Cyberespionage Campaign Using New Linux Malware
ESET reveals Linux malware linked to China’s Gelsemium group, with WolfsBane and FireWood backdoors targeting sensitive data for cyberespionage.
In a Rush? Here are the Quick Facts!
- WolfsBane is the Linux version of the Gelsevirine Windows backdoor.
- Gelsemium targets sensitive data for cyberespionage, aiming to evade detection.
- Linux malware is gaining attention as hackers shift focus due to stronger Windows defenses.
ESET cybersecurity researchers have discovered a new type of malware designed for Linux systems, named “WolfsBane,” which they believe is connected to a Chinese hacker group called Gelsemium.
This group, known for its sophisticated attacks, has been active since 2014, primarily targeting Windows systems. This new malware marks the first time Gelsemium has been linked to Linux, a platform increasingly targeted by hackers, says ESET.
ESET reports that the WolfsBane backdoor is similar to an earlier malware, Gelsevirine, used by Gelsemium to gain unauthorized access to systems.
Both tools share key features, including the way they communicate with hacker-controlled servers, execute commands, and hide their presence within infected systems.
WolfsBane uses a specialized library and encryption methods to evade detection, allowing the hackers to monitor the victim’s system and steal sensitive information over an extended period without being noticed, says ESET.
Alongside WolfsBane, the researchers also found another backdoor named “FireWood,” which may also be linked to Gelsemium, though the connection is less certain.
FireWood shares similarities with malware used in past cyberattacks by the group, including its structure and encryption methods. However, because such tools may be shared among different hacker groups, ESET has not confirmed the link to Gelsemium.
ESET explains that these malware tools are designed for cyberespionage, allowing attackers to steal system data, credentials, and files.
The shift toward Linux malware comes as hackers look for new attack vectors after increased security measures on Windows systems, such as endpoint detection tools and changes to Microsoft’s email security. ESET points out that many internet-facing systems run on Linux, making them an attractive target for cybercriminals.
The malware was found in archives uploaded to VirusTotal, a service used by security experts to analyze suspicious files, and it appears to have been deployed on servers in Taiwan, the Philippines, and Singapore. The investigation suggests the hackers may have gained access to these servers through vulnerabilities in web applications.
While ESET researchers continue to analyze the malware, they have confirmed that the attackers use advanced techniques to maintain long-term access to compromised systems, making their presence difficult to detect and remove.
The discovery of WolfsBane and FireWood highlights the growing threat of Linux-targeted cyberattacks, underscoring the need for stronger security measures across all platforms.