Gelsemium is an Advanced Persistent Threat (APT) group whose campaigns can be traced back to 2014. The criminals use a wide range of malware, including a custom-built implant called Gelsevirine. They have been behind several attacks against targets in the Middle East and Eastern Asia, but the most notable of them is the supply-chain attack against BigNox. The Gelsemium APT criminals focus on several sectors – government, education, electronics and even religious organizations. The primary goal of their attacks is long-term espionage and data exfiltration from the compromised networks.
Typically, a Gelsemium APT attack follows a multi-stage process. Ultimately, its infection ends with the deployment of the Gelsevirine implant, which packs all the features that the criminals would need to accomplish their goals. However, prior to this, they may use a small, custom Trojan dropper (Gelsemine) and loader (Gelsenicine) to ensure that the infection is completing without a hitch.
Gelsevirine is by far the most interesting thing to come from the developers that are part of the Gelsemium APT. This implant, referred to as MainPlugin internally, enables the execution of remote code, as well as the ability to exfiltrate data to the Command-and-Control server silently.
So far, the Gelsemium APT has been relatively difficult to research and analyze by experts since the criminals have targeted a very small number of victims, considering that they have been in the field for over seven years. Analysis of their implants and infrastructure shows minor overlaps with other known APT groups operating in Eastern Asia and the Middle East. However, there are not enough similarities to determine whether the Gelsemium APT is a sub-group of a more popular threat actor.