Security News > 2021 > June > Mysterious Gelsemium APT was behind February compromise of NoxPlayer, says ESET

ESET has published details of an advanced persistent threat crew that appears to have deployed recent supply chain attack methods against targets including "Electronics manufacturers," although it didn't specify which.

"Victims of its campaigns are located in East Asia as well as the Middle East and include governments, religious organizations, electronics manufacturers and universities," said ESET in a research report published today that names the APT crew as Gelsemium.

Gelsemium is said to have been behind a supply chain attack targeted at a freeware Android emulator called NoxPlayer, made by BigNox, which boasts of having about 150 million users in total worldwide.

In an incident highlighted by ESET in February before attribution to the APT, BigNox's update API mechanism may have been compromised to deliver malware to selected users under the guise of a legitimate new version.

Back in 2018 Chinese infosec firm Venustech published a paper about what ESET now calls Gelsemium, with one concluding sentence in particular sticking out: "The malware delivered from this organization contains a large number of detection and circumvention methods for Chinese anti-virus software."

ESET itself highlighted in its own analysis that Gelsemium's malware payload included checks for, among other common consumer endpoint antivirus suites, Qihoo360 and Kaspersky.

News URL

https://go.theregister.com/feed/www.theregister.com/2021/06/09/eset_gelsemium_research/