <span style="font-family: courier new, courier, monospace;">&lt;USERNAME&gt;@&lt;HOST&gt;\t&lt;PASSWORD&gt;</span> into the file <span style="font-family: courier new, courier, monospace;">/tmp/zijtkldse.tmp</span>.</p> <p>The privilege escalation tool is a small binary, named <span style="font-family: courier new, courier, monospace;">ccc</span>, that simply escalates privileges by setting the UID and GID of the execution context to <span style="font-family: courier new, courier, monospace;">0</span> and then executes the program at the path received as an argument. For this technique to work, a user with root privileges must have set the SUID bit on this executable in advance, making it a tool for maintaining privileges rather than for obtaining them.</p> <h4>Webshells<a id="Webshells"></a></h4> <p>The <span style="font-family: courier new, courier, monospace;">login.jsp</span> file is a modified <a href="https://github.com/AntSwordProject/AntSword-JSP-Template">AntSword JSP</a> webshell that executes Java bytecode supplied by the attackers. The payload, a Java class file, is base64 encoded in the <span style="font-family: courier new, courier, monospace;">tiger</span> parameter of an HTTP POST request. 
The original webshell also supports a remote terminal, file operations, and database operations.</p> <p>The <span style="font-family: courier new, courier, monospace;">yy1.jsp</span> webshell, which we identified as icesword JSP, is sourced from internet forums, primarily Chinese-language ones. The icesword JSP webshell features a complete graphical user interface within its server-side code, allowing it to render a GUI in the attacker’s browser. It is not obfuscated; it collects system information, executes system commands, and performs file operations. It also connects to SQL databases on the compromised host and executes SQL queries.</p> <p>The <span style="font-family: courier new, courier, monospace;">a.jsp</span> webshell, similar to <span style="font-family: courier new, courier, monospace;">login.jsp</span> but obfuscated, carries a binary Java payload that is AES encrypted with the key <span style="font-family: courier new, courier, monospace;">6438B9BD2AB3C40A</span> and then base64 encoded. The payload is provided in the <span style="font-family: courier new, courier, monospace;">Tas9er</span> parameter. The obfuscation includes garbage comments, \u-escaped Unicode strings (which makes them harder to read), and random-string variable and function names. The result, base64 encoded and inserted into the string <span style="font-family: courier new, courier, monospace;">1F2551A37335B564&lt;base64_encoded_result&gt;8EF53BE997851B95</span>, is sent to the attackers in the response body.</p> <h2>Conclusion</h2> <p>This report describes the Linux malware toolset and its connections with Windows malware samples utilized by the Gelsemium APT group. We have focused on the capabilities of the WolfsBane and FireWood backdoors, and analyzed the WolfsBane execution chain and its utilization of the userland rootkit. 
This is the first public report documenting Gelsemium’s use of Linux malware, marking a notable shift in the group’s operational strategy.</p> <p>The trend of malware shifting towards Linux systems seems to be on the rise in the APT ecosystem. From our perspective, this development can be attributed to several advancements in email and endpoint security. The ever-increasing adoption of EDR solutions, along with Microsoft’s default strategy of disabling VBA macros, is leading to a scenario where adversaries are being forced to look for other potential avenues of attack.</p> <p>As a result, vulnerabilities in internet-facing infrastructure, particularly in Linux-based systems, are increasingly being targeted. These Linux systems are thus becoming the new preferred targets for these adversaries.</p> <blockquote> <div><em>For any inquiries about our research published on WeLiveSecurity, please contact us at <a style="background-color: #f4f4f4;" href="mailto:threatintel@eset.com?utm_source=welivesecurity.com&utm_medium=referral&utm_campaign=autotagging&utm_content=eset-research&utm_term=en">threatintel@eset.com</a>. </em></div> <div><em>ESET Research offers private APT intelligence reports and data feeds. 
