Gelsemium  (Back to overview)

aka: 狼毒草

The Gelsemium group has been active since at least 2014 and was described in the past by a few security companies. Gelsemium’s name comes from one possible translation ESET found while reading a report from VenusTech who dubbed the group 狼毒草 for the first time. It’s the name of a genus of flowering plants belonging to the family Gelsemiaceae, Gelsemium elegans is the species that contains toxic compounds like Gelsemine, Gelsenicine and Gelsevirine, which ESET choses as names for the three components of this malware family.

Associated Families

2022-06-30KasperskyPierre Delcher
@online{delcher:20220630:sessionmanager:f171df2, author = {Pierre Delcher}, title = {{The SessionManager IIS backdoor: a possibly overlooked GELSEMIUM artefact}}, date = {2022-06-30}, organization = {Kaspersky}, url = {}, language = {English}, urldate = {2022-07-05} } The SessionManager IIS backdoor: a possibly overlooked GELSEMIUM artefact
MimiKatz Owlproxy SessionManager
2021-06-09ESET ResearchThomas Dupuy, Matthieu Faou
@online{dupuy:20210609:gelsemium:34ccc46, author = {Thomas Dupuy and Matthieu Faou}, title = {{Gelsemium: When threat actors go gardening}}, date = {2021-06-09}, organization = {ESET Research}, url = {}, language = {English}, urldate = {2021-06-16} } Gelsemium: When threat actors go gardening
2018-08-15Beijing Venus Information Security TechVenusEye
@techreport{venuseye:20180815:organization:e8a766a, author = {VenusEye}, title = {{APT organization Lemons Threat to Attack}}, date = {2018-08-15}, institution = {Beijing Venus Information Security Tech}, url = {}, language = {English}, urldate = {2021-06-16} } APT organization Lemons Threat to Attack
2016VerintPeikan Tsung
@techreport{tsung:2016:intelligencedriven:3fe2a67, author = {Peikan Tsung}, title = {{An Intelligence-Driven Approach to Cyber Defense}}, date = {2016}, institution = {Verint}, url = {}, language = {English}, urldate = {2021-06-21} } An Intelligence-Driven Approach to Cyber Defense
2014-10-31G DataG Data
@techreport{data:20141031:operation:9205b87, author = {G Data}, title = {{OPERATION “TOOHASH”: HOW TARGETED ATTACKS WORK}}, date = {2014-10-31}, institution = {G Data}, url = {}, language = {English}, urldate = {2020-01-08} } OPERATION “TOOHASH”: HOW TARGETED ATTACKS WORK
Cohhoc Gelsemium

Credits: MISP Project