Naming their assets after a poisonous plant and its derivative toxins, the group is a potent threat lurking in Asia.

Remember the cyberattack against gamers in Asia? The NoxPlayer emulator for PCs and Macs had been used to deliver three malware families through its software update mechanism.

Now, the researchers who discovered the attack suspect that the Gelsemium group was behind the campaign. Since mid-2020, the cyberespionage group has conducted attacks in East Asia and the Middle East against governments, religious organizations, electronics manufacturers and universities.

Named after a flowering plant, the group names its weapons after plant-based poisons. Gelsevirine, a modular and complex backdoor, is its main weapon and dates back to 2014, but a new version is now in circulation.

According to researchers at ESET, the group has managed to remain mostly under the radar and is highly targeted, hitting only a few victims, which the firm's telemetry suggests is consistent with a cyber-espionage agenda.

Said Thomas Dupuy, one of the researchers: “The group has a vast number of adaptable components. Gelsemium’s whole chain might appear simple at first sight, but the exhaustive number of configurations, implanted at each stage, can modify on-the-fly settings for the final payload, making it harder to understand.” Dupuy was referring to three components and a plug-in system used by Gelsemium: the dropper Gelsemine, the loader Gelsenicine, and the main plugin Gelsevirine.

Researchers suspect the group is behind the supply-chain attack against BigNox that was previously reported as Operation NightScout. That attack compromised the update mechanism of NoxPlayer, part of BigNox's product range, which has over 150 million users worldwide.

The investigation uncovered some overlap between this supply-chain attack and the Gelsemium group. Victims originally compromised by the supply-chain attack were later compromised by Gelsemine. Among the different variants examined, "variant 2" shows similarities with Gelsemium malware.