A stealthy advanced persistent threat (APT) actor known as Gelsemium has been observed targeting a government entity in Southeast Asia to establish persistence and collect intelligence, cybersecurity firm Palo Alto Networks reveals.
As part of the observed activity, spanning over a period of six months in late 2022 and into 2023, the threat actor deployed a variety of web shells to support lateral movement and malware delivery, along with backdoors, a Cobalt Strike beacon, and various other tools.
The cybersecurity firm
identified three web shells used in these attacks, namely reGeorg, China Chopper, and AspxSpy (publicly available). In some instances, the threat actor deployed a shell-like tool to run additional commands, and several privilege escalation tools.
