A China-linked state-sponsored threat actor has been targeting Linux systems with previously unknown malware strains in a new espionage campaign, researchers have found.

The group — tracked as Gelsemium — has been active since at least 2014, primarily targeting victims in East Asia and the Middle East. In its latest campaign, which was likely focused on Taiwan, the Philippines, and Singapore, the hackers deployed Linux backdoors named WolfsBane and FireWood.

According to researchers at the Slovak-based cybersecurity firm ESET, this is likely the first time Gelsemium has targeted Linux systems. The first samples of the malware were uploaded to the VirusTotal repository in 2023.

To gain initial access to victims' devices, the hackers likely exploited an unknown web application vulnerability, researchers said. They did not provide much detail about the impact of the attacks or the identities of the victims.

WolfsBane is a Linux equivalent of Gelsemium’s backdoor for Windows, named Gelsevirine. FireWood, on the other hand, is similar to the backdoor named Project Wood, which was previously used against Windows systems. While WolfsBane is the group’s custom tool, FireWood may be shared among multiple China-aligned state hackers, researchers suggested.

The goal of the backdoors, along with other tools used in this campaign, is cyberespionage. They are designed to target sensitive data such as system information, user credentials, and specific files and directories, while evading detection.

The group’s targeting of Linux systems has raised particular interest among researchers who noted that Linux malware is becoming more popular among state hackers due to improvements in Windows security. Threat actors are also exploring new attack avenues, increasingly focusing on exploiting vulnerabilities in internet-facing systems, most of which run on Linux.

“This means that these Linux systems are becoming the new preferred targets for these adversaries,” ESET said.