For any inquiries about this service, visit the <a href="https://www.eset.com/int/business/services/threat-intelligence/?utm_source=welivesecurity.com&utm_medium=referral&utm_campaign=wls-research&utm_content=unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine&sfdccampaignid=7011n0000017htTAAQ" target="_blank" rel="noopener">ESET Threat Intelligence</a> page.</em></div> </blockquote> <h2>IoCs</h2> <p>A comprehensive list of indicators of compromise (IoCs) and samples can be found in <a href="https://github.com/eset/malware-ioc/tree/master/gelsemium">our GitHub repository</a>.</p> <h3>Files</h3> <p><table border="1" width="642" cellspacing="0" cellpadding="0"> <thead> <tr> <td width="179"><strong>SHA-1</strong></td> <td width="170"><strong>Filename</strong></td> <td width="142"><strong>Detection</strong></td> <td width="151"><strong>Description</strong></td> </tr> </thead> <tbody> <tr> <td width="179"><span style="font-family: courier new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">0FEF89711DA11C550D39<wbr />14DEBC0E663F5D2FB86C</span><br /><span style="font-family: courier new, courier, monospace;"> </span></td> <td width="170"><span style="font-family: courier new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">dbus</span><br /><span style="font-family: courier new, courier, monospace;"> </span></td> <td width="142">Linux/Agent.WF</td> <td width="151">FireWood backdoor.</td> </tr> <tr> <td width="179"><span style="font-family: courier new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">44947903B2BC760AC2E7<wbr />36B25574BE33BF7AF40B</span><br /><span style="font-family: courier new, courier, monospace;"> </span></td> <td width="170"><span style="font-family: courier new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">libselinux.so</span><br /><span style="font-family: courier 
new, courier, monospace;"> </span></td> <td width="142">Linux/Rootkit.Agent.EC</td> <td width="151">WolfsBane Hider rootkit.</td> </tr> <tr> <td width="179"><span style="font-family: courier new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">0AB53321BB9699D354A0<wbr />32259423175C08FEC1A4</span><br /><span style="font-family: courier new, courier, monospace;"> </span></td> <td width="170"><span style="font-family: courier new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">udevd</span><br /><span style="font-family: courier new, courier, monospace;"> </span></td> <td width="142">Linux/Agent.WF</td> <td width="151">WolfsBane backdoor.</td> </tr> <tr> <td width="179"><span style="font-family: courier new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">8532ECA04C0F58172D80<wbr />D8A446AE33907D509377</span><br /><span style="font-family: courier new, courier, monospace;"> </span></td> <td width="170"><span style="font-family: courier new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">kde</span><br /><span style="font-family: courier new, courier, monospace;"> </span></td> <td width="142">Linux/Agent.WF</td> <td width="151">WolfsBane launcher.</td> </tr> <tr> <td width="179"><span style="font-family: courier new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">B2A14E77C96640914399<wbr />E5F46E1DEC279E7B940F</span><br /><span style="font-family: courier new, courier, monospace;"> </span></td> <td width="170"><span style="font-family: courier new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">cron</span><br /><span style="font-family: courier new, courier, monospace;"> </span></td> <td width="142">Linux/Agent.WF</td> <td width="151">WolfsBane dropper.</td> </tr> <tr> <td width="179"><span style="font-family: courier 
new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">209C4994A42AF7832F52<wbr />6E09238FB55D5AAB34E5</span><br /><span style="font-family: courier new, courier, monospace;"> </span></td> <td width="170"><span style="font-family: courier new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">ccc</span><br /><span style="font-family: courier new, courier, monospace;"> </span></td> <td width="142">Linux/Agent.WF</td> <td width="151">Privilege escalation helper tool.</td> </tr> <tr> <td width="179"><span style="font-family: courier new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">F43D4D46BAE9AD963C2E<wbr />B05EF43E90AA3A5D88E3</span><br /><span style="font-family: courier new, courier, monospace;"> </span></td> <td width="170"><span style="font-family: courier new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">ssh</span><br /><span style="font-family: courier new, courier, monospace;"> </span></td> <td width="142">Linux/SSHDoor.IC</td> <td width="151">Trojanized SSH client.