China-linked hackers target Linux systems with new spying malware
A China-linked state-sponsored threat actor has been targeting Linux systems with previously unknown malware strains in a new espionage campaign, researchers have found.
The group — tracked as Gelsemium — has been active since at least 2014, primarily targeting victims in East Asia and the Middle East. In its latest campaign, which was likely focused on Taiwan, the Philippines, and Singapore, the hackers deployed Linux backdoors named WolfsBane and FireWood.
According to researchers at the Slovak-based cybersecurity firm ESET, this is likely the first time Gelsemium has targeted Linux systems. The first samples of the malware were uploaded to the VirusTotal repository in 2023.
To gain initial access to victims' devices, the hackers likely exploited an unknown web application vulnerability, researchers said. They did not provide much detail about the impact of the attacks or the identities of the victims.
WolfsBane is a Linux equivalent of Gelsemium’s backdoor for Windows, named Gelsevirine. FireWood, on the other hand, is similar to the backdoor named Project Wood, which was previously used against Windows systems. While WolfsBane is the group’s custom tool, FireWood may be shared among multiple China-aligned state hackers, researchers suggested.
The goal of the backdoors, along with other tools used in this campaign, is cyberespionage. They are designed to target sensitive data such as system information, user credentials, and specific files and directories, while evading detection.
The group’s targeting of Linux systems has raised particular interest among researchers who noted that Linux malware is becoming more popular among state hackers due to improvements in Windows security. Threat actors are also exploring new attack avenues, increasingly focusing on exploiting vulnerabilities in internet-facing systems, most of which run on Linux.
“This means that these Linux systems are becoming the new preferred targets for these adversaries,” ESET said.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.