Symantec warns that the North Korea-linked Kimsuky APT group used a new Linux backdoor named Gomir in a recent cyber espionage campaign targeting organizations in South Korea. The malware, a version of the GoBear backdoor, was delivered through Trojanized software installation packages. Kimsuky, also known as Springtail or Black Banshee, has a history of targeting think tanks and organizations primarily in South Korea, but it has also been reported to have victims in the United States, Europe, and Russia.

North Korean Kimsuky used a new Linux backdoor in recent attacks

The group was particularly active in 2023, focusing on nuclear agendas related to the conflict between Russia and Ukraine. Troll Stealer, another malware spotted in the campaign, was observed stealing files, screenshots, browser data, and system information and had code overlap with earlier Kimsuky malware. The presence of GPKI-infrastructure-stealing capabilities indicates that state agencies were among the targets of this APT group.
https://securityaffairs.com/163364/apt/kimsuky-new-linux-backdoor.html