Stealthy APT Gelsemium Seen Targeting Southeast Asian Government

A stealthy APT known as Gelsemium has been observed targeting a government entity in Southeast Asia for persistence and intelligence collection.

A stealthy advanced persistent threat (APT) actor known as Gelsemium has been observed targeting a government entity in Southeast Asia to establish persistence and collect intelligence, cybersecurity firm Palo Alto Networks reveals.

As part of the observed activity, which spanned roughly six months in late 2022 and into 2023, the threat actor deployed a variety of web shells to support lateral movement and malware delivery, along with backdoors, a Cobalt Strike beacon, and various other tools.

Palo Alto Networks did not make any claims regarding attribution, but noted that others linked Gelsemium to China in the past. 

The cybersecurity firm identified three web shells used in these attacks, namely the publicly available reGeorg, China Chopper, and AspxSpy. In some instances, the threat actor also deployed a shell-like tool to run additional commands, as well as several privilege escalation tools.

In the next stage, malware such as OwlProxy, SessionManager, a Cobalt Strike beacon, SpoolFool, and EarthWorm was deployed to ensure persistence in the compromised environment. To check the systems’ internet connectivity, the attackers pinged a known Chinese web portal.

SessionManager is a custom backdoor for Internet Information Services (IIS) that allows attackers to run commands, download and upload files, and use the web server as a proxy, based on commands received via inbound HTTP requests.

As part of the observed activity, Gelsemium unsuccessfully attempted to deploy SessionManager on the victim’s network, Palo Alto Networks says.
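A defender-side check for the kind of IIS backdoor described above, added here as an example and not part of the article or of Palo Alto Networks’ research. It assumes that a SessionManager-style implant is registered as a native IIS global module (the article does not describe the install mechanism) and that the script runs as Administrator on the IIS host with the default applicationHost.config location; it lists every global module and flags DLLs that sit outside the inetsrv directory, are not validly Microsoft-signed, or were written to disk recently.

```powershell
# Added example (not from the article or Palo Alto Networks): inventory IIS native
# global modules from applicationHost.config and flag ones that look out of place.
# Assumptions: run as Administrator on the IIS host; default config path below.
$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$inetsrvDir = Join-Path $env:windir 'System32\inetsrv'

[xml]$config = Get-Content -Path $configPath -Raw
$modules = $config.configuration.'system.webServer'.globalModules.add

$findings = foreach ($m in $modules) {
    $image   = [Environment]::ExpandEnvironmentVariables($m.image)
    $reasons = @()

    # Stock IIS modules live under %windir%\System32\inetsrv; a module DLL loaded
    # from anywhere else (temp folders, a web root) deserves a closer look.
    if (-not $image.StartsWith($inetsrvDir, [StringComparison]::OrdinalIgnoreCase)) {
        $reasons += "image outside inetsrv: $image"
    }

    if (Test-Path -LiteralPath $image) {
        # Inbox IIS modules carry a valid Microsoft Authenticode signature.
        $sig = Get-AuthenticodeSignature -FilePath $image
        if ($sig.Status -ne 'Valid') {
            $reasons += "signature status $($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            $reasons += "signed by $($sig.SignerCertificate.Subject)"
        }
        # A module DLL written recently on a long-running server is unusual.
        $age = (Get-Date) - (Get-Item -LiteralPath $image).LastWriteTime
        if ($age.TotalDays -lt 30) {
            $reasons += "DLL written $([int]$age.TotalDays) day(s) ago"
        }
    } else {
        $reasons += 'image file missing on disk'
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Module  = $m.name
            Image   = $image
            Reasons = ($reasons -join '; ')
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No suspicious IIS global modules found.' }
```

Run it on a known-good server first to baseline the output; third-party modules that are legitimately installed will show up under the signer check and can then be excluded by name.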

OwlProxy, another custom tool, is an HTTP proxy that also has backdoor functionality; it was previously used in attacks targeting governments in East Asia and the Middle East.


During the observed attack, after OwlProxy’s deployment was blocked, the attackers attempted to use a replacement tool called EarthWorm, a publicly available SOCKS tunneler used by various Chinese threat actors in malicious attacks.

Gelsemium deployed EarthWorm to create a tunnel between their command-and-control (C&C) and the local area network.

For privilege escalation, the attackers used the Potato Suite (which includes the JuicyPotato, BadPotato, and SweetPotato tools), along with SpoolFool, a publicly available proof-of-concept (PoC) exploit targeting CVE-2022-21999 (a Windows Print Spooler bug).

Based on the unique combination of malware used in these attacks, such as SessionManager and OwlProxy, Palo Alto Networks believes that the observed activity can be attributed to the Gelsemium APT group.

Active since at least 2014, the group is known for targeting education, government, electronics manufacturers, and religious organizations, mainly in East Asia and the Middle East. The APT has also been seen targeting Southeast Asian governments.

Related: New ‘GoldenJackal’ APT Targets Middle East, South Asia Governments

Related: New ‘Sandman’ APT Group Hitting Telcos With Rare LuaJIT Malware

Related: Ivanti Zero-Day Exploited by APT Since at Least April in Norwegian Government Attack

Written by Ionut Arghire, an international correspondent for SecurityWeek.
