Gelsemium APT Group Shifts Tactics with New Linux Malware, Targets Asia-Pacific Region
November 21, 2024
Samples of WolfsBane were found on VirusTotal, uploaded from Taiwan, the Philippines, and Singapore, suggesting a coordinated effort to exploit vulnerabilities in these regions.
The trend of APT groups shifting focus to Linux malware reflects broader changes in the cybersecurity landscape, influenced by advancements in detection and response capabilities.
Gelsemium's use of these Linux backdoors highlights a growing trend in the APT ecosystem, where Linux-based vulnerabilities are increasingly exploited for cyber espionage.
The advanced persistent threat (APT) group Gelsemium, which has been active since 2014 and is aligned with China, has recently been identified using Linux malware for the first time.
The rise of Linux malware is driven by enhanced security measures on Windows systems, prompting threat actors to seek new attack vectors, particularly in internet-facing Linux systems.
Over the past year, approximately 32% of malware infections have targeted Linux systems, indicating a notable increase in both the volume and sophistication of these attacks.
The primary objective of WolfsBane is cyber espionage, targeting sensitive data such as user credentials and system information, while enabling stealthy command execution.
FireWood, while loosely linked to Gelsemium, also facilitates long-term espionage and includes capabilities for file operations and data exfiltration.
Both backdoors share similarities in their command execution mechanisms and utilize custom libraries for network communication, enhancing their stealth and effectiveness.
This marks a significant operational shift for Gelsemium, as they adapt their cyber espionage tactics to target Linux systems, which have become increasingly popular in enterprise environments.
ESET researchers have identified two new Linux backdoors, WolfsBane and FireWood, which are designed for maintaining persistent access and executing commands stealthily.
WolfsBane employs a three-stage execution chain consisting of a dropper, a launcher, and the backdoor itself, utilizing a modified open-source userland rootkit to conceal its activities.
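The summary says the backdoor hides behind a modified open-source userland rootkit but does not name the hiding mechanism. The script below is an added defensive example, not code from the page or from ESET; it assumes the common userland-rootkit technique of forcing a shared object into every process via /etc/ld.so.preload or the LD_PRELOAD variable (an assumption, not a detail the page states), and triages those two places, running on constructed sample data and then, if run as a script, on the live host.

```python
"""Triage checks for userland (preload-style) rootkit indicators on Linux.

Added example. The preload mechanism checked here is an ASSUMPTION about how
such rootkits commonly work; the page above does not say which technique the
WolfsBane rootkit component uses.
"""
from __future__ import annotations

from pathlib import Path
from typing import Dict, List

# Directories a legitimately installed shared object would normally live in.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")


def parse_ld_so_preload(text: str) -> List[str]:
    """Return the shared objects listed in an /etc/ld.so.preload body.

    The file holds one path per line; blank lines and '#' comments are ignored.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def parse_environ(blob: bytes) -> Dict[str, str]:
    """Parse a /proc/<pid>/environ blob (NUL-separated KEY=VALUE pairs)."""
    env = {}
    for item in blob.split(b"\0"):
        if b"=" in item:
            key, _, value = item.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def preload_findings(ld_so_preload_text: str, environs: Dict[int, bytes]) -> List[str]:
    """Flag preload entries and processes running with LD_PRELOAD set.

    environs maps pid -> raw environ blob. Every entry in /etc/ld.so.preload is
    reported (the file is normally absent or empty); entries outside the
    trusted library directories are marked HIGH, the rest info.
    """
    findings = []
    for so in parse_ld_so_preload(ld_so_preload_text):
        severity = "info" if so.startswith(TRUSTED_LIB_DIRS) else "HIGH"
        findings.append(f"[{severity}] /etc/ld.so.preload lists {so}")
    for pid, blob in sorted(environs.items()):
        env = parse_environ(blob)
        if env.get("LD_PRELOAD"):
            findings.append(f"[HIGH] pid {pid} runs with LD_PRELOAD={env['LD_PRELOAD']}")
    return findings


def collect_live_environs() -> Dict[int, bytes]:
    """Read environ blobs for every /proc/<pid> we are allowed to open."""
    result = {}
    for entry in Path("/proc").iterdir():
        if entry.name.isdigit():
            try:
                result[int(entry.name)] = (entry / "environ").read_bytes()
            except OSError:
                continue  # not our process, or it already exited
    return result


# Constructed sample input (not real malware artifacts): a preload file naming a
# library in /tmp plus one in a trusted directory, and two processes, one of
# which carries LD_PRELOAD in its environment.
SAMPLE_PRELOAD = "# comment\n/tmp/.x/libhook.so\n/usr/lib/libfoo.so\n"
SAMPLE_ENVIRONS = {
    101: b"PATH=/usr/bin\0HOME=/root\0",
    202: b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/libhook.so\0",
}

if __name__ == "__main__":
    print("-- constructed sample --")
    for line in preload_findings(SAMPLE_PRELOAD, SAMPLE_ENVIRONS):
        print(line)
    print("-- live host --")
    preload_path = Path("/etc/ld.so.preload")
    live_text = preload_path.read_text() if preload_path.exists() else ""
    for line in preload_findings(live_text, collect_live_environs()):
        print(line)
```

A rootkit that already hooks libc can lie to this script too, since it reads /proc through the same hooked libc; run it from a known-clean boot medium, or cross-check its output against an offline disk image, when the result matters.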
Summary based on 5 sources
Sources
The Hacker News • Nov 21, 2024: Chinese APT Gelsemium Targets Linux Systems with New WolfsBane Backdoor
BleepingComputer • Nov 21, 2024: Chinese hackers target Linux with new WolfsBane malware
Dark Reading • Nov 21, 2024: Chinese APT Gelsemium Deploys 'Wolfsbane' Linux Variant
Help Net Security • Nov 21, 2024: Researchers unearth two previously unknown Linux backdoors