ESET researchers have uncovered two new Linux backdoors, WolfsBane and FireWood, associated with the China-aligned Gelsemium advanced persistent threat (APT) group. This is the first known instance of Gelsemium using Linux malware. The attribution differs between the two samples: WolfsBane is attributed to Gelsemium, whereas FireWood is linked to the group only tentatively, with low confidence, because it may be a tool shared among several Chinese APT groups. The discovered backdoors and accompanying tools are built for cyberespionage: they maintain persistent access to compromised hosts and execute attacker commands covertly in order to collect sensitive data. The shift by APT groups toward targeting Linux systems may be driven by improved Windows security measures. The technical analysis examines the functionality and structure of these backdoors in more detail, shedding light on how they operate.
https://www.welivesecurity.com/en/eset-research/unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine/