The cybersecurity landscape continues to evolve rapidly, with threat actors employing increasingly sophisticated methods to compromise systems and steal sensitive information. Among the most concerning developments is the activity of the North Korean advanced persistent threat (APT) group Kimsuky, also known as Springtail. This group has recently been observed deploying a Linux backdoor named Gomir as part of a targeted campaign against South Korean organizations. This blog provides an in-depth analysis of this new threat, its capabilities, distribution methods, and broader implications for cybersecurity.
The Emergence of Gomir Backdoor
Similarities to GoBear
The Gomir backdoor represents a significant development in Kimsuky's cyber arsenal. According to the Symantec Threat Hunter Team, Gomir is essentially a Linux variant of the previously identified GoBear backdoor. Structurally, the two malware variants are almost identical, sharing a substantial amount of code. This indicates that Gomir is not merely a new tool but an adaptation of existing capabilities to a different operating system environment.
Capabilities of Gomir
Gomir is a potent instrument in the hands of Kimsuky operators, designed to provide extensive control over compromised systems. It supports up to 17 distinct commands, which include:
- File Operations: Allows operators to read, write, and manipulate files on the infected system.
- Reverse Proxy: Enables the creation of a reverse proxy, which can be used to tunnel traffic and potentially bypass network defenses.
- Command-and-Control (C2) Communications: Can pause C2 communications for a specified duration, helping the malware evade detection and analysis.
- Shell Commands: Allows execution of arbitrary shell commands, providing broad flexibility for further actions on the infected machine.
- Process Termination: Includes functionality to terminate its own process, aiding in stealth and self-defense against detection mechanisms.
These capabilities highlight Gomir's flexibility and the threat it poses to compromised systems, allowing Kimsuky to conduct a wide range of espionage activities effectively.
Details of the Campaign
Initial Observations
The campaign involving Gomir was first documented in early February 2024. During this period, GoBear was linked to another malware strain known as Troll Stealer, or TrollAgent. Troll Stealer has notable overlaps with other Kimsuky malware families, including AppleSeed and AlphaSeed. These overlaps suggest a common development and deployment strategy aimed at enhancing the group's cyber espionage capabilities.
Distribution Methods
One of the most concerning aspects of this campaign is the sophisticated distribution methods employed by Kimsuky. The malware is disseminated through trojanized security programs that users download from a South Korean construction-related association's website. The compromised programs include:
- nProtect Online Security: A widely used security tool.
- NX_PRNMAN: A network printer management utility.
- TrustPKI: A tool for managing public key infrastructure (PKI) certificates.
- UbiReport: A reporting tool used in various industries.
- WIZVERA VeraPort: Software used for secure internet banking and online transactions.
The targeting of these specific programs is strategic, aiming to maximize the chances of infecting the intended South Korean targets, which rely on these tools for secure operations.
Rogue Installers
In addition to the trojanized programs, Symantec reported the use of rogue installers for WIZVERA VeraPort to deliver Troll Stealer malware. However, the exact mechanism by which these malicious installation packages are distributed remains unclear. This ambiguity adds another layer of complexity and challenge for cybersecurity professionals attempting to defend against these attacks.
Historical Context and Espionage Focus
Common Origin with BetaSeed
Further analysis reveals that GoBear contains similar function names to an older Springtail backdoor known as BetaSeed, which was written in C++. This similarity suggests that both GoBear and BetaSeed likely originate from the same source, indicating a continuous evolution and refinement of Kimsuky's malware toolkit. The development of Gomir as a Linux variant of GoBear is a testament to the group's adaptive strategies and persistent efforts to expand their operational capabilities across different operating systems.
Targeting South Korea
Kimsuky's operations are closely aligned with the strategic interests of North Korea, focusing heavily on espionage activities aimed at South Korean entities. The group's choice of infection vectors—specifically, software installation packages and updates—reflects a calculated approach designed to maximize infection rates among their intended targets. By targeting commonly used security programs and applications, Kimsuky enhances their chances of successful infiltration, especially within organizations that prioritize cybersecurity but may still fall victim to trusted, yet compromised, software.
Implications for Cybersecurity
The deployment of the Gomir backdoor by Kimsuky highlights several critical implications for the broader cybersecurity landscape:
The Evolution of APT Tactics
The emergence of Gomir underscores the evolving tactics employed by APT groups like Kimsuky. The ability to adapt malware to different operating systems and incorporate advanced features demonstrates a high level of technical sophistication and resource investment. This evolution requires defenders to stay vigilant and continuously update their defense mechanisms to counteract these advanced threats.
Importance of Supply Chain Security
The use of trojanized security programs and rogue installers as infection vectors highlights the importance of supply chain security. Organizations must ensure that their software suppliers adhere to stringent security practices to prevent the introduction of malware into their environments. Regular audits, code reviews, and verification of software integrity are essential steps in securing the supply chain.
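The software-integrity check mentioned above can be made concrete. The following is an added example, not material from this post or any vendor's tooling: it compares downloaded installers against a SHA-256 manifest obtained from the vendor through a channel separate from the download site, so an installer swapped on a compromised site shows up as a mismatch. The manifest format, file names and file bytes are constructed for illustration.

```python
# Added example: check downloaded installers against a vendor-published SHA-256
# manifest before running them. Manifest format, names and hashes are constructed.
import hashlib
import hmac
from typing import Dict

def parse_manifest(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines ('<hex>  <filename>') into {filename: hex}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name.strip():
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name.strip()] = digest.lower()
    return expected

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_installers(manifest: Dict[str, str], downloads: Dict[str, bytes]) -> Dict[str, str]:
    """Status per file: 'ok', 'MISMATCH' (tampered), 'MISSING', or 'UNLISTED'."""
    results = {}
    for name, expected in manifest.items():
        data = downloads.get(name)
        if data is None:
            results[name] = "MISSING"
        elif hmac.compare_digest(sha256_hex(data), expected):
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"  # do not install; hash differs from vendor's
    for name in downloads:
        if name not in manifest:
            results[name] = "UNLISTED"  # nothing vouches for this file
    return results

# Constructed sample: the manifest a vendor would publish through a separate channel.
GOOD_INSTALLER = b"example installer bytes v1"
TAMPERED_INSTALLER = GOOD_INSTALLER + b" + injected payload"
SAMPLE_MANIFEST = (
    f"{sha256_hex(GOOD_INSTALLER)}  example_installer.exe\n"
    f"{sha256_hex(b'other tool')}  other_tool.exe\n"
)

def demo() -> Dict[str, str]:
    # A modified download plus an extra file that the manifest does not list.
    downloads = {"example_installer.exe": TAMPERED_INSTALLER, "extra_tool.exe": b"unlisted"}
    return verify_installers(parse_manifest(SAMPLE_MANIFEST), downloads)
```

A hash list hosted on the same site as the download proves nothing, so the manifest must come from the vendor directly; a MISMATCH or UNLISTED result should block installation and be escalated for investigation.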
Enhanced Detection and Response
Given the advanced capabilities of malware like Gomir, enhanced detection and response mechanisms are crucial. Organizations should implement robust endpoint detection and response (EDR) solutions capable of identifying and mitigating suspicious activities. Additionally, continuous monitoring and threat hunting efforts can help detect anomalies and potential intrusions before they cause significant damage.
Cyber Threat Intelligence Sharing
Sharing cyber threat intelligence (CTI) within and across industries can significantly improve collective defense against sophisticated APT groups. By disseminating information about new threats, attack vectors, and indicators of compromise (IOCs), organizations can enhance their situational awareness and improve their ability to defend against similar attacks.
Training and Awareness
Educating employees about the latest cyber threats and best practices for security is essential. Awareness programs that focus on recognizing phishing attempts, avoiding suspicious downloads, and understanding the importance of software updates can help mitigate the risk of malware infections. Regular training sessions and simulated attack exercises can reinforce these concepts and improve overall organizational resilience.
Conclusion
The deployment of the Gomir backdoor by the Kimsuky APT group underscores the persistent and evolving threat posed by state-sponsored actors targeting specific regions and industries. This campaign, aimed at South Korean organizations, reveals Kimsuky’s strategic use of advanced malware to conduct cyber espionage. The adaptation of the GoBear backdoor into its Linux variant, Gomir, demonstrates the group's technical sophistication and their ability to expand their operations across different platforms.
At digiALERT, we recognize the critical importance of understanding and addressing such threats. The use of trojanized security programs and rogue installers as vectors for malware dissemination highlights the necessity for comprehensive supply chain security. Organizations must implement robust endpoint detection and response solutions, enhance their threat intelligence sharing, and continuously educate their employees on cybersecurity best practices.
The key takeaways from this campaign include the importance of vigilance, the need for regular software integrity checks, and the value of a proactive cybersecurity strategy. By staying informed about the latest threats and collaborating within the cybersecurity community, we can enhance our collective defense capabilities.
As threat actors like Kimsuky continue to refine their techniques, we at digiALERT are committed to evolving our defenses to safeguard our clients against these sophisticated threats. Through continuous monitoring, advanced threat detection, and a commitment to cybersecurity excellence, we aim to provide robust protection and ensure the security of our clients' critical assets.