Aliases: Project Wood (Windows)
Tags: Backdoor, Linux, Rootkit
Last edited: Feb 19, 2025 2:40 PM
FireWood is a Linux-based backdoor malware associated with the Chinese advanced persistent threat (APT) group Gelsemium. It serves as a successor to the Windows-based Project Wood backdoor, enabling attackers to maintain persistent access to compromised Linux systems. FireWood incorporates a kernel-level rootkit, specifically the 'usbdev.ko' module, to conceal its malicious activities by hiding processes and files. Its primary functions include executing commands from a command-and-control (C2) server, exfiltrating sensitive data, and facilitating cyber-espionage operations.