The Kimsuky APT group, associated with North Korea's Reconnaissance General Bureau, has deployed the Gomir Linux backdoor in cyber attacks targeting South Korean organizations. The backdoor is structurally similar to GoBear, shares code with known Kimsuky malware families, and is distributed through trojanized security programs. Symantec reports similarities between Gomir and a previous Springtail backdoor, indicating a common origin.
Gomir supports 17 commands, enabling remote execution of various operations, and is delivered through fake installers. This campaign underscores North Korean actors' preference for software installation packages as infection vectors, strategically targeting South Korean software to maximize success in espionage activities. https://thehackernews.com/2024/05/kimsuky-apt-deploying-linux-backdoor.html