Home > List all groups > Gelsemium

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Gelsemium

NamesGelsemium (ESET)
CountryChina China
MotivationInformation theft and espionage
First seen2014
Description(ESET) The Gelsemium group has been active since at least 2014 and was described in the past by a few security companies .Gelsemium’s name comes from one possible translation we found while reading a report from VenusTech who dubbed the group 狼毒草 for the first time .It’s the name of a genus of flowering plants belonging to the family Gelsemiaceae, Gelsemium elegans is the species that contains toxic compounds like Gelsemine, Gelsenicine and Gelsevirine, which we chose as names for the three components of this malware family.
ObservedSectors: Education, Gaming, Government, High-Tech and religious organizations.
Countries: China, Egypt, Hong Kong, Iran, Iraq, Israel, Japan, Jordan, Lebanon, Mongolia, North Korea, Oman, Saudi Arabia, South Korea, Sri Lanka, Syria, Taiwan, Turkey, Yemen, UAE.
Tools usedChrommme, Gelsemine, Gelsenicine, Gelsevirine, OwlProxy.
Operations performed2014Operation “TooHash”
Jan 2021Operation “NightScout”
A new supply-chain attack compromising the update mechanism of NoxPlayer, an Android emulator for PCs and Macs, and part of BigNox’s product range with over 150 million users worldwide.

Last change to this card: 15 June 2021

Download this actor card in PDF or JSON format

Previous: GCMAN
Next: GhostEmperor

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
PGP Download PGP key