Nihon Cyber Defence

NCD Cyber Threat Intelligence: Gelsemium APT Group ​

A China-linked, cyber threat to Japanese companies​

Gelsemium, a Chinese-linked Advanced Persistent Threat (APT) group active since 2014, poses a significant cyber threat to organizations in East Asia, including Japan. This group conducts sophisticated cyberespionage campaigns, leveraging custom malware to infiltrate and exfiltrate sensitive data. Japanese companies, given their technological and industrial prominence, are prime targets.

The Gelsemium Playbook

Gelsemium is espionage-focused and leverages custom malware such as WolfsBane, a Linux-based tool, and FireWood, which is linked to the older Project Wood backdoor. These tools are designed to steal sensitive information, exploit web vulnerabilities, and evade detection using advanced techniques like rootkits. Their emphasis on Linux systems demonstrates their adaptability and ability to exploit emerging vulnerabilities. Gelsemium’s activities pose significant risks, including intellectual property theft, operational disruptions, and reputational damage. Their multi-stage attacks typically begin by targeting publicly accessible servers, then spread laterally within networks to compromise critical systems.

Gelsemium is potentially connected to the Blackwood APT group, based on the correlation between the FireWood Backdoor and Project Wood. Blackwood, active since at least 2018, has conducted cyberespionage operations targeting individuals and organizations in China, Japan, and the United Kingdom. Known for using AiTM (Adversary-in-the-Middle) attacks, Blackwood intercepts network communications to steal credentials, forge encryption keys, and facilitate further attacks. These techniques have been used to deploy the NSPX30 implant by exploiting update mechanisms of software such as Tencent QQ, WPS Office, and Sogou Pinyin. Given Blackwood’s history of targeting Japan, the Gelsemium APT group may continue to pose a significant threat to the region.

Threat Actor Attribution Chart​

Threat Actor Attribution Chart​

Here are some proactive steps to defend against Gelsemium:​

  • Secure Linux Systems: Regularly patch vulnerabilities, strengthen authentication, and deploy Linux-specific intrusion detection systems.
  • Enhance Web Security: Identify and fix vulnerabilities, enforce secure coding practices, and use Web Application Firewalls (WAF).
  • Implement Advanced Endpoint Security: Deploy Endpoint Detection and Response (EDR) tools and monitor server environments.
  • Educate Employees: Train staff to recognize phishing and social engineering tactics.

The Gelsemium threat underscores the need for robust cyber security measures. These risks are manageable with the right defences. By investing in proactive strategies, organizations can safeguard their assets and maintain their competitive edge in an increasingly hostile digital landscape.

Nihon Cyber Defence provides localized, industry-specific solutions to protect against threats like Gelsemium. Partner with NCD for expert guidance to fortify defences against even the most advanced cyber threats.

Kenichi-Terashita
Kenichi Terashita

Chief Threat Intelligence Officer @ Nihon Cyber Defence

With over 20 years of security expertise as an engineer and consultant, Terashita leads a specialized team analysing global cyber threats.

Edit Template

Cyber Maturity Assessment

Nihon Cyber Defence (NCD) offers comprehensive Cyber Maturity Assessments designed to evaluate an organisations current cyber security capabilities, identify areas for improvement, and develop a strategic roadmap to enhance overall security posture.

Cyber Security Framework (NIST)

National Institute of Standards and Technology

NIST Framework Graphic

Cyber Assessment Framework (CAF)

National Cyber Security Centre

CAF Framework Graphic
Edit Template

More from NCD​

Susumu Toriumi Appointed COO of Nihon Cyber Defence

NCD appoints Susumu Toriumi as Chief Operating Officer to lead growth and scale Japan-built cyber defence solutions across critical infrastructure...

Why Software Is Reshaping Global Warfare

Software is redefining national defence. Explore how Japan, the US, and allies are adapting to software-defined warfare and cyber security leadership...

UNC3944: What Business Leaders Need to Know

UNC3944 is not traditional ransomware. Learn how critical sectors can prepare for persistent access, real-time disruption, and identity-based attacks...

Robert Stevenson Appointed CRO of Nihon Cyber Defence

Robert Stevenson joins Nihon Cyber Defence as Chief Revenue Officer, bringing decades of experience in cyber security, OT, and enterprise tech in Japan...

What Cyber Leaders Need to Know About RansomHub’s Collapse and the Ransomware Cartel Model

Learn how RansomHub’s collapse signals a shift to ransomware cartel models. NCD CTO Toshio Nawa explains what Japanese cyber leaders must know to defend critical sectors...

John Moore Appointed CFO of Nihon Cyber Defence

Nihon Cyber Defence names John Moore as CFO to guide financial strategy and scalable growth. Moore brings over 20 years of leadership experience across Japan, APAC, and global markets, strengthening...

China’s APT Threats to Japan’s Critical Infrastructure

China-linked APT groups—Salt, Volt, and Silk Typhoon—are reshaping cyber warfare. Learn how these threats target Japan’s critical infrastructure and how to respond effectively...

Empowering the Next Generation of Cyber Security Talent

NCD joined the Empower Girls event in Belfast, inspiring 600 young girls to explore careers in cyber security through hands-on learning and role models...

Nihon Cyber Defence and Netcraft Strategic Partnership

NCD and Netcraft are teaming up to deliver real-time phishing detection and takedown in Japan. Learn how this partnership boosts national cyber resilience...
Edit Template