</td> </tr> <tr> <td width="179"><span style="font-family: courier new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">FD601A54BC622C041DF0<wbr />242662964A7ED31C6B9C</span><br /><span style="font-family: courier new, courier, monospace;"> </span></td> <td width="170"><span style="font-family: courier new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">a.jsp</span><br /><span style="font-family: courier new, courier, monospace;"> </span></td> <td width="142">Java/Agent.BP</td> <td width="151">JSP webshell.</td> </tr> <tr> <td width="179"><span style="font-family: courier new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">9F7790524BD759373AB5<wbr />7EE2AAFA6F5D8BCB918A</span><br /><span 
style="font-family: courier new, courier, monospace;"> </span></td> <td width="170"><span style="font-family: courier new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">yy1.jsp</span><br /><span style="font-family: courier new, courier, monospace;"> </span></td> <td width="142">Java/JSP.J</td> <td width="151">icesword webshell.</td> </tr> <tr> <td width="179"><span style="font-family: courier new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">238C8E8EB7A732D85D8A<wbr />7F7CA40B261D8AE4183D</span><br /><span style="font-family: courier new, courier, monospace;"> </span></td> <td width="170"><span style="font-family: courier new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">login.jsp</span><br /><span style="font-family: courier new, courier, monospace;"> </span></td> <td width="142">Java/Webshell.AM</td> <td width="151">Modified AntSword JSP webshell.</td> </tr> <tr> <td width="179"><span style="font-family: courier new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">F1DF0C5A74C9885CB593<wbr />4E3EEE5E7D3CF4D291C0</span><br /><span style="font-family: courier new, courier, monospace;"> </span></td> <td width="170"><span style="font-family: courier new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">virus.tgz</span><br /><span style="font-family: courier new, courier, monospace;"> </span></td> <td width="142">Linux/Agent.WF</td> <td width="151">VirusTotal archive.</td> </tr> <tr> <td width="179"><span style="font-family: courier new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">B3DFB40336C2F17EC740<wbr />51844FFAF65DDB874CFC</span><br /><span style="font-family: courier new, courier, monospace;"> </span></td> <td width="170"><span style="font-family: courier new, courier, monospace;"> </span> <span 
style="font-family: courier new, courier, monospace;">virus-b.tgz</span><br /><span style="font-family: courier new, courier, monospace;"> </span></td> <td width="142">Linux/Agent.WF</td> <td width="151">VirusTotal archive.</td> </tr> <tr> <td width="179"><span style="font-family: courier new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">85528EAC10090AE743BC<wbr />F102B4AE7007B6468255</span><br /><span style="font-family: courier new, courier, monospace;"> </span></td> <td width="170"><span style="font-family: courier new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">CHINA-APT-Trojan.zip</span><br /><span style="font-family: courier new, courier, monospace;"> </span></td> <td width="142">Java/Agent.BP</td> <td width="151">VirusTotal archive.</td> </tr> <tr> <td width="179"><span style="font-family: courier new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">CDBBB6617D8937D17A1A<wbr />9EF12750BEE1CDDF4562</span><br /><span style="font-family: courier new, courier, monospace;"> </span></td> <td width="170"><span style="font-family: courier new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">CHINA-APT-Trojan.zip</span><br /><span style="font-family: courier new, courier, monospace;"> </span></td> <td width="142">Linux/Rootkit.Agent.EC</td> <td width="151">VirusTotal archive.</td> </tr> <tr> <td width="179"><span style="font-family: courier new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">843D6B0054D066845628<wbr />E2D5DB95201B20E12CD2</span><br /><span style="font-family: courier new, courier, monospace;"> </span></td> <td width="170"><span style="font-family: courier new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">CHINA-APT-Trojan.zip</span><br /><span style="font-family: courier new, courier, 
