Gelsemium, a stealthy cyberespionage group, has been linked to the NoxPlayer Android emulator supply-chain attack. The attack was carried out last year and targeted gamers. This group has been active since 2014 and targets East Asia and the Middle East.

What happened?

Recently, ESET researchers revealed that they had discovered early versions of the group's modular and complex malware while examining various campaigns since mid-2020.
  • The Gelsemium group uses three components developed in C++ and a plug-in system that allows the operators to collect information. It consists of a loader called Gelsenicine, a dropper called Gelsemine, and the main plug-in known as Gelsevirine.
  • According to Verint Systems and G DATA, attackers used spear-phishing emails laden with document attachments abusing an Office vulnerability (CVE-2012-0158) to spread the malware.
  • In addition, the attackers used watering holes set up on intranet servers in 2018, while in another incident an RCE exploit was used to target Microsoft Exchange servers for deploying web shells.
  • The group uses Dynamic DNS (DDNS) domain names for C2 servers to hinder infrastructure tracking since it does not use a list of newly created domains.

NoxPlayer supply-chain attack

The researchers believe that Gelsemium coordinated the supply-chain attack that compromised the NoxPlayer Android emulator for Windows and macOS between September 2020 and January.
  • This attack, named Operation NightScout, only affected the limited set of targets from Taiwan, Sri Lanka, and Hong Kong. This displayed the highly targeted nature of the operation.
  • Further, the investigation revealed some overlap between this supply-chain attack and the Gelsemium group. Victims originally targeted by that attack were later compromised by Gelsemine.


The use of sophisticated malware components indicates that Gelsemium has good experience with malware development. Moreover, the targeted attacking strategy indicates that the group is clear about its attack targets and could be a dangerous threat for the organizations on its radar.

Cyware Publisher