Live Active security incident? Get immediate response
MITRE ATT&CK® Malware

S0666: Gelsemium

Gelsemium is a modular malware comprised of a dropper (Gelsemine), a loader (Gelsenicine), and main (Gelsevirine) plug-ins written using the Microsoft Foundation Class (MFC) framework. Gelsemium has been used by the Gelsemium group since at least 2014.[1]

EnterpriseS0666MalwareObject v1.2 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Gelsemium matters because ATT&CK describes it as a Windows modular malware family with separate dropper, loader, and plug-in components. That modularity can complicate incident scoping: responders may find only one stage while other components, registry artifacts, command-and-control paths, or collected local data remain undiscovered. For leaders, the decision value is whether Windows endpoint, registry, process, file, and network evidence is sufficient to reconstruct a multi-stage intrusion rather than only remove an obvious binary.

Executive priority

Prioritize validation of Windows endpoint visibility, incident response collection depth, and C2 monitoring. The linked ATT&CK behaviors include discovery, registry interaction, obfuscation, DLL injection, file deletion, timestomping, local data collection, tool transfer, and multiple command-and-control options including web, DNS, fallback channels, and non-application-layer protocols. This makes the business question less about one malware name and more about resilience: can the organization prove what ran, what data was accessed locally, what changed in the registry, and whether outbound communications persisted through alternate channels?

Technical view

SOC and IR teams should treat Gelsemium as a Windows malware object with no official ATT&CK detection text, then map coverage from its relationships. Validate collection and analytics for registry query/modify activity, command shell execution, native API/process behaviors, DLL injection indicators, access token manipulation, process/user/system/file discovery, local data access, file deletion, timestomp anomalies, invalid or misleading code-signing/resource-name traits, and deobfuscation/compression-related artifacts. Network validation should include HTTP/S-like traffic, DNS-based C2 patterns, fallback communications, ingress tool transfer, and non-application-layer protocol visibility. Because the object is modular, triage should not assume a single artifact represents the full intrusion chain.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry, especially cmd.exe and child process activity
  • Windows Registry query and modification events
  • File creation, deletion, rename, path, metadata, and timestamp evidence, including MFT or equivalent forensic artifacts where available
  • Module load, DLL injection, memory, and cross-process access telemetry
  • Code-signing validation results and file metadata/resource-name observations

Detection direction

  • Start with behavior-based coverage because ATT&CK provides no official detection guidance for this malware object.
  • Correlate registry activity, suspicious process execution, fileless storage possibilities, and native API/process-injection signals rather than relying only on static malware signatures.
  • Tune for sequences: discovery followed by local data access, staging/compression/deobfuscation, outbound C2, tool transfer, and cleanup such as file deletion or timestomping.
  • Review false positives for administrative scripts, software installers, endpoint management tools, and legitimate compressed archives before escalating alerts based only on one technique.
  • Validate egress monitoring for web, DNS, fallback, and non-application-layer channels; a single blocked protocol should not be treated as proof of containment.

Mitigation priorities

  • Ensure Windows endpoint logging and retention can support incident reconstruction across process, registry, file, module, and network activity.
  • Harden and monitor registry locations and execution paths commonly abused for persistence, defense evasion, or fileless storage, consistent with local baselines.
  • Apply least privilege and monitor privileged token or process-context changes that could support access token manipulation or injection behaviors.
  • Restrict and monitor unnecessary outbound protocols while maintaining visibility into allowed web and DNS traffic.
  • Use application control, code-signing validation, and file reputation controls where operationally feasible, while recognizing ATT&CK lists invalid signatures and masquerading-like resource naming as relevant behaviors.
Analyst notes and limits

ATT&CK identifies Gelsemium as modular malware composed of Gelsemine, Gelsenicine, and Gelsevirine plug-ins written using the Microsoft Foundation Class framework, and states it has been used by the Gelsemium group since at least 2014. The ATT&CK malware platform is Windows. Relationship context expands the defensive focus across collection, discovery, execution, command-and-control, persistence, privilege escalation, defense impairment, and stealth behaviors, even though the malware object itself does not list tactics.

Official detection text is not provided, and the supplied fields do not include indicators of compromise, specific registry keys, filenames, domains, hashes, prevalence, active exploitation status, victimology, or confirmed customer exposure. Defensive conclusions should therefore be validated against local Windows architecture, logging coverage, egress design, and incident evidence.

Official MITRE ATT&CK definition

Gelsemium

Gelsemium is a modular malware comprised of a dropper (Gelsemine), a loader (Gelsenicine), and main (Gelsevirine) plug-ins written using the Microsoft Foundation Class (MFC) framework. Gelsemium has been used by the Gelsemium group since at least 2014.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

33 rows
Domain ID Name Relationship / procedure
Enterprise T1568 Dynamic Resolution

Gelsemium can use dynamic DNS domain names in C2.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

Gelsemium can decompress and decrypt DLLs and shellcode.[1]
Enterprise T1548.002 Bypass User Account Control Sub-technique

Gelsemium can bypass UAC to elevate process privileges on a compromised host.[1]
Enterprise T1095 Non-Application Layer Protocol

Gelsemium has the ability to use TCP and UDP in C2 communications.[1]
Enterprise T1543.003 Windows Service Sub-technique

Gelsemium can drop itself in `C:\Windows\System32\spool\prtprocs\x64\winprint.dll` as an alternative Print Processor to be loaded automatically when the spoolsv Windows service starts.[1]
Enterprise T1070.004 File Deletion Sub-technique

Gelsemium can delete its dropper component from the targeted system.[1]
Enterprise T1620 Reflective Code Loading

Gelsemium can use custom shellcode to map embedded DLLs into memory.[1]
Enterprise T1547.012 Print Processors Sub-technique

Gelsemium can drop itself in C:\Windows\System32\spool\prtprocs\x64\winprint.dll to be loaded automatically by the spoolsv Windows service.[1]
Enterprise T1547.001 Registry Run Keys / Startup Folder Sub-technique

Gelsemium can set persistence with a Registry run key.[1]
Enterprise T1497 Virtualization/Sandbox Evasion

Gelsemium can use junk code to generate random activity to obscure malware behavior.[1]
Enterprise T1027.011 Fileless Storage Sub-technique

Gelsemium can store its components in the Registry.[1]
Enterprise T1112 Modify Registry

Gelsemium can modify the Registry to store its components.[1]
Enterprise T1057 Process Discovery

Gelsemium can enumerate running processes.[1]
Enterprise T1071.004 DNS Sub-technique

Gelsemium has the ability to use DNS in communication with C2.[1]
Enterprise T1083 File and Directory Discovery

Gelsemium can retrieve data from specific Windows directories, as well as open random files as part of Virtualization/Sandbox Evasion.[1]
Enterprise T1082 System Information Discovery

Gelsemium can determine the operating system and whether a targeted machine has a 32 or 64 bit architecture.[1]
Enterprise T1518.001 Security Software Discovery Sub-technique

Gelsemium can check for the presence of specific security products.[1]
Enterprise T1105 Ingress Tool Transfer

Gelsemium can download additional plug-ins to a compromised host.[1]
Enterprise T1033 System Owner/User Discovery

Gelsemium has the ability to distinguish between a standard user and an administrator on a compromised host.[1]
Enterprise T1008 Fallback Channels

Gelsemium can use multiple domains and protocols in C2.[1]
Enterprise T1005 Data from Local System

Gelsemium can collect data from a compromised host.[1]
Enterprise T1055.001 Dynamic-link Library Injection Sub-technique

Gelsemium has the ability to inject DLLs into specific processes.[1]
Enterprise T1134 Access Token Manipulation

Gelsemium can use token manipulation to bypass UAC on Windows7 systems.[1]
Enterprise T1070.006 Timestomp Sub-technique

Gelsemium has the ability to perform timestomping of files on targeted systems.[1]
Enterprise T1012 Query Registry

Gelsemium can open random files and Registry keys to obscure malware behavior from sandbox analysis.[1]
Enterprise T1106 Native API

Gelsemium has the ability to use various Windows API functions to perform tasks.[1]
Enterprise T1071.001 Web Protocols Sub-technique

Gelsemium can use HTTP/S in C2 communications.[1]
Enterprise T1059.003 Windows Command Shell Sub-technique

Gelsemium can use a batch script to delete itself.[1]
Enterprise T1036.001 Invalid Code Signature Sub-technique

Gelsemium has used unverified signatures on malicious DLLs.[1]
Enterprise T1027.016 Junk Code Insertion Sub-technique

Gelsemium can use junk code to hide functions and evade detection.[1]
Enterprise T1027.015 Compression Sub-technique

Gelsemium has the ability to compress its components.[1]
Enterprise T1036.005 Match Legitimate Resource Name or Location Sub-technique

Gelsemium has named malicious binaries `serv.exe`, `winprint.dll`, and `chrome_elf.dll` and has set its persistence in the Registry with the key value Chrome Update to appear legitimate.[1]
Enterprise T1559.001 Component Object Model Sub-technique

Gelsemium can use the `IARPUinstallerStringLauncher` COM interface are part of its UAC bypass process.[1]
Relationship explorer

All related ATT&CK context

uses · Technique T1568: Dynamic Resolution Enterprise uses · Technique T1140: Deobfuscate/Decode Files or Information Enterprise uses · Technique T1548.002: Bypass User Account Control Enterprise uses · Technique T1095: Non-Application Layer Protocol Enterprise uses · Technique T1543.003: Windows Service Enterprise uses · Technique T1070.004: File Deletion Enterprise uses · Technique T1620: Reflective Code Loading Enterprise uses · Technique T1547.012: Print Processors Enterprise uses · Technique T1547.001: Registry Run Keys / Startup Folder Enterprise uses · Technique T1497: Virtualization/Sandbox Evasion Enterprise uses · Technique T1027.011: Fileless Storage Enterprise uses · Technique T1112: Modify Registry Enterprise uses · Technique T1057: Process Discovery Enterprise uses · Technique T1071.004: DNS Enterprise uses · Technique T1083: File and Directory Discovery Enterprise uses · Technique T1082: System Information Discovery Enterprise uses · Technique T1518.001: Security Software Discovery Enterprise uses · Technique T1105: Ingress Tool Transfer Enterprise uses · Technique T1033: System Owner/User Discovery Enterprise uses · Technique T1008: Fallback Channels Enterprise uses · Technique T1005: Data from Local System Enterprise uses · Technique T1055.001: Dynamic-link Library Injection Enterprise uses · Technique T1134: Access Token Manipulation Enterprise uses · Technique T1070.006: Timestomp Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.2
Created
Modified
Raw hash
1bcc5a4a4b2ed338...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.2 Current bundle 1bcc5a4a4b2e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    ESET Gelsemium June 2021

    Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.

    Open source URL
  2. [2]
    Gelsemine

    (Citation: ESET Gelsemium June 2021)

  3. [3]
    Gelsenicine

    (Citation: ESET Gelsemium June 2021)

  4. [4]
    Gelsevirine

    (Citation: ESET Gelsemium June 2021)

  5. [5]
    mitre-attack S0666
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use