monospace;"> </span></td> <td width="142">Linux/Rootkit.Agent.EC</td> <td width="151">VirusTotal archive.</td> </tr> <tr> <td width="179"><span style="font-family: courier new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">BED9EFB245FAC8CFFF83<wbr />33AE37AD78CCFB7E2198</span><br /><span style="font-family: courier new, courier, monospace;"> </span></td> <td width="170"><span style="font-family: courier new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">Xl1.zip</span><br /><span style="font-family: courier new, courier, monospace;"> </span></td> <td width="142">Linux/Rootkit.Agent.EC</td> <td width="151">VirusTotal archive.</td> </tr> <tr> <td width="179"><span style="font-family: courier new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">600C59733444BC8A5F71<wbr />D41365368F3002465B10</span><br /><span style="font-family: courier new, courier, monospace;"> </span></td> <td width="170"><span style="font-family: courier new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">CHINA-APT-Trojan.zip</span><br /><span style="font-family: courier new, courier, monospace;"> </span></td> <td width="142">Linux/Rootkit.Agent.EC</td> <td width="151">VirusTotal archive.</td> </tr> <tr> <td width="179"><span style="font-family: courier new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">72DB8D1E3472150C1BE9<wbr />3B68F53F091AACC2234D</span><br /><span style="font-family: courier new, courier, monospace;"> </span></td> <td width="170"><span style="font-family: courier new, courier, monospace;"> </span> <span style="font-family: courier new, courier, monospace;">virus.tgz</span><br /><span style="font-family: courier new, courier, monospace;"> </span></td> <td width="142">Linux/Agent.WF</td> <td width="151">VirusTotal archive.</td> </tr> </tbody> </table></p> 
<h3>Network</h3> <p><table border="1" width="642" cellspacing="0" cellpadding="0"> <thead> <tr> <td width="85"><strong>IP</strong></td> <td width="142"><strong>Domain</strong></td> <td width="123"><strong>Hosting provider</strong></td> <td width="95"><strong>First seen</strong></td> <td width="199"><strong>Details</strong></td> </tr> </thead> <tbody> <tr> <td width="85">N/A</td> <td width="142"><span style="font-family: courier new, courier, monospace;">dsdsei[.]com</span></td> <td width="123">N/A</td> <td width="95">2020-08-16</td> <td width="199">WolfsBane backdoor C&C server.</td> </tr> <tr> <td width="85">N/A</td> <td width="142"><span style="font-family: courier new, courier, monospace;">asidomain[.]com</span></td> <td width="123">N/A</td> <td width="95">2022-01-26</td> <td width="199">FireWood backdoor C&C server.</td> </tr> </tbody> </table></p> <h2>MITRE ATT&CK techniques</h2> <p>This table was built using <a href="https://attack.mitre.org/resources/versions/">version 15</a> of the MITRE ATT&CK framework.</p> <p><table style="height: 1907px;" border="1" width="642" cellspacing="0" cellpadding="0"> <thead> <tr style="height: 73px;"> <td style="height: 73px;" width="113"> <p><strong>Tactic</strong></p> </td> <td style="height: 73px;" width="113"> <p><strong>ID</strong></p> </td> <td style="height: 73px;" width="191"> <p><strong>Name</strong></p> </td> <td style="height: 73px;" width="225"> <p><strong>Description</strong></p> </td> </tr> </thead> <tbody> <tr style="height: 70px;"> <td style="height: 212px;" rowspan="3" width="113"> <p><strong>Resource Development</strong></p> </td> <td style="height: 70px;" width="113"> <p><a href="https://attack.mitre.org/versions/v15/techniques/T1583/001">T1583.001</a></p> </td> <td style="height: 70px;" width="191"> <p>Acquire Infrastructure: Domains</p> </td> <td style="height: 70px;" width="225"> <p>Gelsemium has registered domains through commercial providers.</p> </td> </tr> <tr style="height: 71px;"> <td style="height: 
