
S0666 Gelsemium

Gelsemium is modular malware composed of a dropper (Gelsemine), a loader (Gelsenicine), and main (Gelsevirine) plug-ins; it has been used by the Gelsemium group since at least 2014.1

Item Value
ID S0666
Associated Names Gelsevirine, Gelsenicine, Gelsemine
Type MALWARE
Version 1.0
Created 30 November 2021
Last Modified 01 December 2021

Associated Software Descriptions

Name Description
Gelsevirine 1
Gelsenicine 1
Gelsemine 1

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control Gelsemium can bypass UAC to elevate process privileges on a compromised host.1
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Gelsemium can use HTTP/S in C2 communications.1
enterprise T1560 Archive Collected Data -
enterprise T1560.002 Archive via Library Gelsemium can compress embedded executables with the zlib library.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Gelsemium can set persistence with a Registry run key.1
enterprise T1547.012 Print Processors Gelsemium can drop itself in C:\Windows\System32\spool\prtprocs\x64\winprint.dll to be loaded automatically by the spoolsv Windows service.1
enterprise T1140 Deobfuscate/Decode Files or Information Gelsemium can decompress and decrypt DLLs and shellcode.1
enterprise T1083 File and Directory Discovery Gelsemium can retrieve specific Windows directories.1
enterprise T1070 Indicator Removal on Host -
enterprise T1070.004 File Deletion Gelsemium can delete its dropper component from the targeted system.1
enterprise T1070.006 Timestomp Gelsemium has the ability to perform timestomping on targeted systems.1
enterprise T1105 Ingress Tool Transfer Gelsemium can download additional plug-ins to a compromised host.1
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location Gelsemium can set its persistence in the Registry with the key value Chrome Update to appear legitimate.1
enterprise T1112 Modify Registry Gelsemium has the ability to store its components in the Registry.1
enterprise T1095 Non-Application Layer Protocol Gelsemium has the ability to use TCP and UDP in C2 communications.1
enterprise T1027 Obfuscated Files or Information Gelsemium has the ability to compress its components.1
enterprise T1027.001 Binary Padding Gelsemium can use junk code to hide functions and evade detection.1
enterprise T1057 Process Discovery Gelsemium can enumerate running processes.1
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection Gelsemium has the ability to inject DLLs into specific processes.1
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery Gelsemium can check for the presence of specific security products.1
enterprise T1082 System Information Discovery Gelsemium can determine the operating system and whether a targeted machine has a 32-bit or 64-bit architecture.1
enterprise T1033 System Owner/User Discovery Gelsemium has the ability to distinguish between a standard user and an administrator on a compromised host.1

Groups That Use This Software

ID Name References
G0141 Gelsemium 1

References
