Gelsemium

Gelsemium is a cyberespionage group that has been active since at least 2014, targeting governmental institutions, electronics manufacturers, universities, and religious organizations in Eastern Asia and the Middle East.[1]

ID: G0141
Version: 1.0
Created: 30 November 2021
Last Modified: 02 December 2021

Techniques Used

Domain ID Name Use
Enterprise T1583.004 Acquire Infrastructure: Server

Gelsemium has established infrastructure by renting servers from multiple providers worldwide.[1]

Enterprise T1568 Dynamic Resolution

Gelsemium has used dynamic DNS in its C2 infrastructure.[1]

Enterprise T1195.002 Supply Chain Compromise: Compromise Software Supply Chain

Gelsemium has compromised software supply chains to gain access to victims.[1]

Software

ID Name References Techniques
S0666 Gelsemium [1] Abuse Elevation Control Mechanism: Bypass User Account Control, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Library, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Print Processors, Deobfuscate/Decode Files or Information, File and Directory Discovery, Indicator Removal on Host: Timestomp, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Modify Registry, Non-Application Layer Protocol, Obfuscated Files or Information, Obfuscated Files or Information: Binary Padding, Process Discovery, Process Injection: Dynamic-link Library Injection, Software Discovery: Security Software Discovery, System Information Discovery, System Owner/User Discovery
S0002 Mimikatz [1] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: LSA Secrets, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket

References