71px;" width="113"> <p><a href="https://attack.mitre.org/versions/v15/techniques/T1583/004">T1583.004</a></p> </td> <td style="height: 71px;" width="191"> <p>Acquire Infrastructure: Server</p> </td> <td style="height: 71px;" width="225"> <p>Gelsemium most likely acquires VPS from commercial providers.</p> </td> </tr> <tr style="height: 71px;"> <td style="height: 71px;" width="113"> <p><a href="https://attack.mitre.org/versions/v15/techniques/T1587/001">T1587.001</a></p> </td> <td style="height: 71px;" width="191"> <p>Develop Capabilities: Malware</p> </td> <td style="height: 71px;" width="225"> <p>Gelsemium develops its own custom malware.</p> </td> </tr> <tr style="height: 71px;"> <td style="height: 71px;" width="113"> <p><strong>Execution</strong></p> </td> <td style="height: 71px;" width="113"> <p><a href="https://attack.mitre.org/versions/v15/techniques/T1059/004">T1059.004</a></p> </td> <td style="height: 71px;" width="191"> <p>Command-Line Interface: Unix Shell</p> </td> <td style="height: 71px;" width="225"> <p>Gelsemium malware is capable of executing Linux shell commands.</p> </td> </tr> <tr style="height: 92px;"> <td style="height: 368px;" rowspan="4" width="113"> <p><strong>Persistence</strong></p> </td> <td style="height: 92px;" width="113"> <p><a href="https://attack.mitre.org/versions/v15/techniques/T1037/004">T1037.004</a></p> </td> <td style="height: 92px;" width="191"> <p>Boot or Logon Initialization Scripts: RC Scripts</p> </td> <td style="height: 92px;" width="225"> <p>The WolfsBane launcher remains persistent on the system by using RC startup scripts.</p> </td> </tr> <tr style="height: 92px;"> <td style="height: 92px;" width="113"> <p><a href="https://attack.mitre.org/versions/v15/techniques/T1543/002">T1543.002</a></p> </td> <td style="height: 92px;" width="191"> <p>Create or Modify System Process: Systemd Service</p> </td> <td style="height: 92px;" width="225"> <p>The WolfsBane dropper can create a new system service for persistence.</p> </td> 
</tr> <tr style="height: 92px;"> <td style="height: 92px;" width="113"> <p><a href="https://attack.mitre.org/versions/v15/techniques/T1574/006">T1574.006</a></p> </td> <td style="height: 92px;" width="191"> <p>Hijack Execution Flow: Dynamic Linker Hijacking</p> </td> <td style="height: 92px;" width="225"> <p>The WolfsBane Hider rootkit abuses the <span style="font-family: courier new, courier, monospace;">ld.so.preload</span> preload technique.</p> </td> </tr> <tr style="height: 92px;"> <td style="height: 92px;" width="113"> <p><a href="https://attack.mitre.org/versions/v15/techniques/T1547/013">T1547.013</a></p> </td> <td style="height: 92px;" width="191"> <p>Boot or Logon Autostart Execution: XDG Autostart Entries</p> </td> <td style="height: 92px;" width="225"> <p>The FireWood backdoor persists on the system by creating the <span style="font-family: courier new, courier, monospace;">gnome-control.desktop</span> autostart file.</p> </td> </tr> <tr style="height: 92px;"> <td style="height: 184px;" rowspan="2" width="113"> <p><strong>Privilege Escalation</strong></p> </td> <td style="height: 92px;" width="113"> <p><a href="https://attack.mitre.org/versions/v15/techniques/T1546/004">T1546.004</a></p> </td> <td style="height: 92px;" width="191"> <p>Event Triggered Execution: .bash_profile and .bashrc</p> </td> <td style="height: 92px;" width="225"> <p>The WolfsBane dropper tampers with various shell configuration files to achieve persistence.</p> </td> </tr> <tr style="height: 92px;"> <td style="height: 92px;" width="113"> <p><a href="https://attack.mitre.org/versions/v15/techniques/T1548/001">T1548.001</a></p> </td> <td style="height: 92px;" width="191"> <p>Abuse Elevation Control Mechanism: Setuid and Setgid</p> </td> <td style="height: 92px;" width="225"> <p>Gelsemium uses a simple tool that abuses setuid and setgid to keep escalated privileges.</p> </td> </tr> <tr style="height: 71px;"> <td style="height: 673px;" rowspan="8" width="113"> <p><strong>Defense 
Evasion</strong></p> </td> <td style="height: 71px;" width="113"> <p><a href="https://attack.mitre.org/versions/v15/techniques/T1070/004">T1070.004</a></p> </td> <td style="height: 71px;" width="191"> <p>Indicator Removal: File Deletion</p> </td> <td style="height: 71px;" width="225"> <p>The WolfsBane dropper removes itself.</p> </td> </tr> <tr style="height: 92px;"> <td style="height: 92px;" width="113"> <p><a href="https://attack.mitre.org/versions/v15/techniques/T1070/006">T1070.006</a></p> </td> <td style="height: 92px;" width="191"> <p>Indicator Removal: Timestomp</p> </td> <td style="height: 92px;" width="225"> <p>The FireWood backdoor has a command for modifying the MAC time of files.