Gelsemium
· Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
· Source: The MITRE Corporation
Essential information
- Confidence
- 100/100
- Published
- 16/12/2025 19:39
- Modified
- 27/03/2026 01:14
- Updated at
- 27/03/2026 01:14
- Revoked
- No
- Author / Source
- The MITRE Corporation
- Resource level
- —
- Primary motivation
- —
- Related entities
- 2 reports, 25 attack patterns (MITRE), 8 malware, 4 sectors, 7 countries, 63 indicators, 1 vulnerability (CVE)
Description
[Gelsemium](https://attack.mitre.org/groups/G0141) is a cyberespionage group that has been active since at least 2014, targeting governmental institutions, electronics manufacturers, universities, and religious organizations in East Asia and the Middle East.(Citation: ESET Gelsemium June 2021)
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (2)
- 10 MITREs, 1 Malware, 1 APT
- 7 Malwares, 41 Observables, 1 APT
Attack patterns (MITRE) (25)
- T1070 uses Indicator Removal MITRE
- T1059 uses Command and Scripting Interpreter MITRE
- T1021 uses Remote Services MITRE
- T1102 uses Web Service MITRE
- TA0043 uses Reconnaissance
- T1082 uses System Information Discovery MITRE
- T1573 uses Encrypted Channel MITRE
- T1112 uses Modify Registry MITRE
- T1090 uses Proxy MITRE
- T1014 uses Rootkit MITRE
- T1547 uses Boot or Logon Autostart Execution MITRE
- T1027 uses Obfuscated Files or Information MITRE
Malware (8)
- Project Wood uses Family
- WolfsBane uses Family
- Ninja uses
- FireWood uses Family
- SessionManager uses
- OwlProxy uses
- Gelsemium uses
- Gelsemium - S0666 uses Family
Sectors (4)
- Manufacturing targets
- Government targets
- Technology targets
- Defense ministries (including the military) targets
Countries (7)
- Lao People's Democratic Republic targets
- Viet Nam targets
- Singapore targets
- Iran, Islamic Republic of targets
- Taiwan targets
- Philippines targets
- Russian Federation targets
Indicators (63)
- stix 100/100 Revoked · Valid until 18/11/2025 · Source: AlienVault
- stix 100/100 Revoked · Valid until 18/11/2025 · Source: AlienVault
- stix 100/100 Revoked · Trojan:Win32/Skeeyah.A!rfn · Valid until 28/12/2024 · Source: AlienVault
- stix 100/100 Revoked · Valid until 28/12/2024 · Source: AlienVault
- www.sitesafecdn.dynamic-dns.net indicates stix 100/100 Revoked · Valid until 27/10/2025 · Source: AlienVault
- stix 100/100 Revoked · Valid until 18/11/2025 · Source: AlienVault
- stix 100/100 Revoked · Valid until 28/12/2024 · Source: AlienVault
- stix 100/100 Revoked · Backdoor:ASP/Ace.T · Valid until 28/12/2024 · Source: AlienVault
- stix 100/100 Revoked · Valid until 18/11/2025 · Source: AlienVault
- stix 100/100 Revoked · Valid until 18/11/2025 · Source: AlienVault
Vulnerabilities (CVE) (1)
A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An …
- Published
- 14/06/2022
- Modified
- 27/05/2026
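The vulnerability entry above describes MSDT being reached through its URL protocol from a calling application such as Word. A practical detection for that pattern, added here as an example and not code from MITRE, from the platform hosting this page, or from any Gelsemium report, is to flag process-creation events in which an Office application is the parent of msdt.exe, or in which msdt.exe is launched with an ms-msdt: URL. Two facts are relied on: the MSDT URL protocol handler is registered under the "ms-msdt:" scheme, and the entry's own statement that the call comes from an Office application. The example generalises "Word" to the common Office executables. The "timestamp|parent_image|image|command_line" record layout is an assumption made for the example (it is not any product's native format), and the sample records are constructed, not captured telemetry.

```python
"""Flag process-creation events in which Microsoft Office launches MSDT.

Added example for the MSDT / URL-protocol vulnerability entry. Not code
from MITRE, the hosting platform, or any Gelsemium report. Facts relied
on: the MSDT URL protocol handler uses the "ms-msdt:" scheme, and the
vulnerable path is an Office application causing msdt.exe to run through
it. Assumptions: the "timestamp|parent_image|image|command_line" line
layout is invented for this example, and SAMPLE_LOG is constructed.
"""
import re
from dataclasses import dataclass

# Office binaries that should not normally be the parent of msdt.exe (assumed set).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# The MSDT URL protocol scheme as it appears on a command line.
MSDT_SCHEME = re.compile(r"\bms-msdt:", re.IGNORECASE)


@dataclass
class Finding:
    timestamp: str
    parent: str
    command_line: str
    severity: str        # "high" or "medium"
    reasons: list


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(lines):
    """Return a Finding for each msdt.exe launch matching the pattern.

    severity "high":   Office parent AND an ms-msdt: URL on the command line
    severity "medium": only one of the two conditions holds
    Lines that are not msdt.exe launches, or that are malformed, are skipped.
    """
    findings = []
    for line in lines:
        parts = line.rstrip("\n").split("|", 3)
        if len(parts) != 4:
            continue                      # malformed record: skip, do not crash
        ts, parent, image, cmd = parts
        if basename(image) != "msdt.exe":
            continue
        parent_name = basename(parent)
        reasons = []
        if parent_name in OFFICE_PARENTS:
            reasons.append(f"msdt.exe spawned by Office process {parent_name}")
        if MSDT_SCHEME.search(cmd):
            reasons.append("ms-msdt: URL protocol handler on the command line")
        if reasons:
            severity = "high" if len(reasons) == 2 else "medium"
            findings.append(Finding(ts, parent_name, cmd, severity, reasons))
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    r'2025-12-16T19:39:01Z|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\msdt.exe|"C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force',
    r'2025-12-16T19:40:12Z|C:\Windows\explorer.exe|C:\Windows\System32\msdt.exe|msdt.exe -id NetworkDiagnosticsWeb',
    r'2025-12-16T19:41:30Z|C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|C:\Windows\System32\msdt.exe|msdt.exe -id AudioPlaybackDiagnostic',
    r'2025-12-16T19:42:00Z|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\cmd.exe|cmd.exe /c whoami',
    'garbage line without separators',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity}] {f.timestamp} parent={f.parent}: {'; '.join(f.reasons)}")
```

Run against the constructed records, the first line (Word parent plus ms-msdt: URL) is reported as high, the Outlook-spawned troubleshooter without a URL as medium, and the Explorer-launched troubleshooter, the cmd.exe child and the malformed line produce nothing. The parent-only rule is kept at medium because Office applications do not normally launch msdt.exe, so it remains worth a look even when the URL scheme is absent from the command line.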