Recent Linux Backdoor Targets Linux Users

Recent Linux Backdoor Targets Linux Users

Recently, cybersecurity researchers at Symantec uncovered a fresh Linux backdoor actively targeting users through installation packages.

All about Linux Backdoor

Symantec revealed a new Linux backdoor dubbed Linux.Gomir, attributed to the Springtail hacking group from North Korea, reportedly linked to recent malware assaults on South Korean targets.

Gomir bears resemblance to the GoBear backdoor found in earlier Springtail campaigns, leveraging Trojanized software.

Springtail, believed to be a tightly knit unit within North Korean military intelligence, has conducted cyber espionage operations previously, such as the 2014 disk wiper attack on Korea Hydro and Nuclear Power.

They recently exploited DMARC policies for social engineering, masquerading as experts on North Korean issues.

The Springtail group initiated a campaign disseminating the new Troll Stealer malware, an information stealer coded in Go, sharing code segments with previous Springtail malware like GoBear or BetaSeed backdoors.

Troll Stealer was spread through Trojanized software installers, including TrustPKI, NX_PRNMAN from SGA Solutions, and Wizvera VeraPort, previously compromised in 2020.

The campaign targeted government agencies by copying GPKI data and exploiting legitimate websites that required a login. Additionally, GoBear was disseminated by posing as an app installer for a Korean transport organization, utilizing a stolen certificate.

Symantec observed Linux.Gomir, a Linux variant of Springtail’s GoBear Windows backdoor, sharing significant code similarities.

If executed with the “install” argument, Gomir checks its privileges by replicating itself to /var/log/syslogd and establishing a persistent systemd service if running as root, or configuring a crontab entry otherwise.

Once installed, it communicates via HTTP POST with its C&C server, transmitting an infection ID after hashing the hostname and username, and receiving Base64-encoded commands.

Gomir’s structure and installation routines are remarkably similar to those of GoBear, underscoring the group’s cross-platform targeting capabilities. Gomir employs custom encryption to decode received commands, ensuring the system can support 17 GoBear-like operations.

This campaign reveals North Korean groups’ inclination towards software supply chain vectors such as Trojanized installers, fake apps, and compromised update channels. Springtail carefully selects popular software among targeted South Korean audiences, Trojanizing them on third-party websites where they must be installed.

The group’s evolving tactics exhibit a sophisticated and targeted approach to cyber espionage operations.


  • 30584f13c0a9d0c86562c803de350432d5a0607a06b24481ad4d92cdf7288213 – Linux.Gomir
  • 7bd723b5e4f7b3c645ac04e763dfc913060eaf6e136eecc4ee0653ad2056f3a0 – GoBear Dropper
  • d7f3ecd8939ae8b170b641448ff12ade2163baad05ca6595547f8794b5ad013b – Troll Stealer
  • 36ea1b317b46c55ed01dd860131a7f6a216de71958520d7d558711e13693c9dc – Troll Stealer
  • 8e45daace21f135b54c515dbd5cf6e0bd28ae2515b9d724ad2d01a4bf10f93bd – Troll Stealer
  • 6c2a8e2bbe4ebf1fb6967a34211281959484032af1d620cbab390e89f739c339 – Troll Stealer
  • 47d084e54d15d5d313f09f5b5fcdea0c9273dcddd9a564e154e222343f697822 – Troll Stealer
  • 8a80b6bd452547650b3e61b2cc301d525de139a740aac9b0da2150ffac986be4 – Troll Stealer 
  • 380ec7396cc67cf1134f8e8cda906b67c70aa5c818273b1db758f0757b955d81  – Troll Stealer
  • ff945b3565f63cef7bb214a93c623688759ee2805a8c574f00237660b1c4d3fd – Troll Stealer
  • cc7a123d08a3558370a32427c8a5d15a4be98fb1b754349d1e0e48f0f4cb6bfc  – Troll Stealer
  • 8898b6b3e2b7551edcceffbef2557b99bdf4d99533411cc90390eeb278d11ac8 – Troll Stealer
  • ecab00f86a6c3adb5f4d5b16da56e16f8e742adfb82235c505d3976c06c74e20 – Troll Stealer
  • d05c50067bd88dae4389e96d7e88b589027f75427104fdb46f8608bbcf89edb4 – Troll Stealer
  • a98c017d1b9a18195411d22b44dbe65d5f4a9e181c81ea2168794950dc4cbd3c – Troll Stealer
  • 831f27eb18caf672d43a5a80590df130b0d3d9e7d08e333b0f710b95f2cde0e0 – Troll Stealer
  • bc4c1c869a03045e0b594a258ec3801369b0dcabac193e90f0a684900e9a582d – Troll Stealer
  • 5068ead78c226893df638a188fbe7222b99618b7889759e0725d85497f533e98 – Troll Stealer
  • 216.189.159[.]34

About the Author:

FirstHackersNews- Identifies Security

Leave A Comment

Subscribe to our newsletter to receive security tips everday!