</p> </td> </tr> <tr style="height: 71px;"> <td style="height: 71px;" width="113"> <p><a href="https://attack.mitre.org/versions/v15/techniques/T1070/009">T1070.009</a></p> </td> <td style="height: 71px;" width="191"> <p>Indicator Removal: Clear Persistence</p> </td> <td style="height: 71px;" width="225"> <p>The WolfsBane dropper removes itself from disk.</p> </td> </tr> <tr style="height: 92px;"> <td style="height: 92px;" width="113"> <p><a href="https://attack.mitre.org/versions/v15/techniques/T1564/001">T1564.001</a></p> </td> <td style="height: 92px;" width="191"> <p>Hide Artifacts: Hidden Files and Directories</p> </td> <td style="height: 92px;" width="225"> <p>Both the WolfsBane and FireWood backdoors are located/installed in hidden folders.</p> </td> </tr> <tr style="height: 92px;"> <td style="height: 92px;" width="113"> <p><a href="https://attack.mitre.org/versions/v15/techniques/T1222/002">T1222.002</a></p> </td> <td style="height: 92px;" width="191"> <p>File Permissions Modification: Linux and Mac File and Directory Permissions Modification</p> </td> <td style="height: 92px;" width="225"> <p>The WolfsBane dropper uses Linux chmod commands to modify permissions of dropped executables.</p> </td> </tr> <tr style="height: 92px;"> <td style="height: 92px;" width="113"> 
<p><a href="https://attack.mitre.org/versions/v15/techniques/T1027/009">T1027.009</a></p> </td> <td style="height: 92px;" width="191"> <p>Obfuscated Files or Information: Embedded Payloads</p> </td> <td style="height: 92px;" width="225"> <p>The WolfsBane dropper has all its payloads compressed and embedded.</p> </td> </tr> <tr style="height: 71px;"> <td style="height: 71px;" width="113"> <p><a href="https://attack.mitre.org/versions/v15/techniques/T1014">T1014</a></p> </td> <td style="height: 71px;" width="191"> <p>Rootkit</p> </td> <td style="height: 71px;" width="225"> <p>Both WolfsBane and FireWood malware utilize rootkits for evasion.</p> </td> </tr> <tr style="height: 92px;"> <td style="height: 92px;" width="113"> <p><a href="https://attack.mitre.org/versions/v15/techniques/T1036/005">T1036.005</a></p> </td> <td style="height: 92px;" width="191"> <p>Masquerading: Match Legitimate Name or Location</p> </td> <td style="height: 92px;" width="225"> <p>Gelsemium often names its malware to match legitimate files and folders.</p> </td> </tr> <tr style="height: 71px;"> <td style="height: 163px;" rowspan="2" width="113"> <p><strong>Discovery</strong></p> </td> <td style="height: 71px;" width="113"> <p><a href="https://attack.mitre.org/versions/v15/techniques/T1082">T1082</a></p> </td> <td style="height: 71px;" width="191"> <p>System Information Discovery</p> </td> <td style="height: 71px;" width="225"> <p>The WolfsBane dropper enumerates system information.</p> </td> </tr> <tr style="height: 92px;"> <td style="height: 92px;" width="113"> <p><a href="https://attack.mitre.org/versions/v15/techniques/T1083">T1083</a></p> </td> <td style="height: 92px;" width="191"> <p>File and Directory Discovery</p> </td> <td style="height: 92px;" width="225"> <p>The FireWood backdoor is capable of searching in the machine file system for specified files and folders.</p> </td> </tr> <tr style="height: 71px;"> <td style="height: 71px;" width="113"> <p><strong>Collection</strong></p> </td> 
<td style="height: 71px;" width="113"> <p><a href="https://attack.mitre.org/versions/v15/techniques/T1056">T1056</a></p> </td> <td style="height: 71px;" width="191"> <p>Input Capture</p> </td> <td style="height: 71px;" width="225"> <p>The SSH password stealer captures user credentials.</p> </td> </tr> <tr style="height: 92px;"> <td style="height: 92px;" width="113"> <p><strong>Exfiltration</strong></p> </td> <td style="height: 92px;" width="113"> <p><a href="https://attack.mitre.org/versions/v15/techniques/T1041">T1041</a></p> </td> <td style="height: 92px;" width="191"> <p>Exfiltration Over C2 Channel</p> </td> <td style="height: 92px;" width="225"> <p>The FireWood backdoor exfiltrates collected data utilizing C&C communications.</p> </td> </tr> </tbody> </table></p> <p><a href="https://www.eset.com/int/business/services/threat-intelligence/?utm_source=welivesecurity.com&utm_medium=referral&utm_campaign=wls-research&utm_content=unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine&sfdccampaignid=7011n0000017htTAAQ" target="_blank" rel="noopener"><img src="https://web-assets.esetstatic.com/wls/2023/2023-12/welivesecurity-eset-threat-intelligence.jpeg" alt="" width="915" height="296" /></a></p> </div> <div class="article-subscribe-form mb-4"> <hr /> <div class="form-wrapper"> <div class="overlay"> <h2 class="title"> Let us keep you <br class='d-md-none'>up to date </h2> <p class="subtitle"> Sign up for our newsletters </p> <div class="form"> <form action="https://enjoy.eset.com/pub/rf" class="basic-searchform col-md-12 col-sm-12 col-xs-12 no-padding newsletter px-0" target="_blank" method="post" role="search"> <div class="search-input clearfix"> <input type="text" name="EMAIL_ADDRESS_" value="" placeholder="Your Email Address" required> <input type="checkbox" id="TOPIC" name="TOPIC" value="We Live Security Ukraine Newsletter"> <label for="TOPIC">Ukraine Crisis newsletter</label> <input type="checkbox" id="NEWSLETTER" name="NEWSLETTER" value="We Live 
class="article-list-card-header col"><div class="row g-0"><div class="text-card col-9 col-sm-10 col-md-9"><div class="article-list-card-title"><p class="category text-uppercase">ESET research</p><p class="title">NSPX30: A sophisticated AitM-enabled implant evolving since 2005</p></div></div><div class="image-card col-3 col-sm-2 col-md-3"><picture><source srcset="https://web-assets.esetstatic.com/tn/-x45/wls/2024/1-2024/nspx30/nspx30-aitm-implant-blackwood-apt-eset-threat-research.jpeg" media="(max-width: 768px)" /><img class="article-list-image mt-1 mt-md-0 w-100" src="https://web-assets.esetstatic.com/tn/-x82/wls/2024/1-2024/nspx30/nspx30-aitm-implant-blackwood-apt-eset-threat-research.jpeg" alt="NSPX30: A sophisticated AitM-enabled implant evolving since 2005" /></picture></div></div></div></div></a></div> <hr> <div class="article-list-card"><a href="/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/" title="Operation NightScout: Supply-chain attack targets online gaming in Asia"><div class="row g-0 row-cols-1"><div class="article-list-card-header col"><div class="row g-0"><div class="text-card col-9 col-sm-10 col-md-9"><div class="article-list-card-title"><p class="category text-uppercase">ESET research</p><p class="title">Operation NightScout: Supply-chain attack targets online gaming in Asia</p></div></div><div class="image-card col-3 col-sm-2 col-md-3"><picture><source srcset="https://web-assets.esetstatic.com/tn/-x45/wls/2021/02/operation-nightscout-gaming-asia-supply-chain.jpg" media="(max-width: 768px)" /><img class="article-list-image mt-1 mt-md-0 w-100" src="https://web-assets.esetstatic.com/tn/-x82/wls/2021/02/operation-nightscout-gaming-asia-supply-chain.jpg" alt="Operation NightScout: Supply-chain attack targets online gaming in Asia" /></picture></div></div></div></div></a></div> <hr> <div class="article-list-card"><a href="/2021/06/09/gelsemium-when-threat-actors-go-gardening/" title="Gelsemium: When threat actors go 
gardening"><div class="row g-0 row-cols-1"><div class="article-list-card-header col"><div class="row g-0"><div class="text-card col-9 col-sm-10 col-md-9"><div class="article-list-card-title"><p class="category text-uppercase">ESET research</p><p class="title">Gelsemium: When threat actors go gardening</p></div></div><div class="image-card col-3 col-sm-2 col-md-3"><picture><source srcset="https://web-assets.esetstatic.com/tn/-x45/wls/2021/06/gelsemium-apt-eset-malware-research.jpg" media="(max-width: 768px)" /><img class="article-list-image mt-1 mt-md-0 w-100" src="https://web-assets.esetstatic.com/tn/-x82/wls/2021/06/gelsemium-apt-eset-malware-research.jpg" alt="Gelsemium: When threat actors go gardening" /></picture></div></div></div></div></a></div> <hr> </div> </div> <div class="pb-4"> <div class="share-article-card"> <div class="sidebar-card-media"> <div class="mb-3"> <h3 class="articles-title-divider">Share Article</h3> </div> <div class="medias"> <a href="https://www.facebook.com/sharer/sharer.php?u=https://www.welivesecurity.com/en/eset-research/unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine/" title="Facebook" > <svg id="Layer_2" fill="#949ca1" class="facebook" xmlns="http://www.w3.org/2000/svg" width="35" height="35" viewBox="0 0 50 50"><g id="Layer_2-2"><circle cx="25" cy="25" r="25" /><path fill="white"d="m30.9623,26.8125l.8054-5.2483h-5.0359v-3.4058c0-1.4358.7035-2.8354,2.9589-2.8354h2.2894v-4.4684s-2.0776-.3546-4.064-.3546c-4.1472,0-6.858,2.5137-6.858,7.0642v4h-4.61v5.2483h4.61v12.6875h5.6737v-12.6875h4.2305Z" /></g></svg> </a> <a href="https://www.linkedin.com/shareArticle?mini=true&url=https://www.welivesecurity.com/en/eset-research/unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine/" title="LinkedIn" > <svg id="Layer_2" fill="#949ca1" class="linkedin" xmlns="http://www.w3.org/2000/svg" width="35" height="35" viewBox="0 0 50 50"><g id="Layer_2-2"><circle cx="25" cy="25" r="25" /><path 
