China-Linked APT Group Deploys Novel Linux Backdoors for Cyber Espionage

Security researchers have discovered two previously undocumented Linux backdoors named WolfsBane and FireWood, revealing new cyber espionage capabilities targeting sensitive data and system access.

The WolfsBane backdoor samples were found uploaded to VirusTotal from multiple Asian locations including Taiwan, the Philippines, and Singapore. Researchers have linked WolfsBane with high confidence to Gelsemium, a China-aligned advanced persistent threat (APT) group active since 2014.

This marks the first known instance of Gelsemium deploying Linux-based malware; the group's operations have historically focused on targets across Eastern Asia and the Middle East. The WolfsBane attack chain consists of a dropper, a launcher, and the backdoor itself, accompanied by a modified open-source rootkit designed to conceal the malicious activity.

The second backdoor, FireWood, appears connected to a long-running malware family called Project Wood dating back to 2005. While researchers found FireWood alongside WolfsBane, they note its attribution to Gelsemium remains uncertain, suggesting it may be a shared tool among multiple China-based threat groups.

Both backdoors enable attackers to maintain persistent access to compromised systems while gathering intelligence such as system details, user credentials, and specific files. The malware employs stealth techniques to evade detection during extended surveillance operations.

The discoveries highlight a growing trend of APT groups shifting focus toward Linux-based malware. This strategic pivot likely stems from improved Windows security measures, including widespread endpoint detection tools and Microsoft's restrictions on macro execution. As a result, threat actors increasingly target internet-facing Linux systems through vulnerability exploitation.

The analyzed malware archives also contained additional offensive security tools, primarily webshells that allow remote system control after successful compromise.

This development underscores the expanding scope of sophisticated cyber espionage operations and the need for robust security measures across all operating system platforms.