ESET researchers have identified two Linux backdoors, WolfsBane and FireWood, linked to the China-aligned Gelsemium APT group. WolfsBane is the Linux counterpart of Gelsevirine, a Windows backdoor, and is attributed to Gelsemium with high confidence due to shared features like network communication libraries and command execution mechanisms. FireWood, however, shows similarities to Project Wood, another Windows backdoor, but its connection to Gelsemium remains uncertain, with attribution made only with low confidence. Both backdoors, alongside other tools like web shells and rootkits, target sensitive data and maintain persistent access, primarily for cyberespionage purposes.
The samples were most likely collected during incident response engagements in East Asia; the archives were uploaded to VirusTotal from Taiwan, the Philippines, and Singapore. WolfsBane’s execution chain consists of a dropper, a launcher, and the backdoor itself, while FireWood loads a kernel module to hide its processes and encrypts its C&C traffic with TEA. The accompanying toolset includes a trojanized SSH client and web shells used for remote control and data exfiltration. These backdoors are Gelsemium’s first known use of Linux malware, a shift consistent with hardened security measures in Windows environments pushing the group toward Linux targets.
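The mention of TEA-encrypted C&C traffic above is the kind of detail an analyst acts on: once the key is recovered from a sample, captured traffic can be decoded offline. The following is an added example, not FireWood's or ESET's code, of the standard Tiny Encryption Algorithm with an encrypt/decrypt pair and a small wrapper for byte buffers. It assumes the textbook parameters (32 rounds, delta 0x9E3779B9, a 16-byte key), little-endian 32-bit words, independent 8-byte blocks (ECB) and PKCS#7 padding; the page states none of these about FireWood, and a real sample may differ in rounds, byte order, padding or chaining, which is exactly what one verifies in the disassembly before trusting a decryptor. The key and message are constructed for the demo.

```python
"""Standard TEA reference implementation for decoding TEA-protected traffic.

Added example; this is not FireWood's code.  Assumptions not stated on the
page: 32 rounds, the standard delta, little-endian words, independent
8-byte blocks (ECB), PKCS#7 padding and a 16-byte key.
"""
import struct

TEA_DELTA = 0x9E3779B9   # standard TEA constant (derived from the golden ratio)
TEA_ROUNDS = 32          # textbook round count; a sample may use another value
MASK32 = 0xFFFFFFFF


def tea_encrypt_block(v0, v1, k):
    """Encrypt one 64-bit block given as two uint32 words with key words k[0..3]."""
    total = 0
    for _ in range(TEA_ROUNDS):
        total = (total + TEA_DELTA) & MASK32
        v0 = (v0 + ((((v1 << 4) & MASK32) + k[0]) ^ (v1 + total) ^ ((v1 >> 5) + k[1]))) & MASK32
        v1 = (v1 + ((((v0 << 4) & MASK32) + k[2]) ^ (v0 + total) ^ ((v0 >> 5) + k[3]))) & MASK32
    return v0, v1


def tea_decrypt_block(v0, v1, k):
    """Inverse of tea_encrypt_block: undo the rounds in reverse order."""
    total = (TEA_DELTA * TEA_ROUNDS) & MASK32
    for _ in range(TEA_ROUNDS):
        v1 = (v1 - ((((v0 << 4) & MASK32) + k[2]) ^ (v0 + total) ^ ((v0 >> 5) + k[3]))) & MASK32
        v0 = (v0 - ((((v1 << 4) & MASK32) + k[0]) ^ (v1 + total) ^ ((v1 >> 5) + k[1]))) & MASK32
        total = (total - TEA_DELTA) & MASK32
    return v0, v1


def _key_words(key):
    if len(key) != 16:
        raise ValueError("TEA key must be exactly 16 bytes")
    return struct.unpack("<4I", key)   # little-endian word order is an assumption


def _apply(buf, key, block_fn):
    """Run block_fn over each independent 8-byte block (ECB, an assumption)."""
    if len(buf) % 8 != 0:
        raise ValueError("buffer length must be a multiple of 8 (TEA block size)")
    k = _key_words(key)
    out = bytearray()
    for off in range(0, len(buf), 8):
        v0, v1 = struct.unpack_from("<2I", buf, off)
        w0, w1 = block_fn(v0, v1, k)
        out += struct.pack("<2I", w0, w1)
    return bytes(out)


def tea_encrypt(buf, key):
    return _apply(buf, key, tea_encrypt_block)


def tea_decrypt(buf, key):
    return _apply(buf, key, tea_decrypt_block)


def pkcs7_pad(data, block=8):
    n = block - (len(data) % block)
    return data + bytes([n]) * n


def pkcs7_unpad(data, block=8):
    """Reject malformed padding instead of silently returning garbage."""
    if not data or len(data) % block or not 1 <= data[-1] <= block:
        raise ValueError("bad padding")
    n = data[-1]
    if data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


# Constructed sample: a hypothetical key and message, purely for the demo.
SAMPLE_KEY = bytes(range(16))
SAMPLE_MSG = b"cmd=shell;arg=id;seq=7"


def demo():
    """Encrypt the constructed message, then recover it the way an analyst
    would decode captured traffic once the key is known.
    Returns (plaintext, ciphertext)."""
    ct = tea_encrypt(pkcs7_pad(SAMPLE_MSG), SAMPLE_KEY)
    pt = pkcs7_unpad(tea_decrypt(ct, SAMPLE_KEY))
    return pt, ct


if __name__ == "__main__":
    pt, ct = demo()
    print("ciphertext:", ct.hex())
    print("recovered :", pt.decode())
```

When adapting this to a real sample, the first things to confirm against the binary are the round count (XTEA and reduced-round variants are common in malware), the word byte order, and whether blocks are chained; each of these changes the output without the code otherwise looking wrong.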