fill="white"d="m18.7686,35.9995h-4.9757v-16.0232h4.9757v16.0232Zm-2.4905-18.2089c-1.5911,0-2.8816-1.3179-2.8816-2.9089.0002-1.5915,1.2906-2.8814,2.882-2.8812,1.5911.0002,2.881,1.29,2.8812,2.8812,0,1.5911-1.2911,2.9089-2.8816,2.9089Zm21.113,18.2089h-4.965v-7.8c0-1.8589-.0375-4.2429-2.587-4.2429-2.587,0-2.9834,2.0196-2.9834,4.1089v7.9339h-4.9704v-16.0232h4.7721v2.1857h.0696c.6643-1.2589,2.287-2.5875,4.7079-2.5875,5.0357,0,5.9614,3.3161,5.9614,7.6232v8.8018h-.0054Z" /></g></svg> </a> <a href="https://twitter.com/intent/tweet?url=https://www.welivesecurity.com/en/eset-research/unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine/" title="Twitter" > <svg id="Layer_2" fill="#949ca1" class="twitter" xmlns="http://www.w3.org/2000/svg" width="35" height="35" viewBox="0 0 50 50"><g id="Layer_2-2"><circle cx="25" cy="25" r="25" /><g id="twitter"><g id="Layer_2-3"><g id="Research_icons"><path id="twitter-2" fill="white"d="m36.0847,16.9564c1.1786-.1395,2.3298-.4543,3.4153-.934-.7998,1.1935-1.8049,2.2357-2.9686,3.0783v.7675c0,7.8581-5.9779,16.9184-16.9184,16.9184-3.2314.004-6.3954-.9238-9.113-2.6722.4703.0571.9436.0856,1.4173.0853,2.6784.0044,5.2803-.8925,7.3871-2.5463-2.5446-.0467-4.7777-1.7068-5.5555-4.1301.3681.0703.742.1056,1.1168.1056.5293,0,1.0564-.0696,1.5676-.2071-2.775-.5608-4.7696-3.0006-4.7677-5.8317v-.0731c.826.4573,1.7488.712,2.6925.7432-2.6116-1.7476-3.4122-5.2258-1.8275-7.9394,3.0149,3.7157,7.4653,5.9771,12.2441,6.2215-.7617-3.1963,1.2119-6.4049,4.4082-7.1666,2.0894-.4979,4.285.1691,5.7444,1.7451,1.3319-.2639,2.6091-.7528,3.7768-1.4457-.4477,1.3745-1.3782,2.5402-2.6194,3.2813Z" /></g></g></g></g></svg> </a> <a href="mailto:?&subject=I wanted you to see this site&body=https://www.welivesecurity.com/en/eset-research/unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine/" title="mail" > <svg id="Layer_2" fill="#949ca1" class="social-icon" xmlns="http://www.w3.org/2000/svg" width="35" height="35" viewBox="0 0 50 50"><g id="Layer_2-2"><circle 
cx="25" cy="25" r="25" /><path id="Path_7761" fill="white"d="m13.1593,14.9378c-.2808,0-.5616.0936-.8424.1872l11.8875,11.5131c.3744.468,1.0296.468,1.404.0936.0936,0,.0936-.0936.0936-.0936l12.0747-11.5131c-.2808-.0936-.5616-.1872-.7488-.1872H13.1593Zm-2.1529,1.9656v15.8188c-.0936,1.2168.8424,2.2465,2.0593,2.3401h23.8686c1.2168-.0936,2.1529-1.1232,2.0593-2.3401v-15.7252l-11.7939,11.3259c-1.2168,1.2168-3.1825,1.2168-4.3057,0l-11.8875-11.4195Z" /></g></svg> </a> <a href="https://www.welivesecurity.com/en/eset-research/unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine/" title="copy" class="copy-link" > <svg id="Layer_2" fill="#949ca1" class="social-icon" xmlns="http://www.w3.org/2000/svg" width="35" height="35" viewBox="0 0 50 50"><g id="Layer_2-2"><circle cx="25" cy="25" r="25" /><path fill="white"d="m32.2813,27.4375l3.7-3.7c2.7-2.7,2.7-7,0-9.7-2.7-2.7-7-2.7-9.7,0h0l-5.3,5.3c-2.7,2.7-2.7,7,0,9.7.4.4.8.7,1.3,1l2.8-2.8c-.6-.1-1.1-.4-1.5-.8-1.2-1.2-1.2-3.2,0-4.4l5.3-5.3c1.3-1.2,3.2-1.1,4.4.1,1.1,1.2,1.1,3.1,0,4.3l-1.6,1.6c.7,1.4.9,3.1.6,4.7h0Zm-14.7-4.7l-3.6,3.6c-2.7,2.7-2.6,7,0,9.7,2.7,2.6,6.9,2.6,9.6,0l5.3-5.3c2.7-2.7,2.7-7,0-9.7-.4-.4-.8-.7-1.3-1l-2.8,2.8c1.7.4,2.7,2.1,2.3,3.7-.1.6-.4,1.1-.8,1.5l-5.3,5.4c-1.2,1.3-3.1,1.3-4.4.1-1.3-1.2-1.3-3.1-.1-4.4,0-.1.1-.1.1-.1l1.6-1.5c-.7-1.6-.9-3.2-.6-4.8h0Z" /></g></svg> </a> </div> </div> </div> </div> <div class="pb-4"> <a class="d-block sidebar-card-banner" href="https://www.welivesecurity.com/en/eset-research/eset-apt-activity-report-q2-2024-q3-2024/" title="Apt Activity Report" target="_blank"> <img src="https://www.welivesecurity.com/build/assets/eset-apt-activity-report-q2-2024-q3-2024-d75a59c4.webp" alt="Apt Activity Report" class="w-100" > </a> </div> </div> </div> </div> <div class="row"> <div class="col col-lg-8 pe-lg-0"> <div class="my-4"> <h3 class="articles-title-divider">Discussion</h3> </div> <div id="disqus_thread"></div> </div> </div> </div> </div> <!-- footer --> <footer class="page-footer"> <div 