{
	"id": "03e75013-f435-4b17-8df8-ee65d70a6707",
	"created_at": "2026-04-06T00:12:20.551286Z",
	"updated_at": "2026-04-10T13:12:00.19697Z",
	"deleted_at": null,
	"sha1_hash": "a60e3337bd43c8a524a041206a0789b1a8ae6193",
	"title": "Malicious campaign targets South Korean users with backdoor-laced torrents",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 181337,
	"plain_text": "Malicious campaign targets South Korean users with backdoor-laced torrents\r\nBy Zuzana Hromcová\r\nArchived: 2026-04-05 18:47:49 UTC\r\nFans of Korean TV should be on the lookout for an ongoing campaign spreading malware via torrent sites, using\r\nSouth Korean movies and TV shows as a guise. The malware allows the attacker to connect the compromised\r\ncomputer to a botnet and control it remotely.\r\nThe malware is a modified version of a publicly available backdoor named GoBot2. The modifications to the\r\nsource code are mainly South Korea-specific evasion techniques, which are described in detail in this blogpost.\r\nDue to the campaign’s clear focus on South Korea, we have dubbed this Win64/GoBot2 variant GoBotKR.\r\nAccording to ESET telemetry, GoBotKR has been active since March 2018. The detections are in the hundreds,\r\nwith South Korea being the most affected (80%), followed by China (10%) and Taiwan (5%).\r\nDistribution\r\nGoBotKR has been spreading via South Korean and Chinese torrent sites, masquerading as Korean movies and\r\nTV shows, as well as some games.\r\nThe attackers behind this campaign try to trick users into executing the malware by booby-trapping the contents of\r\nthe torrents with malicious files that have deceptive filenames, extensions and icons. Our analysis shows that the\r\ntorrents using a movie/TV show disguise generally contain the following types of files:\r\n1. The expected MP4 file\r\n2. A malicious executable masked as a PMA archive file with a filename mimicking various codec installers\r\n3. A malicious LNK file with a filename and icon mimicking the expected video file\r\nFigure 1 shows examples of torrent contents from this malicious campaign.\r\nhttps://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/\r\nPage 1 of 14\n\nFigure 1. 
Contents of some torrents delivering the malware (the MP4 video is not displayed on the second\r\nscreenshot); the malware is executed by an LNK file with a deceptive filename and icon\r\nSo how exactly do users get compromised?\r\nDirectly opening the intended MP4 file will not result in any malicious action. The catch here is that the MP4 file\r\nis often hidden in a different directory, and users might encounter the malicious LNK file mimicking it first.\r\nFurther increasing the chance of users falling for the lure is the fact that Windows Explorer never displays the\r\n.lnk extension of a shortcut, even when extension hiding is turned off, so a file named video.mp4.lnk is shown as\r\nvideo.mp4. This can be seen in the second screenshot in Figure 1, in the file with the Korean name.\r\nClicking on the deceptive LNK file executes the malware. However, it also opens the intended file (in this case a\r\nvideo), giving victims little reason to suspect something has gone wrong.\r\nRenaming the malicious EXE file to a PMA file is also likely done to avoid raising the suspicion of potential\r\nvictims. We have also seen this technique using games as a lure, with filenames and extensions relevant to\r\ngaming.\r\nDuring our investigation, we have seen the following filenames being used for the malicious executables:\r\nstarcodec.pma, WedCodec.pma and Codec.pma (movie/TV show disguise) and leak.dll (game disguise). The name\r\n“starcodec” mimics the legitimate Korean codec pack Starcodec.\r\nCapabilities\r\nGoBotKR was built on the basis of a backdoor named GoBot2, the source code of which has been publicly\r\navailable since March 2017. 
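Before turning to the backdoor itself: the lure layout described under Distribution above (a top-level shortcut named like the video, a PE image renamed to .pma, the real MP4 pushed into a subdirectory) can be checked for mechanically before anything from a torrent is opened. The following Python script is an added example written for this page, not code from ESET or from the article. The file listing it runs on is constructed to mirror Figure 1, the set of video extensions it treats as lure targets is an assumption, and the shell-link and PE header bytes are the standard magic values of those formats.

```python
import os
from dataclasses import dataclass

# Extensions the lure imitates and the extensions under which a PE image is expected.
VIDEO_EXTS = {'.mp4', '.mkv', '.avi', '.wmv'}
EXEC_EXTS = {'.exe', '.dll', '.scr', '.com'}
LNK_MAGIC = bytes([0x4C, 0x00, 0x00, 0x00])  # HeaderSize field that opens every Windows shell link
PE_MAGIC = b'MZ'                              # DOS stub signature of a PE image

@dataclass
class Entry:
    path: str    # path inside the torrent, '/'-separated
    head: bytes  # first bytes of the file (constructed here; normally read from disk)

def _name_parts(path):
    name = path.rsplit('/', 1)[-1]
    stem, ext = os.path.splitext(name)
    return name, stem, ext.lower()

def triage(entries):
    '''Return (path, reason) findings for the contents of one torrent.'''
    findings = []
    # Index the real video files by basename so a shortcut named after one can be spotted.
    videos = {}
    for e in entries:
        name, _, ext = _name_parts(e.path)
        if ext in VIDEO_EXTS:
            videos[name.lower()] = e.path
    for e in entries:
        name, stem, ext = _name_parts(e.path)
        if ext == '.lnk' or e.head.startswith(LNK_MAGIC):
            # Explorer never shows .lnk, so 'Drama.E01.mp4.lnk' is displayed as 'Drama.E01.mp4'.
            inner_ext = os.path.splitext(stem)[1].lower()
            if stem.lower() in videos or inner_ext in VIDEO_EXTS:
                findings.append((e.path, 'shortcut masquerading as a video file'))
            else:
                findings.append((e.path, 'shortcut inside a media torrent'))
            if ext != '.lnk':
                findings.append((e.path, 'shell link header under a non-.lnk extension'))
        if e.head.startswith(PE_MAGIC) and ext not in EXEC_EXTS:
            # starcodec.pma in the article: a PE image hiding under a codec-pack extension.
            findings.append((e.path, 'PE image renamed to ' + (ext or 'no extension')))
        elif ext in EXEC_EXTS:
            findings.append((e.path, 'executable inside a media torrent'))
    # The real video is often moved into a subdirectory so the top-level shortcut is what the user sees first.
    top_level_lnks = [e.path for e in entries if '/' not in e.path and _name_parts(e.path)[2] == '.lnk']
    if top_level_lnks and videos and all('/' in p for p in videos.values()):
        findings.append(('<torrent>', 'only shortcuts at top level; every real video sits in a subdirectory'))
    return findings

def suspicious_paths(entries):
    '''Distinct paths with at least one finding, sorted for stable reporting.'''
    return sorted({path for path, _ in triage(entries)})

# Constructed listing mirroring the layout in Figure 1; not a real torrent.
SAMPLE = [
    Entry('Drama.E01.mp4.lnk', LNK_MAGIC + bytes(16)),
    Entry('starcodec.pma', PE_MAGIC + bytes(16)),
    Entry('video/Drama.E01.mp4', bytes([0, 0, 0, 0x20]) + b'ftypisom'),
]

if __name__ == '__main__':
    for path, reason in triage(SAMPLE):
        print(path, '-', reason)
```

The two checks that matter most are the ones a user cannot make by eye: the double extension hidden by Explorer's unconditional suppression of .lnk, and the file header rather than the extension, which is what catches a renamed executable such as starcodec.pma.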
Both the original and the modified version are written in Go (often referred to as Golang).\r\nWhile still relatively rare for malware, new Go-based malware families keep emerging, likely because the large,\r\nstatically linked executables the Go compiler produces make analysis more laborious.\r\nThe functionality of GoBotKR largely overlaps with the published GoBot2 source code, with only minimal\r\nmodifications. Overall, the malware is not particularly complex technically, and the implementation is rather\r\nstraightforward. Most features are implemented with the use of Go libraries, and by executing Windows\r\ncommands (such as cmd, ipconfig, netsh, shutdown, start, systeminfo, taskkill, ver, whoami, and wmic), and third-party utilities such as the BitTorrent and uTorrent clients.\r\nCollected information\r\nUltimately, the actors behind GoBotKR are building a network of bots that can then be used to perform DDoS\r\nattacks of various kinds (e.g. SYN Flood, UDP Flood, or Slowloris). Therefore, after being executed, GoBotKR\r\nfirst collects system information about the compromised computer, including network configuration, OS version\r\ninformation, CPU and GPU versions. In particular, it collects a list of installed antivirus software.\r\nThis information is sent to a C\u0026C server, which helps the attackers determine which bots should be used in the\r\nrespective attacks. All C\u0026C servers that we extracted from the analyzed malware samples are hosted in South\r\nKorea and registered by the same person.\r\nBot commands\r\nOnce communication with the C\u0026C server is established, the server instructs the compromised computer with\r\nbackdoor commands. 
GoBotKR supports fairly standard botnet functions, which mostly serve three main\r\npurposes:\r\n- allowing misuse of the compromised computer\r\n- allowing the botnet operators to control, or further extend, the botnet\r\n- evading detection or hiding from the user\r\nThese are the supported commands:\r\n- carry out a DDoS attack on a specified victim\r\n- access a URL\r\n- execute a file, a command, a script\r\n- update, terminate or uninstall itself\r\n- shutdown/reboot/log off the computer\r\n- change homepage in IE\r\n- change desktop background\r\n- seed torrents\r\n- copy itself to connected removable media, and set up the AutoRun function\r\n- copy itself to public folders of cloud storage services (Dropbox, OneDrive, Google Drive)\r\n- run a reverse proxy server\r\n- run an HTTP server\r\n- change firewall settings, edit hosts file, open a port\r\n- enable/disable Task Manager\r\n- enable/disable Windows registry editors\r\n- enable/disable Command Prompt\r\n- kill a process\r\n- hide a process window\r\nOf particular interest are two commands – seeding torrents and DDoS capability.\r\nThe “seed torrents” command allows the attackers to misuse the victimized machines for seeding arbitrary files\r\nusing the BitTorrent and uTorrent programs, even if these are not already installed on the system. This may be\r\nused as a mechanism to distribute the malware further.\r\nThe “carry out a DDoS attack” command lets attackers abuse the victim’s network bandwidth to block the\r\navailability of targeted services, such as websites. According to our analysis, this is most likely the main purpose\r\nof the GoBotKR botnet.\r\nEvasion techniques\r\nIn this section, we explore the evasion techniques used by the GoBotKR backdoor. While many techniques were\r\nalready present in the publicly available source code, the authors of GoBotKR further expanded them with South\r\nKorea-specific features. 
This shows us that the attackers customized the malware for a specific audience, while\r\ntaking extra effort to remain undetected in their campaign.\r\nTechniques taken from GoBot2\r\nThe following detection evasion and anti-analysis techniques used by GoBotKR have been adopted from the GoBot2\r\nsource code:\r\n- The malware installs two instances of itself on the system. The second instance (watchdog) monitors\r\nwhether the first instance is still active and reinstalls it if it has been removed from the system.\r\n- The malware employs antivirus bypass techniques (it allocates large chunks of memory and delays\r\nexecution of the malicious payload to prevent antivirus engines from emulating the code due to resource\r\nconstraints).\r\n- The malware can detect selected security and analytical tools, such as debuggers. If detected, it terminates\r\nitself.\r\n- The malware terminates itself if IP information of the victim suggests one of several blacklisted\r\norganizations (e.g. Amazon, BitDefender, Cisco, ESET). It uses external legitimate websites for querying\r\nIP information and searches for hardcoded strings in this information (e.g. \"cloud\", \"Cisco\", \"Microsoft\"),\r\nrather than using API functions.\r\n- The malware terminates itself if its file name consists of 32 hexadecimal characters (the length of an MD5\r\ndigest), which prevents the payload from being executed in automated sandboxes that rename submitted samples\r\nto their MD5 hash.\r\nSouth Korea-specific modifications in GoBotKR\r\nThe authors of GoBotKR added three new evasion techniques, related to their focus on South Korea:\r\n- As explained in the previous section, the malware uses IP information of the compromised computer to\r\ndetect whether it is running in one of the blacklisted organizations. 
In GoBot2, the IP address of the victim\r\nis determined by accessing Amazon Web Services or dnsDynamic and parsing the reply.\r\nIn the samples of GoBotKR we analyzed, these URLs are replaced with South Korean online platforms\r\nNaver and Daum.\r\n- GoBotKR features a new evasion technique that scans running processes on the compromised system to\r\ndetect selected antivirus products (listed in Table 1). If any of the products are detected, the malware\r\nterminates itself and removes some traces of its activity from the host. The list of detected processes\r\nincludes products by AhnLab, a South Korean security company.\r\nProcess name substring | Associated company/product\r\nV3Lite | AhnLab, V3 Internet Security\r\nV3Clinic | AhnLab, V3 Internet Security\r\nRwVnSvc | AhnLab Anti-Ransomware Tool\r\nKsde | Kaspersky\r\nkavsvc | Kaspersky\r\navp | Kaspersky\r\nAvast | Avast\r\nMcUICnt | McAfee\r\n360 | 360 Total Security\r\nkxe | Kingsoft Antivirus\r\nkwsprotect | Kingsoft Internet Security\r\nBitDefender | BitDefender\r\nAvira | Avira\r\nByteFence | ByteFence\r\nTable 1. List of security products detected by GoBotKR\r\n- The malware tries to detect analytical tools running on the system. It terminates itself if any of them are\r\ndetected. The list is internally named “ahnNames”, which might be another reference to AhnLab.\r\nFigure 2. The malware’s blacklist of running processes is internally named “ahnNames”\r\nIn addition to the AhnLab references, the defensive techniques described in the second and third points were\r\nadded into the source code as a file named AhnLab.go, according to the metadata we obtained from the malware.\r\nTimeline\r\nBecause the malware is spreading via torrents, a lot of the samples are broken or incomplete. 
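Before the timeline, a note for anyone detonating a sample: the self-termination conditions described in the two preceding sections (a 32-hex file name, blacklisted strings in the IP-information reply, AV process names from Table 1, an attached debugger) decide whether GoBotKR runs at all, so an analyst wants to know which of them a given sandbox would trip. The following Python pre-flight check is an added example, not GoBotKR's code or ESET's: it re-implements the published conditions in their simplest form. The case-insensitive substring matching and the testing of the file name both with and without its extension are assumptions (the article does not say how the malware compares), the IP-information blacklist is limited to the three example strings the article names, and the two sandbox descriptions are constructed.

```python
import re

# Substrings GoBotKR looks for in running process names (Table 1 in the article).
AV_PROCESS_SUBSTRINGS = [
    'V3Lite', 'V3Clinic', 'RwVnSvc', 'Ksde', 'kavsvc', 'avp', 'Avast', 'McUICnt',
    '360', 'kxe', 'kwsprotect', 'BitDefender', 'Avira', 'ByteFence',
]
# Strings searched for in the IP-information reply; the article names only these three examples.
IPINFO_BLACKLIST = ['cloud', 'Cisco', 'Microsoft']
HEX32 = re.compile('^[0-9a-fA-F]{32}$')  # an MD5 digest rendered as hex

def preflight(sample_filename, process_names, ipinfo_text, debugger_attached=False):
    '''List the GoBotKR self-termination conditions this environment would trigger.

    An empty list means none of the published checks fires. Matching is done
    case-insensitively, and the file name is tested both with and without its
    extension: both are assumptions, as the article does not state how the
    malware compares.
    '''
    hits = []
    without_ext = sample_filename.rsplit('.', 1)[0]
    if HEX32.match(sample_filename) or HEX32.match(without_ext):
        hits.append('file name is 32 hex characters (sample named after its MD5)')
    for proc in process_names:
        for sub in AV_PROCESS_SUBSTRINGS:
            if sub.lower() in proc.lower():
                hits.append('process ' + proc + ' matches AV substring ' + sub)
                break  # one hit per process is enough; the malware exits on the first
    for word in IPINFO_BLACKLIST:
        if word.lower() in ipinfo_text.lower():
            hits.append('IP information contains ' + word)
    if debugger_attached:
        hits.append('debugger present')
    return hits

# Constructed environments, not real telemetry: a typical cloud sandbox and the same box after fixes.
NAIVE_SANDBOX = dict(
    sample_filename='d41d8cd98f00b204e9800998ecf8427e.exe',
    process_names=['explorer.exe', 'avp.exe', 'svchost.exe'],
    ipinfo_text='org: Microsoft Corporation, AS8075',
)
PREPARED_SANDBOX = dict(
    sample_filename='starcodec.exe',
    process_names=['explorer.exe', 'svchost.exe'],
    ipinfo_text='org: Example ISP, AS64496',
)

if __name__ == '__main__':
    for label, env in (('naive', NAIVE_SANDBOX), ('prepared', PREPARED_SANDBOX)):
        print(label, preflight(**env) or ['would run'])
```

The practical consequences are the ones the naive environment shows: rename the sample to the lure's own name before detonation, do not run it next to an AV agent whose process name is on the list, and either block the Naver/Daum IP lookups or make sure the sandbox's egress address does not resolve to a cloud or security vendor.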
We were, however,\r\nable to recover C\u0026C servers and internal version information.\r\nSince the malware was first seen, we have detected samples with internal versions 2.0, 2.3, 2.4, and 2.5. Each of\r\nthese versions comes with some minor technical improvements or differences in implementation. The versioning\r\ndiffers from that used in the GoBot2 source code, where an internal name “ArchDuke” is used.\r\nTable 2 lists the different versions of GoBotKR detected by ESET systems from May 2018 to the time of writing.\r\nThe timeline features the malware’s internal versioning and detection dates, as PE timestamps have been cleared\r\nfrom the samples.\r\nFirst seen | Internal version | Functionality linked to South Korea | C\u0026C server\r\nMay 2018 | 2.0 | No | https://jtbcsupport[.]site:7777/\r\nJul 2018 | 2.0 | Yes | https://jtbcsupport[.]site:7777/\r\nAug 2018 | 2.0 | Yes | https://higamebit[.]com:6446/\r\nSep 2018 | 2.3 | Yes | https://kingdomain[.]site:6556/\r\nSep 2018 | 2.3 | Yes | https://bitgamego[.]com:6446/\r\nSep 2018 | 2.3 | Yes | https://higamebit[.]com:6446/\r\nSep 2018 | 2.3 | Yes | https://helloking[.]site:6446/\r\nJan 2019 | 2.4 | Yes | https://kingdomain[.]site:6556/\r\nJan 2019 | 2.5 | Yes | https://kingdomain[.]site:6556/\r\nTable 2. GoBotKR version timeline\r\nAs seen in the table, the first malware samples detected in May 2018 were not yet customized for South Korean\r\ntargets and were thus almost identical to the GoBot2 source code. However, we were able to link them to newer\r\nsamples because they used the same C\u0026C server.\r\nHow to stay safe\r\nIf you suspect you might have fallen victim to this malware campaign, we recommend you scan your computer\r\nwith a reliable security solution. ESET products detect and block this malware under the detection name\r\nWin64/GoBot2. 
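For network defenders, the C&C servers and the non-standard ports (6446, 6556, 7777) listed in the Indicators of Compromise section below are directly huntable in proxy or firewall logs. The following Python snippet is an added example, not part of the article: it refangs the published domains, parses a handful of constructed CONNECT/GET proxy log lines in an assumed space-separated format (time, client, method, target, status), and grades each hit. A known domain, including any subdomain of it, is a strong indicator; one of the three ports on its own is only a lead, since nothing stops legitimate services from using them.

```python
from urllib.parse import urlsplit

# C&C indicators from the IoC section, kept defanged as published.
CNC_DOMAINS = ['jtbcsupport[.]site', 'kingdomain[.]site', 'higamebit[.]com',
               'bitgamego[.]com', 'helloking[.]site']
CNC_PORTS = {6446, 6556, 7777}

def refang(indicator):
    return indicator.replace('[.]', '.')

CNC_HOSTS = {refang(d) for d in CNC_DOMAINS}

def parse_line(line):
    '''Parse one proxy log line in the assumed format: time client method target status.'''
    ts, client, method, target, status = line.split()
    if method == 'CONNECT':               # HTTPS tunnel: target is host:port
        host, _, port = target.rpartition(':')
        port = int(port)
    else:                                 # plain HTTP: target is a URL
        url = urlsplit(target)
        host = url.hostname
        port = url.port or (443 if url.scheme == 'https' else 80)
    return {'ts': ts, 'client': client, 'host': host.lower(), 'port': port}

def classify(rec):
    '''Return 'cnc-domain', 'cnc-port' or None for one parsed record.'''
    host = rec['host']
    if host in CNC_HOSTS or any(host.endswith('.' + h) for h in CNC_HOSTS):
        return 'cnc-domain'
    if rec['port'] in CNC_PORTS:
        return 'cnc-port'                 # lead only: the ports are not reserved for anything
    return None

def hunt(lines):
    '''Return (client, host, port, verdict) for every line that matches an indicator.'''
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        verdict = classify(rec)
        if verdict:
            hits.append((rec['client'], rec['host'], rec['port'], verdict))
    return hits

# Constructed log lines, not real traffic.
LOG = '''
2019-06-01T10:00:01Z 10.0.0.12 CONNECT kingdomain.site:6556 200
2019-06-01T10:00:03Z 10.0.0.12 GET http://example.com/index.html 200
2019-06-01T10:01:10Z 10.0.0.23 CONNECT jtbcsupport.site:7777 200
2019-06-01T10:02:00Z 10.0.0.31 CONNECT update.example.net:443 200
2019-06-01T10:03:00Z 10.0.0.31 CONNECT files.example.org:6446 200
2019-06-01T10:04:00Z 10.0.0.40 CONNECT cdn.higamebit.com:443 200
'''.strip().splitlines()

if __name__ == '__main__':
    for client, host, port, verdict in hunt(LOG):
        print(verdict, client, host, port)
```

Because the C&C traffic is HTTPS on these ports, a proxy log only ever shows the CONNECT tunnel, not the base64-encoded payload; the host name and port are therefore the whole signal, which is why the domain match carries more weight than the port match.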
You can use ESET’s Free Online Scanner to check your computer for the presence of this threat\r\nand remove anything that is detected. Existing ESET customers are protected automatically.\r\nPirated content distributed via torrent sites is a well-known vector for spreading all kinds of malware. To steer\r\nclear of similar attacks in the future, stick to official sources when downloading content. Before launching\r\ndownloaded files, pay attention to whether their extensions match the intended filetypes. To keep your computer\r\nprotected, we advise you to patch regularly and use reputable security software.\r\nIndicators of Compromise (IoCs)\r\nESET detection name\r\nWin64/GoBot2\r\nC\u0026C servers\r\njtbcsupport[.]site\r\nkingdomain[.]site\r\nhigamebit[.]com\r\nbitgamego[.]com\r\nhelloking[.]site\r\nSHA-1\r\nNote that some malware samples may be corrupted due to the nature of its distribution mechanism (torrents).\r\nVersion 2.0\r\n038C69021F4091F0B1BE3F059FCDC1C4FA8885D2\r\n092A4F085A01E0D61418114726B9F9EF9F4683C3\r\n11953296BBC2B26303DED2F92FB8677BD8320326\r\n11BF60CC2B8AC0321635834820460824D76965DE\r\n275EE3BD90996EF54DB5931CBDF35B059D379E0E\r\n424215E74EA64FC3A55FE9C94B74AFC4EA593699\r\n4899912880FF7B881145B72A415C7662625E062E\r\n6560BD68CD0CA0402AB28D8ABE52909EB2BA1E10\r\n6A58E32DFF59BAEE432E5D351EAD7C7CB939CCB7\r\nhttps://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/\r\nPage 7 of 
14\n\n6BE3A40D89DDCDCFA37926A29CE5BCC5FF182D12\r\n77EAE50B8C424338C2987D6DFF52CE0F0BBBD98F\r\nA04EB443942DD3906A883119429BF09A3601B3E0\r\nA61D72BA8AE6A216F1D5013A05CEA8D4F96E81E1\r\nB60DA1F89313751FAA21DD394D6D862CC8C2DBE4\r\nB7CEAE53118890011B695E358633CCD35E8CD577\r\nBDBA27E525D6DC698C1CF90B07F4FB85956E9C28\r\nC31955C4D3C38591BBC8A2089F23B5558146267B\r\nD688A58001E41A8CA22EABCA309DA9FCD2910CB3\r\nDD18D7B0ADE5E65EFDE920C9261E8890B4105B75\r\nE0046D91BED1B3A09243C43760599DC9D8F99953\r\nE00F1BB85A277A8C1ED081642EF76413B2FF7EA9\r\nEA968D757281E6BB5D9334E7F2C9ECDA69EA15A9\r\nF9C40789C780174F6BB377AE46F49B94E402AE77\r\nFFF263FA9E16F7945BCE21D0F6C11C75DAA241D8\r\nVersion 2.3\r\n018927A35B2CEC08D5493CB75BAA62D6956D0109\r\n063C462E98453AD6E4091A5AB35613CAF19DF415\r\n082A026BD14F69AF46641ABF20520B3D2D0D6E6A\r\n084A7E6B7DD955554FCED021DF58458C7E66EBB2\r\n097248EB38277DA879F5D606179C746DB6BB2C54\r\n0DBA9DDBBB12FA4FE22CD4EE16EF8DCC73B7D295\r\n0E9D0C1A82DFB53DF9BB8B75D3A90B2236704498\r\n0F4BB3FC6771D306565E1002B3327A9F2AED92AF\r\n14129424593DC8B1865F491A9CA92BE753B2A7F0\r\n16703AE741257EAF2EC76E097D17F379E3FCB29D\r\n1BE6DB3F30B41A8777819C9D04056923C74E052E\r\n1C4FDDDBB8402D3A1E70E5DCD4C0187C6F55ABA3\r\n1F966B8540CF9716640DF39FA0B97FBA62200C1F\r\n1FCE2D1735C226DC688EC191B18EF773D0B51830\r\n2145B398927E056AFEA963CCEE39D60760F4FD21\r\n2172B67E6E17944C74468634C1BB52269187D633\r\n227198CB1BB02601E6E707892DC50CB9F11D1C62\r\n25E43D900CD7AA89A209F97CC8B1E718B2E98F6B\r\n2B0D9C7D0D9C847822283EBCB7D4E650A5DC8104\r\n2C4B970778D8F4441EB93DA34A279E7A678E370A\r\n2F6320819D541AE804873EA5AD3E93C0B21028F3\r\n2F635862C92A31CE39F87262D77FC022810F40D3\r\n31AE67F632FC6B278BD6D50D298585BF53A844DB\r\n3356BFD26189533E8E77BFC6E59A5ED25F6BE1E2\r\n354D5135660292C9D4DD5C394ECAAC5DC3719D8A\r\nhttps://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/\r\nPage 8 of 
14\n\n37902317F4B751C80C4404F6FC6A831602B9B540\r\n3918E9F79C154F6031DA52A21F1F7477715B28BC\r\n3B0B403BAFC72FD86EEC6474886AA7233083888F\r\n3DD1A7A8533676FD471C69AD39DCEE0FBBE7E1FD\r\n4186AECA8B229B51EFD559E7B839E669374673AD\r\n426D064FDBB9AFB694F67F37942BBBD0C2E4AD69\r\n42C4F415580B0EB17E139E92A2DA111BF6CCAF7F\r\n446C3F1EFB3A44FEA98F23AEBBC925DD0C330BE6\r\n4596E0D116A511E204A57877538EA26D174E269E\r\n46D398B78C2DFF0118100B6507F049E867E5195F\r\n4709995AC0FB5F32129AAD235755A8BEB9B355ED\r\n47918740BA72FD3857F209069D6674AF8EFD411B\r\n49A56E7A0BCF3538555078BFFA7DDBB60ADF0DDE\r\n4C3D825798056EEF7E3FE33BDA777F9E70D4E7D4\r\n4F4781B24879DF51652DF3FB24F156F76F78B376\r\n4F6E7EA69CD44E5065EAD8655BC4105375D33A06\r\n5B96C0349C07D6B37F1D3EC9F792CB5848FC48C6\r\n5CD88B03821C3B84D7397D166233A15C0041B38B\r\n5D93972D0352DF08DC06FF5AF120B328654B272F\r\n5E7BEB4E8A35B234D263DDE0AED33C6C9A0D1D57\r\n60CA70EDA899EE58AD419F513F5FB279B89C87A4\r\n60D3445A6A15C8396356AC6F9807965A8E7BFA67\r\n60F638CAD3116DB2FE580C31800A66836D534986\r\n64FC3A6B5F0FA745D66DC66ED2FBC75A7C71C747\r\n660C360B3DF4354FDAFA6454B7E19588FFE296E1\r\n6D90CC4FF3A7F91FDFD904E73CDE3351F14EA828\r\n6FC19EB46CAFC1A18F99119EB7353DE116F1BDFD\r\n718957E417194A6EBD3B55C77AB3EB405E30257B\r\n734F33BCDBF062DDEA90B2B89AF5DC4F0B292594\r\n7688C3DCD43605BDC5E3AED03F6D87E18AEAC9AC\r\n779366C5B356383A2286441EB84140C13000510C\r\n7CD7334FC7CE9701A7C4FE091CC3EC01D07363D9\r\n7DF8023457D50FF9F66CDB4C914206A163BD1713\r\n7F95715B0BF80B7BBECC757D613084D76334101C\r\n830F1387DFEC3D7F8D5678EED8A7C45C76B5DBE6\r\n8368E9DEAE2F880D37232E57240CA893472C8BD3\r\n8AFECBF940273C979D01856E1332EFF6EFE24D09\r\n900E1C9666EECACA47DD59D908EED5480CF92953\r\n9166AB0420C9223F23AC5C4EC5503F75505E5770\r\n94D723C409EF4C4308113F3DBB3CB7E1084C3E12\r\n966B722D6180AC774CFF51CFD20A1C1B966E3F43\r\n98826BC207F1914867572561B4E0643DBE8FD8E4\r\nhttps://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/\r\nPage 9 of 
14\n\n9DD65F76AAF739AEF7EB9D4601ED366B3B48B121\r\n9E6E772E41F452ED695310BCFA2B88429F12100A\r\n9EDA0E8C2F0EDE283DC1457E4967002BDF3D376F\r\nA9A0A33466B54A5617F986F6B160E10C5B8D81DA\r\nAEF7725E9B945C7BCCCD7A23B1C1C1E40EEAC774\r\nB052FC4D36F40C225397127EFB31628E8B96DC48\r\nB563B60ED58C99199CCAB44496F858A5D42E54E7\r\nB56A6FB4EC95793407752294782EF914EF497C8F\r\nB57736D4F14F4E157D23C14E627A817A03C2DE24\r\nB703848F4BC390E3E9516E3E4C746AD7C616FF96\r\nB8F46453C1E5C03DAD1C07AB8705BE3E4F4224D2\r\nBB7438119A8A2F79CF06BDAA14D8CACA57E05B17\r\nBB89551AA131832395B1589C0E25D3F013A22A24\r\nBCD2027681DD5628F0741B79B1D7C2AC4573D8E2\r\nBD3859586D4C1701498EEFD05BB2E016848CE95D\r\nBF42743314770340DDB5C80F22F39C6E07F74252\r\nBFCB367868E4CFBA880E41B37241E089382F424C\r\nC0B5CE4D03AED769DCCD5BA2BB5296C7D9F55F68\r\nC13BED8DADA964EBF2A88786715FF83F0A1A8BCA\r\nCBA77FE9FA0759AE0CD073D3B126F73BEB340814\r\nCC98D9E90B7DA6E314434A246653B718ABF72FBB\r\nCD880876565DF58EAFC033C0D207E2B2613F8C0D\r\nCE1B68F65E2CC9A060996E58101B80C907C63377\r\nD1D603E24FD82B6BE32B99A25A86F6CD46F3A8AF\r\nD7423A1F56FFF460031419856FE4F7C557E1A2BF\r\nD8ACB99F04A5EC3E355B947885E02977D6C37AF0\r\nDA6603AC6CB47A3C448CB232EB0116BD62C7B7E4\r\nDD1E3544F8363517556A91EBA40E85EE3638528E\r\nDE5F6E4F559BD9FD716271AA35AFF961DF620B84\r\nDEEC9543303C8211AD2C781F4AA936EFC191F64F\r\nDFF022EC8223676E0D792DD126EE91B0D3059C4C\r\nE22D6F80F0FA05446D3AF7D57EB920BA89DBEE9E\r\nE31ABA7D0BBE49F7E66BD04379BC4837A7C91E46\r\nE3204213E526C6ED3F8BE49D8E493DB5E92EC52A\r\nE51519CF8C9522B4266D7CFC7125AF111DB259E7\r\nE6AB36FE3BBDE63B28BFDF27D8890048FEA1E66D\r\nE95A1D9E57821EBA66B421A587A014EB297DE69F\r\nEA2BB07BB8AD5BFE1F0E92AD7B64D960600924C9\r\nEBB140CDF75386E0FA7746910EB6596323184A7F\r\nEDFA500254F315407783F302E85A27D8C802E4F8\r\nEE8198049EBE16E2BA86163361FE4B5F7768FA2E\r\nF0C6B2DEAB37A6BF78E4DF66FC4DD538F5658F6A\r\nhttps://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/\r\nPage 10 of 
14\n\nF15ED7BE791A2DD2446A7EF5DF748ACB474C0E98\r\nF3DD44C8FC41D466685D8F3B9D3EA59C479230B6\r\nF8353AB3D4D6575FD68BE1ECCF6446A5100925C9\r\nFA22EB25A1FCBD26D5E6B88B464B61BCC4B303C2\r\nFAEE079AABB92B4C887BA3FBEE4D1D63732D72A3\r\nFD37E55481C7941B420950B0979586BDE2BA6B8A\r\nFFD169CBB8E6DC9F1465AC82DDDC4C99AB59C619\r\nVersion 2.4\r\n896FB40BACBF8B51A06AAF49523DE720D1C21D53\r\nA997A5316D4936F70CDF697DF7E65796CE11B607\r\nVersion 2.5\r\n27ED3426EA5DB2843B312E476FFFCF41BA4FDD31\r\nC4074FCC7A600707ADCAF3DD5C0931E6CBF01B48\r\nRegistry values\r\nThe registry key used by GoBotKR is a subkey under [HKCU\\SOFTWARE] with a variable name from a\r\nhardcoded list, mostly mimicking legitimate software names.\r\nThe following registry values are used:\r\nID\r\nINSTALL\r\nNAME\r\nVERSION\r\nREMASTER\r\nLAST\r\nWATCHDOC\r\nMITRE ATT\u0026CK techniques\r\nThe technique IDs below are those of the ATT\u0026CK matrix as published in July 2019, before sub-techniques were\r\nintroduced; several have since been revised or deprecated, so map them to current IDs before reusing them.\r\nTactic | ID | Name | Description\r\nInitial Access | T1189 | Drive-by Compromise | GoBotKR has been distributed through torrent file-sharing websites to South Korean victims, using games or Korean movie/TV series as a lure.\r\nExecution | T1059 | Command-Line Interface | GoBotKR uses cmd.exe to execute commands.\r\nExecution | T1064 | Scripting | GoBotKR can download and execute scripts.\r\nExecution | T1204 | User Execution | The attackers make their malware look like the torrent content the user intended to download, to entice the user to click on it.\r\nPersistence | T1060 | Registry Run Keys / Startup Folder | GoBotKR installs itself under registry run keys to establish persistence.\r\nPersistence | T1053 | Scheduled Task | GoBotKR schedules a task that adds a registry run key to establish malware persistence.\r\nPrivilege Escalation | T1088 | Bypass User Account Control | GoBotKR attempts to bypass UAC using registry hijacking.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | GoBotKR has used base64 to obfuscate strings, commands and files.\r\nDefense Evasion | T1089 | Disabling Security Tools | GoBotKR may use netsh to add local firewall rule exceptions.\r\nDefense Evasion | T1158 | Hidden Files and Directories | GoBotKR stores itself in a file with Hidden and System attributes.\r\nDefense Evasion | T1070 | Indicator Removal on Host | GoBotKR removes the Zone.Identifier alternate data stream (ADS) from its file, to conceal the fact that the file has been downloaded from the internet.\r\nDefense Evasion | T1036 | Masquerading | GoBotKR uses filenames and registry key names associated with legitimate software.\r\nDefense Evasion | T1112 | Modify Registry | GoBotKR stores its configuration data in registry keys. It can modify registry keys to disable Task Manager, Registry Editor and Command Prompt.\r\nDefense Evasion | T1027 | Obfuscated Files or Information | GoBotKR uses base64 to obfuscate strings, commands and files.\r\nDefense Evasion | T1108 | Redundant Access | GoBotKR installs a second copy of itself on the system, which monitors and reinstalls the primary copy if it has been removed.\r\nDefense Evasion | T1497 | Virtualization/Sandbox Evasion | GoBotKR performs several checks on the compromised machine to avoid being emulated or executed in a sandbox.\r\nDiscovery | T1063 | Security Software Discovery | GoBotKR checks for processes associated with security products and debugging tools, and terminates itself if any are detected. It can enumerate installed antivirus software using the wmic command.\r\nDiscovery | T1082 | System Information Discovery | GoBotKR uses the wmic, systeminfo and ver commands to collect information about the system and the installed software.\r\nDiscovery | T1016 | System Network Configuration Discovery | GoBotKR uses netsh and ipconfig to collect information about the network configuration. It has used the Naver and Daum portals to obtain the client IP address.\r\nDiscovery | T1033 | System Owner/User Discovery | GoBotKR uses whoami to obtain information about the victimized user. It runs tests to determine the privilege level of the compromised user.\r\nDiscovery | T1124 | System Time Discovery | GoBotKR can obtain the date and time of the compromised system.\r\nLateral Movement | T1105 | Remote File Copy | GoBotKR attempts to copy itself into public folders of cloud storage services (Google Drive, Dropbox, OneDrive). It is also able to spread itself by instructing the compromised machine to seed torrents with the malicious file.\r\nLateral Movement | T1091 | Replication Through Removable Media | GoBotKR can drop itself onto removable media and relies on Autorun to execute the malicious file when a user opens the removable media on another system.\r\nCollection | T1113 | Screen Capture | GoBotKR is capable of capturing screenshots.\r\nCommand and Control | T1090 | Connection Proxy | GoBotKR can be used as a proxy server.\r\nCommand and Control | T1132 | Data Encoding | The communication with the C\u0026C server is base64 encoded.\r\nCommand and Control | T1105 | Remote File Copy | GoBotKR can download additional files and update itself.\r\nCommand and Control | T1071 | Standard Application Layer Protocol | GoBotKR uses HTTP or HTTPS for C\u0026C.\r\nCommand and Control | T1065 | Uncommonly Used Port | GoBotKR uses non-standard ports, such as 6446, 6556 and 7777, for C\u0026C.\r\nImpact | T1499 | Endpoint Denial of Service | GoBotKR has been used to execute endpoint DDoS attacks – for example, TCP Flood or SYN Flood.\r\nImpact | T1498 | Network Denial of Service | GoBotKR has been used to execute network DDoS.\r\nImpact | T1496 | Resource Hijacking | GoBotKR can use the compromised computer’s network bandwidth to seed torrents or execute DDoS.\r\nSource: https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/"
	],
	"report_names": [
		"south-korean-users-backdoor-torrents"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434340,
	"ts_updated_at": 1775826720,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a60e3337bd43c8a524a041206a0789b1a8ae6193.pdf",
		"text": "https://archive.orkl.eu/a60e3337bd43c8a524a041206a0789b1a8ae6193.txt",
		"img": "https://archive.orkl.eu/a60e3337bd43c8a524a041206a0789b1a8ae6193.jpg"
	}
}