{
	"id": "bff0416f-0de9-4513-b65b-c5d9842f69ed",
	"created_at": "2026-04-06T00:07:56.252748Z",
	"updated_at": "2026-04-10T03:37:40.709979Z",
	"deleted_at": null,
	"sha1_hash": "bd9dc8be4650cc39996d9aa5c9f65305dd8ab7de",
	"title": "Breaking Down Linux.Gomir: Understanding this Backdoor’s TTPs | Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3650647,
	"plain_text": "Breaking Down Linux.Gomir: Understanding this Backdoor’s TTPs | Splunk\r\nBy Splunk Threat Research Team, Teoderick Contreras\r\nPublished: 2024-07-15 · Archived: 2026-04-05 14:34:58 UTC\r\nA supply chain attack is a prominent \"Initial Access\" tactic employed by malware authors and Advanced Persistent Threat (APT) groups to gain a foothold on their targeted hosts or systems. This method involves compromising a third-party service or software that is trusted by the target, thereby injecting malicious code into legitimate software updates or distributions.\r\nIn February 2024, S2W researchers and Ahnlab Security Intelligence Center (ASEC) reported a notable campaign conducted by the Kimsuky group. This APT group exploited supply chain vulnerabilities in various software solutions, specifically targeting TrustPKI and NX_PRNMAN. The compromised software packages were embedded with malicious payloads, including the GoBear backdoor. These embedded malware components enabled the attackers to infiltrate and compromise targeted hosts, facilitating unauthorized access and control.\r\nThis incident underscores the critical importance of securing the software supply chain: even trusted software can become a vector for sophisticated cyber attacks if it is compromised at any point in its distribution or update process.\r\nIn May 2024, Symantec released a blog uncovering a Linux version of the GoBear backdoor, which they named Linux.Gomir. This Linux variant shares several similarities in code and behavior with its Windows predecessor, GoBear.\r\nIn this blog, the Splunk Threat Research Team provides an analysis of Linux.Gomir to help security analysts, blue teamers and Splunk customers defend against this threat. 
Below, we will review associated Tactics, Techniques and Procedures (TTPs); Atomic Tests you can use to simulate Linux.Gomir behaviors; and security content you can use to help detect this threat.\r\nLinux.Gomir TTPs\r\nNon-Standard Encoding (T1132.002)\r\nLinux.Gomir generates a unique beacon or infection ID for the compromised host, which it then sends to its Command and Control (C2) server. This beacon ID is created by taking the first 10 characters of the MD5 hash derived from the username and hostname of the infected host. The beacon or infection ID is crucial for the attackers to uniquely identify and manage the compromised machines within their network. Figure 01 shows screenshots of the code that retrieves the username and hostname to generate this beacon ID.\r\nFigure 01: Generate Beacon ID\r\nhttps://www.splunk.com/en_us/blog/security/breaking-down-linux-gomir-understanding-this-backdoors-ttps.html\r\nPage 1 of 11\r\nFigure 02 illustrates a simple HTTP POST network traffic instance of this backdoor malware as it communicates with its C2 server to request a backdoor command. The HTTP POST request contains a body that includes the infection ID generated on the compromised host. This infection ID allows the C2 server to uniquely identify and interact with the specific infected machine, ensuring precise command execution.\r\nBelow is the structure of the HTTP POST request body:\r\na\u003crandom_generated_string\u003e=2\u0026b\u003crandom_generated_string\u003e=g-\u003cbeacon_id\u003e1\u0026c\u003crandom_generated_string\u003e=\r\nFigure 02: HTTP POST Request Body\r\nScheduled Task/Job: Cron (T1053.003)\r\nLinux.Gomir includes a parameter named 'Install.' When this parameter is used, the embedded malware component executes its full range of malicious functions. 
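As an added illustration of the two artifacts above (this is example code, not code from the original post or from the malware), the following Python reproduces the beacon ID derivation and parses the observed POST body layout back into its fields, so a captured body can be checked against the ID a given host would produce. The post does not state how username and hostname are combined before hashing, so the concatenation order and the absence of a separator are assumptions, as is the assumption that the random strings contain no '=' or '&'; build_body is a hypothetical helper used only to construct test input.

```python
import hashlib
import re

# Assumed: MD5 over username immediately followed by hostname, no separator.
# The post only says the ID is the first 10 characters of an MD5 hash
# derived from the two values; adjust if the sample shows another layout.
def beacon_id(username: str, hostname: str) -> str:
    digest = hashlib.md5((username + hostname).encode()).hexdigest()
    return digest[:10]

# Observed body layout from the post:
#   a<random>=2&b<random>=g-<beacon_id>1&c<random>=
# The random strings are assumed to contain neither '=' nor '&'.
BODY_RE = re.compile(r'^a([^=&]*)=2&b([^=&]*)=g-([0-9a-f]{10})1&c([^=&]*)=$')

def parse_beacon_body(body: str):
    '''Return the beacon ID if the body matches the Gomir layout, else None.'''
    m = BODY_RE.match(body)
    if m is None:
        return None
    return m.group(3)

def build_body(bid: str, r1: str = 'Xq', r2: str = 'Lz', r3: str = 'Pm') -> str:
    '''Hypothetical helper that assembles a body in the observed layout (test input only).'''
    return f'a{r1}=2&b{r2}=g-{bid}1&c{r3}='

def body_matches_host(body: str, username: str, hostname: str) -> bool:
    '''True when a captured body carries the beacon ID expected for this host.'''
    return parse_beacon_body(body) == beacon_id(username, hostname)

if __name__ == '__main__':
    # Constructed sample, not a real capture.
    bid = beacon_id('root', 'lab-host')
    body = build_body(bid)
    print(bid, body, body_matches_host(body, 'root', 'lab-host'))
```

The fixed pieces of the layout (the literal 2, the g- prefix, the 1 immediately after ten hex characters, and the three single-letter parameter prefixes) are what a content signature on the POST body would key on; the random parameter suffixes are not stable and must be wildcarded.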
These functions include generating an infection ID, dropping a copy of itself, establishing persistence, installing a service, and enabling its backdoor capabilities. The service installation and backdoor capabilities facilitate ongoing control and exploitation of the infected system.\r\nFigure 03: “Install” Parameter\r\nFigure 04 illustrates the code snippet demonstrating how Linux.Gomir sets up a crontab entry as part of its persistence mechanism.\r\nFigure 04: Sample of code demonstrating the process to create a crontab entry\r\nThe process begins by creating a file named \"cron.txt\" in the current working directory, which contains an entry pointing to the malware's file path:\r\n@reboot \u003cgomir_process_file_path\u003e\r\nNext, the malware lists the existing crontab entries of the current user by executing the following command:\r\n/bin/sh -c crontab -l\r\nThe output of this command is appended to \"cron.txt\". Finally, the malware replaces the crontab with the contents of this file by executing:\r\n/bin/sh -c crontab cron.txt\r\nBecause crontab <file> replaces the user's entire crontab, capturing the existing entries first means the legitimate jobs are preserved and the @reboot entry is simply prepended to them.\r\nFigure 05 shows the crontab of our test host after executing Linux.Gomir with elevated privileges.\r\nFigure 05: list crontab\r\nInstall Services\r\nTo maintain persistence and ensure execution with elevated privileges upon reboot, Linux.Gomir installs itself as a system service under a name that mimics the traditional syslog daemon. Initially, it copies its executable to \"/var/log/syslogd\". Following this, it creates a service unit file named \"syslogd.service\" in the \"/etc/systemd/system/\" directory. 
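The two persistence artifacts just described (an @reboot crontab entry and a systemd unit whose executable lives under /var/log) can be triaged on a live host without Splunk. The following Python is an added example, not code from the post or from the Splunk content repository: it inspects crontab -l output for @reboot entries whose target sits in a data or scratch directory, and scans a unit directory for .service files whose ExecStart points outside the usual binary locations. The directory lists, the sample crontab text and the two sample unit files are constructed assumptions for the demo; the syslogd unit mirrors the paths the post names, not the actual content of Figure 07.

```python
import os
import re
import tempfile

# Where a service executable or cron @reboot target normally lives (assumed list).
EXPECTED_BIN_DIRS = ('/usr/bin/', '/usr/sbin/', '/bin/', '/sbin/', '/usr/lib/',
                     '/usr/libexec/', '/lib/', '/opt/')
# Writable or data directories that should not host executables; /var/log is what Gomir uses.
SUSPECT_DIRS = ('/var/log/', '/tmp/', '/var/tmp/', '/dev/shm/', '/home/', '/root/')

def command_path(cmdline: str) -> str:
    '''First token of a command line, skipping leading VAR=value assignments.'''
    for tok in cmdline.split():
        if '=' in tok and not tok.startswith('/'):
            continue
        return tok
    return ''

def unusual(path: str) -> bool:
    '''True for an absolute path that is in a suspect directory or outside the expected ones.'''
    return path.startswith(SUSPECT_DIRS) or (path.startswith('/') and not path.startswith(EXPECTED_BIN_DIRS))

def reboot_entries(crontab_text: str):
    '''@reboot entries from crontab -l output, each paired with a flag for an odd target location.'''
    out = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if line.startswith('@reboot'):
            cmd = line[len('@reboot'):].strip()
            out.append((cmd, unusual(command_path(cmd))))
    return out

EXEC_RE = re.compile(r'^ExecStart *= *(.+)$', re.MULTILINE)

def exec_start(unit_text: str) -> str:
    '''ExecStart value of a unit file with systemd's prefix characters (-, @, +, !, :) stripped.'''
    m = EXEC_RE.search(unit_text)
    if not m:
        return ''
    return m.group(1).strip().lstrip('-@+!:')

def scan_unit_dir(unit_dir: str):
    '''(unit file name, executable) for every .service unit whose binary is in an odd place.'''
    findings = []
    for name in sorted(os.listdir(unit_dir)):
        if not name.endswith('.service'):
            continue
        with open(os.path.join(unit_dir, name)) as fh:
            exe = command_path(exec_start(fh.read()))
        if unusual(exe):
            findings.append((name, exe))
    return findings

def demo():
    '''Constructed sample reproducing the artifacts the post describes; not real host data.'''
    crontab_text = '''@reboot /var/log/syslogd
0 3 * * * /usr/bin/apt-get update
'''
    gomir_unit = '''[Unit]
Description=syslogd

[Service]
ExecStart=/var/log/syslogd
Restart=always

[Install]
WantedBy=multi-user.target
'''
    benign_unit = '''[Unit]
Description=ssh daemon

[Service]
ExecStart=-/usr/sbin/sshd -D

[Install]
WantedBy=multi-user.target
'''
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, 'syslogd.service'), 'w') as fh:
            fh.write(gomir_unit)
        with open(os.path.join(d, 'ssh.service'), 'w') as fh:
            fh.write(benign_unit)
        return reboot_entries(crontab_text), scan_unit_dir(d)

if __name__ == '__main__':
    print(demo())
```

On a real host, run reboot_entries over the output of crontab -l for root and for each user with a crontab, and scan_unit_dir over /etc/systemd/system; a unit named after a system daemon but started from /var/log, /tmp or a home directory is exactly the pattern the Install routine leaves behind.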
This service file is configured to point to the copied malware executable at \"/var/log/syslogd\", effectively setting up the malware to run as a system service.\r\nLastly, to make sure that systemd picks up the new unit and that the service is enabled and running on the compromised host, it executes the following commands:\r\n/bin/sh -c systemctl daemon-reload\r\n/bin/sh -c systemctl reenable syslogd\r\n/bin/sh -c systemctl start syslogd\r\nFigure 06 contains screenshots of the code demonstrating how this malware executes the described technique.\r\nFigure 06: Sample of code used to execute the install services technique\r\nFigure 07 shows the content of the .service file created by this malware for the copy of itself named “syslogd”.\r\nFigure 07: Content of .service file\r\nCommand and Control (TA0011)\r\nFinally, the malware executes a function responsible for communicating with its C2 server. Unfortunately, the C2 server was already down at the time of writing. This function decrypts incoming commands from the server and encrypts the results of the operations performed on the compromised host.\r\nFigure 08 displays a brief snippet of the function code that processes operations after decoding and decrypting its backdoor commands. 
The snippet shown covers three backdoor operations: retrieving the process's current working directory, getting the size of a directory, and collecting system information such as CPU details, memory statistics, and network information.\r\nFigure 08: Part of Backdoor Function\r\nBeyond the three operations shown in Figure 08, below are the backdoor operations we observed Linux.Gomir support:\r\nStart reverse proxy client\r\nUpload socket list information to the C2 server\r\nHibernate the Gomir client at a specific date, time, and location\r\nReturn the command path of the Gomir client process\r\nReturn the code page of the Gomir client process\r\nReturn the current file path of the process\r\nReturn the size of the targeted directory from the compromised host\r\nRetrieve system information such as hostname, username, CPU details, memory statistics, and network information (interface names and addresses)\r\nSet up a TCP connection\r\nKill or exit a process\r\nRetrieve the current working directory of the Gomir client process\r\nChange the current working directory\r\nPut the Gomir client to sleep\r\nExecute shell commands\r\nDetecting Linux.Gomir with Splunk Security Content\r\nBy understanding Linux.Gomir’s behaviors, the Splunk Threat Research Team was able to generate telemetry and datasets to develop detections designed to help defend and respond against this threat. You can find these detections below, and for our full repository of security detections, visit research.splunk.com.\r\nLinux Adding Crontab Using List Parameter\r\nThe following analytic identifies execution of the crontab command with the list (-l) parameter on Linux systems. On its own the list call only prints the current crontab; Linux.Gomir runs it to capture the existing entries before replacing the crontab with its own file, so adversaries abuse it as one step in adding a crontab entry that executes their malicious code on a schedule of their choice. 
However, it's important to note that administrators and normal users also run this command routinely for legitimate automation purposes, so filtering is required to minimize false positives; a crontab <file> invocation following shortly after from the same parent process is a stronger indicator. Identifying this use of the list parameter is valuable for a SOC, as it indicates potential malicious activity or an attempt to establish persistence on the system.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)\r\n as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"crontab\"\r\n Processes.process= \"* -l*\" by Processes.parent_process_name Processes.process_name\r\n Processes.process Processes.process_id Processes.parent_process_id Processes.dest\r\n Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)` | `linux_adding_crontab_using_list_parameter_filter`\r\nFigure 09: Detection for adding Crontab\r\nLinux Service Restarted\r\nThe following analytic detects the restarting or re-enabling of services on the Linux platform. It focuses on the use of the systemctl or service tools for executing these actions. Adversaries may leverage this technique to repeatedly execute malicious payloads as a form of persistence. Linux hosts typically start services during boot to perform background system functions. However, administrators may also create legitimate services for specific tools or applications as part of task automation. 
In such cases, it is recommended to verify the path of the registered script or executable and identify the creator of the service for further validation.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)\r\n as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN (\"systemctl\", \"service\") OR Pr\r\n Processes.parent_process_name\r\n Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_g\r\nFigure 10: Detection for Service Restarted\r\nLinux Service Started Or Enabled\r\nThe following analytic detects the creation or enabling of services on Linux platforms, specifically using the systemctl or service tool. This behavior is worth identifying as adversaries may create or modify services to execute malicious payloads as part of persistence. Legitimate services created by administrators for automation purposes may also trigger this analytic, so it is important to update the filter macros to remove false positives.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)\r\n as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN (\"systemctl\", \"service\") OR Pr\r\n Processes.vendor_product=\"Microsoft Windows\")\r\n by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Proc\r\nFigure 11: Detection for Service Started/Enable\r\nLinux Service File Created In Systemd Directory\r\nThe following analytic is designed to detect suspicious file creation within the “systemd” unit directories on Linux platforms. 
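To read the four analytics as logic rather than SPL, here is an added Python replay (not Splunk's code, and not a substitute for the searches) that applies each analytic's conditions to a constructed batch of Endpoint-style events built from the commands the TTP section lists, then correlates the hits per host. The systemctl verb lists and the unit directory list are reconstructed from the analytic descriptions because the archived SPL is cut off; /etc/systemd/system is included because that is where Linux.Gomir writes syslogd.service. The field names follow the Endpoint data model, and the 300-second correlation window, the helper names proc and fs, and the sample events are assumptions for the demo.

```python
# Added replay of the four analytics over constructed Endpoint-style events.
# Verb lists and directory list are reconstructed from the analytic descriptions.

SYSTEMD_DIRS = ('/etc/systemd/system', '/usr/lib/systemd/system', '/lib/systemd/system',
                '/run/systemd/system', '/etc/systemd/user', '/usr/lib/systemd/user',
                '/lib/systemd/user', '/run/systemd/user', '/.config/systemd/', '/.local/share/systemd/')
SERVICE_TOOLS = ('systemctl', 'service')

def tokens(ev):
    return ev.get('process', '').split()

def crontab_list(ev):
    # Linux Adding Crontab Using List Parameter: process_name=crontab with a -l argument
    return ev.get('process_name') == 'crontab' and '-l' in tokens(ev)

def service_restarted(ev):
    # Linux Service Restarted: systemctl/service with a restart or reenable verb (assumed verb list)
    return ev.get('process_name') in SERVICE_TOOLS and bool({'restart', 'reenable'} & set(tokens(ev)))

def service_started_or_enabled(ev):
    # Linux Service Started Or Enabled: systemctl/service with a start or enable verb (assumed verb list)
    return ev.get('process_name') in SERVICE_TOOLS and bool({'start', 'enable'} & set(tokens(ev)))

def service_file_created(ev):
    # Linux Service File Created In Systemd Directory: a .service file under a unit directory
    return ev.get('file_name', '').endswith('.service') and any(d in ev.get('file_path', '') for d in SYSTEMD_DIRS)

DETECTIONS = {
    'Linux Adding Crontab Using List Parameter': crontab_list,
    'Linux Service Restarted': service_restarted,
    'Linux Service Started Or Enabled': service_started_or_enabled,
    'Linux Service File Created In Systemd Directory': service_file_created,
}

# The three steps of the Install sequence that should appear together on one host.
PERSISTENCE_CHAIN = ('Linux Adding Crontab Using List Parameter',
                     'Linux Service File Created In Systemd Directory',
                     'Linux Service Started Or Enabled')

def run_detections(events):
    '''Map each analytic name to the indexes of the events that fired it.'''
    hits = {name: [] for name in DETECTIONS}
    for i, ev in enumerate(events):
        for name, fn in DETECTIONS.items():
            if fn(ev):
                hits[name].append(i)
    return hits

def chained_hosts(events, window_sec=300):
    '''Hosts where the first hit of every chain step falls within window_sec (window is an assumption).'''
    per_host = {}
    for ev in events:
        for name in PERSISTENCE_CHAIN:
            if DETECTIONS[name](ev):
                per_host.setdefault(ev['dest'], {}).setdefault(name, []).append(ev['_time'])
    out = []
    for dest, seen in per_host.items():
        if len(seen) == len(PERSISTENCE_CHAIN):
            firsts = [min(ts) for ts in seen.values()]
            if max(firsts) - min(firsts) <= window_sec:
                out.append(dest)
    return sorted(out)

def proc(t, dest, user, parent, cmd):
    '''Hypothetical helper: a Processes-style event (epoch seconds, host, user, parent, command line).'''
    return {'_time': t, 'dest': dest, 'user': user, 'parent_process_name': parent,
            'process_name': cmd.split()[0], 'process': cmd}

def fs(t, dest, path):
    '''Hypothetical helper: a Filesystem-style file creation event.'''
    return {'_time': t, 'dest': dest, 'file_name': path.rsplit('/', 1)[-1], 'file_path': path}

# Constructed sample batch, not real telemetry: the Gomir install sequence on lab01,
# followed by routine administration on web02.
SAMPLE_EVENTS = [
    proc(1000, 'lab01', 'root', 'sh', 'crontab -l'),
    proc(1001, 'lab01', 'root', 'sh', 'crontab cron.txt'),
    fs(1002, 'lab01', '/etc/systemd/system/syslogd.service'),
    proc(1003, 'lab01', 'root', 'sh', 'systemctl daemon-reload'),
    proc(1004, 'lab01', 'root', 'sh', 'systemctl reenable syslogd'),
    proc(1005, 'lab01', 'root', 'sh', 'systemctl start syslogd'),
    proc(2000, 'web02', 'admin', 'bash', 'crontab -l'),
    proc(9000, 'web02', 'admin', 'bash', 'systemctl restart nginx'),
]

if __name__ == '__main__':
    for name, idx in run_detections(SAMPLE_EVENTS).items():
        print(name, idx)
    print('chained install sequence on:', chained_hosts(SAMPLE_EVENTS))
```

Each analytic fires on its own for ordinary administration (the lone crontab -l and the nginx restart on web02 both match), which is why the searches ship with filter macros; the per-host chain of list, unit file creation and start within a short window is what separates the Install routine from that noise.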
Malicious actors can exploit this feature by dropping a “systemd” service file for persistence on the targeted or compromised host.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)\r\n as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name = *.service Filesystem.file_path IN\r\n \"*/usr/lib/systemd/system*\",\r\n \"*/run/systemd/system*\", \"*~/.config/systemd/*\",\r\n \"*~/.local/share/systemd/*\",\"*/etc/systemd/user*\",\r\n \"*/lib/systemd/user*\", \"*/usr/lib/systemd/user*\", \"*/run/systemd/user*\") by Filesystem.dest Filesystem.file_c\r\n | `linux_service_file_created_in_systemd_directory_filter`\r\nFigure 12: Detection for Created Services\r\nAtomic Tests for Simulating Linux.Gomir\r\nAs defenders of our organization, it is essential to test the effectiveness of our defenses, including analytics, XDR, and antivirus products. This ensures they are properly configured and capable of detecting notable Linux.Gomir TTPs. In this section, we will guide you through the process of testing your detections using Atomic Red Team. These tests will help you validate and fine-tune your security measures to enhance your organization's resilience against threats.\r\nCreate Systemd Service: This test creates a Systemd service and timer, then starts and enables the timer.\r\nCron - Replace crontab with referenced file: This test replaces the current user's crontab file with the contents of the referenced file. This technique was used by numerous IoT automated exploitation attacks.\r\nCreate Systemd Service file, Enable the service, Modify and Reload the service: This test creates a “Systemd” service unit file and enables it to autostart on boot. 
Once the service is created and enabled, it also modifies this same service file.\r\nIOC\r\nThis blog helps security analysts, blue teamers and Splunk customers identify Linux.Gomir malware by enabling the community to discover related TTPs used by threat actors and adversaries. You can implement the detections in this blog using the Enterprise Security Content Updates app or the Splunk Security Essentials app. To view the Splunk Threat Research Team's complete security content repository, visit research.splunk.com.\r\nContributors\r\nWe would like to thank Teoderick Contreras for authoring this post and the entire Splunk Threat Research Team for their contributions.\r\nSource: https://www.splunk.com/en_us/blog/security/breaking-down-linux-gomir-understanding-this-backdoors-ttps.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.splunk.com/en_us/blog/security/breaking-down-linux-gomir-understanding-this-backdoors-ttps.html"
	],
	"report_names": [
		"breaking-down-linux-gomir-understanding-this-backdoors-ttps.html"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434076,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bd9dc8be4650cc39996d9aa5c9f65305dd8ab7de.pdf",
		"text": "https://archive.orkl.eu/bd9dc8be4650cc39996d9aa5c9f65305dd8ab7de.txt",
		"img": "https://archive.orkl.eu/bd9dc8be4650cc39996d9aa5c9f65305dd8ab7de.jpg"
	}
}