Gelsemium
Essential information
- Confidence
- 100/100
- Published
- 16/12/2025 19:39
- Modified
- 27/03/2026 01:14
- Updated at
- 27/03/2026 01:14
- Revoked
- No
- Author / Source
- The MITRE Corporation
- Resource level
- —
- Primary motivation
- —
- Related entities
- 2 reports, 25 attack patterns (mitre), 8 malware, 4 sectors, 7 countries, 63 indicators, 1 vulnerabilities (cve)
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (2)
-
10 MITREs 1 Malware 1 APT
-
7 Malwares 41 Observables 1 APT
Attack patterns (MITRE) (25)
-
T1070 usesIndicator Removal MITRE
-
T1059 usesCommand and Scripting Interpreter MITRE
-
T1021 usesRemote Services MITRE
-
T1102 usesWeb Service MITRE
-
TA0043 uses
-
T1082 usesSystem Information Discovery MITRE
-
T1573 usesEncrypted Channel MITRE
-
T1112 usesModify Registry MITRE
-
T1090 usesProxy MITRE
-
T1014 usesRootkit MITRE
-
T1547 usesBoot or Logon Autostart Execution MITRE
-
T1027 usesObfuscated Files or Information MITRE
Malware (8)
-
Project Wood usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
WolfsBane usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Ninja usesFamily The MITRE Corporation Confidence 100
[Ninja](https://attack.mitre.org/software/S1100) is a malware developed in C++ that has been used by [ToddyCat](https://attack.mitre.org/groups/G1022) to penetrate networks and control remote systems since at least 2020. [Ninja](https://attack.mitre.org/software/S1100) is possibly part…
First seen 01/01/1970 · Last seen 16/11/5138 · -
FireWood usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
SessionManager usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
OwlProxy usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Gelsemium usesFamily The MITRE Corporation Confidence 100
[Gelsemium](https://attack.mitre.org/software/S0666) is a modular malware comprised of a dropper (Gelsemine), a loader (Gelsenicine), and main (Gelsevirine) plug-ins written using the Microsoft Foundation Class (MFC) framework. [Gelsemium](https://attack.mitre.org/software/S0666) has been…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Gelsemium - S0666 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Sectors (4)
-
Manufacturing targets
-
Government targets
-
Technology targets
-
Defense ministries (including the military) targets
Countries (7)
-
Lao People's Democratic Republic targets
-
Viet Nam targets
-
Singapore targets
-
Iran, Islamic Republic of targets
-
Taiwan targets
-
Philippines targets
-
Russian Federation targets
Indicators (63)
-
stix 100/100 Revoked· Valid until 28/12/2024 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 28/12/2024 · Source: AlienVault
-
stix 100/100· Valid until 11/08/2026 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 28/12/2024 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 18/11/2025 · Source: AlienVault
-
stix 100/100 Revoked
TEL:Exploit:Win32/ShellPdb.B
· Valid until 28/12/2024 · Source: AlienVault -
stix 100/100 Revoked· Valid until 28/12/2024 · Source: AlienVault
-
stix 100/100· Valid until 11/08/2026 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 28/12/2024 · Source: AlienVault
Vulnerabilities (CVE) (1)
A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An …
- Published
- 14/06/2022
- Modified
- 27/05/2026