The rise of malware targeting Linux systems reflects a broader trend in the APT ecosystem, driven by enhanced Windows security measures and a search for new attack vectors, particularly in internet-facing systems.

ESET highlights a growing trend where APT groups, including Gelsemium, are increasingly exploiting Linux-based vulnerabilities, indicating a notable operational shift.

Over the past year, approximately 32% of malware infections have targeted Linux systems, showcasing a significant rise in both the volume and sophistication of attacks.

WolfsBane is identified as a Linux counterpart to the Gelsevirine backdoor, which has been active since at least 2014 and primarily targets Windows systems.

WolfsBane employs a modified open-source userland rootkit named BEURK to conceal its activities and execute commands from an attacker-controlled server.

A new Linux backdoor named 'WolfsBane' has been discovered, believed to be a port of Windows malware used by the Chinese hacking group 'Gelsemium', marking the first documented use of Linux malware by this group.

FireWood, another Linux-ported backdoor, features a kernel-level rootkit and is connected to the historical 'Project Wood' backdoor lineage dating back to 2005.

The primary objective of these backdoors is cyber espionage, aimed at gathering sensitive information such as system data, user credentials, and specific files or directories.

Multiple samples of WolfsBane were uploaded to VirusTotal from locations including Taiwan, the Philippines, and Singapore, likely linked to a compromised server incident.

WolfsBane allows operators to gain complete control over infected systems, enabling them to execute commands, exfiltrate data, and manipulate the system remotely.

Most of Gelsemium's victims are located in East Asia and the Middle East, reflecting the group's targeted approach in its cyber espionage efforts.

The exact method of initial access for these attacks remains unclear, but it is suspected that Gelsemium exploited an unknown web application vulnerability to establish persistent remote access using web shells.