{
	"id": "6358f7c9-1d65-414d-bd01-0c2bec0f1760",
	"created_at": "2026-04-06T00:15:21.046174Z",
	"updated_at": "2026-04-10T03:37:40.907612Z",
	"deleted_at": null,
	"sha1_hash": "e8feee3a8be0dcffa6430a826b5193269142b10f",
	"title": "Springtail: New Linux Backdoor Added to Toolkit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65663,
	"plain_text": "Springtail: New Linux Backdoor Added to Toolkit\r\nArchived: 2026-04-05 15:34:26 UTC\r\nSymantec’s Threat Hunter Team has uncovered a new Linux backdoor developed by the North Korean Springtail espionage group (aka Kimsuky) that is linked to malware used in a recent campaign against organizations in South Korea.\r\nThe backdoor (Linux.Gomir) appears to be a Linux version of the GoBear backdoor, which was used in a recent Springtail campaign that saw the attackers deliver malware via Trojanized software installation packages. Gomir is structurally almost identical to GoBear, with extensive sharing of code between malware variants.\r\nBackground\r\nSpringtail is a tight-knit espionage group that initially specialized in attacks on public sector organizations in South Korea. The group first came to public attention in 2014, when the South Korean government said it was responsible for an attack on Korea Hydro and Nuclear Power (KHNP). Multiple employees at KHNP were targeted with spear-phishing emails containing exploits that installed disk-wiping malware on their machines. The U.S. government has said that the group is a unit of North Korea’s military intelligence organization, the Reconnaissance General Bureau (RGB).\r\nThe group was the subject of a U.S. government alert in recent days due to attempts to exploit improperly configured DNS Domain-based Message Authentication, Reporting and Conformance (DMARC) record policies to conceal social engineering attempts. According to a joint advisory issued by the Federal Bureau of Investigation (FBI), the U.S. 
Department of State, and the National Security Agency (NSA), the group has been mounting spear-phishing campaigns pretending to be journalists, academics, and experts in East Asian affairs “with credible links to North Korean policy circles”.\r\nTrojanized software packages\r\nThe campaign, which was first documented by South Korean security firm S2W in February 2024, saw Springtail deliver a new malware family named Troll Stealer using Trojanized software installation packages. Troll Stealer can steal a range of information from infected computers including files, screenshots, browser data, and system information. Written in Go, like many newer Springtail malware families, Troll Stealer contained a large amount of code overlap with earlier Springtail malware.\r\nTroll Stealer’s functionality included the ability to copy the GPKI (Government Public Key Infrastructure) folder on infected computers. GPKI is the public key infrastructure schema for South Korean government personnel and state organizations, suggesting that government agencies were among the targets of the campaign.\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage\r\nPage 1 of 5\n\nS2W reported that the malware was distributed inside installation packages for TrustPKI and NX_PRNMAN, software developed by SGA Solutions. The installation packages were reportedly downloaded from a page that was redirected from a specific website.\r\nSouth Korean security firm AhnLab subsequently provided further details on the downloads, saying they originated from the website of an association in the construction sector. The website required users to log in, and the affected packages were among those that users had to install to do so.\r\nSymantec has since discovered that Troll Stealer was also delivered in Trojanized installation packages for Wizvera VeraPort. 
It is unclear how these installation packages were delivered during the current campaign.\r\nWizvera VeraPort was previously reported to have been compromised in a North Korea-linked software supply chain attack in 2020.\r\nTroll Stealer and GoBear\r\nTroll Stealer appears to be related to another recently discovered Go-based backdoor named GoBear. Both threats are signed with a legitimate certificate issued to “D2innovation Co.,LTD”. GoBear also contains similar function names to an older Springtail backdoor known as BetaSeed, which was written in C++, suggesting that both threats have a common origin.\r\nAhnLab later explicitly linked the two threats, saying that many of the malicious installers it had analyzed contained both Troll Stealer and either of the GoBear or BetaSeed backdoors, which it referred to as the Endoor malware family.\r\nSeveral weeks later, GoBear was being distributed by a dropper masquerading as an installer for an app for a Korean transport organization. In this case, the attackers did not Trojanize a legitimate software package but instead disguised the dropper as an installer featuring the organization’s logos. The dropper was signed with what appeared to be a stolen certificate.\r\nGomir backdoor\r\nSymantec’s investigation into the attacks uncovered a Linux version of this malware family (Linux.Gomir), which is structurally almost identical to, and shares an extensive amount of distinct code with, the Windows Go-based backdoor GoBear. Any functionality from GoBear that is operating system-dependent is either missing or reimplemented in Gomir.\r\nWhen executed, it checks its command line and, if it contains the string “install” as its only argument, it will attempt to install itself with persistence.\r\nTo determine how it installs itself, Gomir checks the effective group ID (as reported by the getegid32() syscall) of its own process. 
