Security Affairs
U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|
Advertisement

Ad Placeholder

Full Width × 90

APT

Is Gelsemium APT behind a targeted attack in Southeast Asian Government?

A stealthy APT group tracked as Gelsemium was observed targeting a Southeast Asian government between 2022 and 2023. Palo Alto Unit42 researchers an APT group tracked as Gelsemium targeting a Southeast Asian government. The experts tracked the cluster as CL-STA-0046, the malicious activity spanned over six months between 2022-2023. The activity was characterized by the […]

Gelsemium APT

A stealthy APT group tracked as Gelsemium was observed targeting a Southeast Asian government between 2022 and 2023.

Palo Alto Unit42 researchers an APT group tracked as Gelsemium targeting a Southeast Asian government.

The experts tracked the cluster as CL-STA-0046, the malicious activity spanned over six months between 2022-2023.

The activity was characterized by the use of a combination of rare tools and techniques to gain access to the target network and collect intelligence from sensitive IIS server.

Gelsemium is a group focused on cyberespionage that has been active since at least 2014. The previous campaigns associated with this group targeted government, education, and electronic manufacturers in East Asia and the Middle East.

The activity of the group was described by ESET in June 2021, the experts pointed out that the group’s abilities allowed the APT to remain mostly under the radar.

Gelsemium APT

The APT group was observed using an array of web shells along with the OwlProxy and SessionManager backdoors.

The threat actor leveraged several web shells for initial access to a compromised web server, including reGeorg, China Chopper, and the AspxSpy web shell. The experts noticed that one of the AspxSpy web shells employed by Gelsemium was reportedly used by Iron Taurus (aka APT 27) for the operation Iron Tiger in 2015.

The group also used web shells to perform basic network reconnaissance, moved laterally via SMB, and fetched additional tools. Threat actors also used additional tools, including OwlProxy, SessionManager, Cobalt Strike, SpoolFool, and EarthWorm.

During Unit42’s investigation, the experts observed several unsuccessful attempts to install a variant of the custom backdoor SessionManger on a compromised web server.

OwlProxy is a unique and custom tool used by the group. OwlProxy is an HTTP proxy with backdoor functionality, it was first spotted in April 2020 in an attack targeting the Taiwanese government.

“Unit 42 assesses with moderate confidence that the activity observed in CL-STA-0046 is associated with the Gelsemium APT group. This assessment is based on the unique combination of malware that attackers used in CL-STA-0046, namely the SessionManager IIS backdoor and OwlProxy.” concludes Palo Alto Networks. “CL-STA-0046 is one of three clusters that we observed targeting the government sector in a country in Southeast Asia. Unit 42 associates the activity observed by the threat actor behind CL-STA-0046 to the Gelsemium APT group with a moderate level of confidence.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Gelsemium APT)