If the process is running as group 0, Gomir assumes that it is running with superuser privileges and attempts to copy itself as the following file:\r\n/var/log/syslogd\r\nIt then attempts to create a systemd service with the name \"syslogd\" by creating the file:\r\n/etc/systemd/system/syslogd.service\r\nThe file contains:\r\n[Unit]\r\nAfter=network.target\r\nDescription=syslogd\r\n[Service]\r\nExecStart=/bin/sh -c \"/var/log/syslogd\"\r\nRestart=always\r\n[Install]\r\nWantedBy=multi-user.target\r\nGomir will then enable and start the created service by executing the following sequence of commands:\r\n${SHELL} -c systemctl daemon-reload\r\n${SHELL} -c systemctl reenable syslogd\r\n${SHELL} -c systemctl start syslogd\r\nIt will then delete the original executable and terminate the original process.\r\nIf the process is running as any group other than 0, Gomir attempts to configure a crontab to start the backdoor on every reboot. It first creates a helper file (cron.txt) in the current working directory with the following content:\r\n@reboot [PATHNAME_OF_THE_EXECUTING_PROCESS]\r\nNext, it seems to attempt to list any pre-existing crontab entries by running the following command:\r\n/bin/sh -c crontab -l\r\nIt appends the output to the created helper file. 
\r\nGomir then updates the crontab configuration by executing the following command:\r\n${SHELL} -c crontab cron.txt\r\nGomir then deletes the helper file before executing itself without any command-line parameters.\r\nOnce installed and running, Gomir periodically communicates with its command-and-control (C\u0026C) server by sending HTTP POST requests to: http://216.189.159[.]34/mir/index.php\r\nWhen polling for commands to execute, Gomir sends a request with the following HTTP request body:\r\na[9_RANDOM_ALPHANUMERIC_CHARACTERS]=2\u0026b[9_RANDOM_ALPHANUMERIC_CHARACTERS]=[INFECTION_ID]1\u0026c[9_RANDOM_ALPHANUMERIC_CHARACTERS]=\r\nThe INFECTION_ID is generated using the following method:\r\nimport hashlib\r\n\r\ndef generate_infection_id(hostname, username):\r\n    # MD5 of hostname + username, hex-encoded; .encode() added for Python 3 (the report's pseudocode hashes the strings directly)\r\n    hexdigest = hashlib.md5((hostname + username).encode()).hexdigest()\r\n    return \"g-\" + hexdigest[:10]\r\nThe expected body of the HTTP server response is a string starting with the letter S. Gomir then attempts to decode the remaining characters of the string using the Base64 algorithm. The decoded blob has the following structure:\r\nGomir then uses a custom encryption algorithm to decrypt the previously discussed command.\r\nThe first two characters of the command identify the operation to execute. Gomir allows the execution of 17 different commands. The commands are almost identical to those supported by the GoBear Windows backdoor: \r\nHeavy focus on supply chain attacks\r\nThis latest Springtail campaign provides further evidence that software installation packages and updates are now among the most favored infection vectors for North Korean espionage actors. 
Variations of this tactic include:\r\nSoftware supply chain attacks\r\nTrojanized software installers\r\nFake software installers\r\nThe most notable example to date is the 3CX supply chain attack, which itself was the result of the earlier X_Trader supply chain attack. Springtail, meanwhile, has focused on Trojanized software installers hosted on third-party sites requiring their installation or masquerading as official apps. The software targeted appears to have been carefully chosen to maximize the chances of infecting its intended South Korean-based targets.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage"
	],
	"report_names": [
		"springtail-kimsuky-backdoor-espionage"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434521,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e8feee3a8be0dcffa6430a826b5193269142b10f.pdf",
		"text": "https://archive.orkl.eu/e8feee3a8be0dcffa6430a826b5193269142b10f.txt",
		"img": "https://archive.orkl.eu/e8feee3a8be0dcffa6430a826b5193269142b10f.jpg"
	}
}