Springtail: New Linux Backdoor Added to Toolkit

Symantec’s Threat Hunter Team has uncovered a new Linux backdoor developed by the North Korean Springtail espionage group (aka Kimsuky) that is linked to malware used in a recent campaign against organizations in South Korea.

The backdoor (Linux.Gomir) appears to be a Linux version of the GoBear backdoor, which was used in a recent Springtail campaign that saw the attackers deliver malware via Trojanized software installation packages. Gomir is structurally almost identical to GoBear, with extensive sharing of code between malware variants.

Read more…
Source: Symantec

Sign up for our Newsletter


  • Apple alerts users in 92 nations to mercenary spyware attacks

    April 11, 2024

    Apple sent threat notifications to iPhone users in 92 countries on Wednesday, warning them that may have been targeted by mercenary spyware attacks. The company sent the alerts to individuals in 92 nations at 12pm Pacific Time Wednesday. It did not disclose the attackers’ identities or the countries where users received notifications. “Apple detected that you ...

  • LazyStealer: Sophisticated does not mean better

    April 4, 2024

    In the first quarter of 2024, researchers from Positive Technologies Expert Security Center (PT ESC) detected a series of attacks targeting government organizations in Russia, Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, and Armenia. The research team could not find any links to known groups that used the same techniques. The main goal of the attack was stealing ...

  • Why the threat of a ‘nightmare’ Chinese supercomputer just got a step closer

    April 4, 2024

    A cyber security official at the US State Department had noticed something unusual. An internal IT security system, nicknamed “Big Yellow Taxi”, had flagged unusual activity on its corporate Microsoft account. The tech team quickly raised its concerns to Microsoft, hopeful that the alert was just a false positive. What rapidly emerged, however, was that a ...

  • Cloud Werewolf spearphishes Russian and Belarus government employees with fake spa vouchers and federal decrees

    March 29, 2024

    The BI.ZONE Threat Intelligence team has revealed another campaign by Cloud Werewolf aiming at Russian and Belarusian government organizations. According to the researchers, the group ran at least five attacks in February and March. The adversaries continue to rely on phishing emails with Microsoft Office attachments. Placing malicious content on a remote server and limiting the ...

  • Chinese hackers targeted UK’s Electoral Commission and politicians, say security services

    March 25, 2024

    Chinese state-backed hackers were responsible for two “malicious” digital campaigns targeting the UK’s democratic institutions and politicians, the security services have found. The UK holds China responsible for a prolonged cyber-attack on the Electoral Commission during which Beijing allegedly accessed the personal details of about 40 million voters. Two individuals and a front company linked to ...

  • APT29 Uses WINELOADER to Target German Political Parties

    March 22, 2024

    In late February 2024, Mandiant identified APT29 — a Russian Federation backed threat group linked by multiple governments to Russia’s Foreign Intelligence Service (SVR) — conducting a phishing campaign targeting German political parties. Consistent with APT29 operations extending back to 2021, this operation leveraged APT29’s mainstay first-stage payload ROOTSAW (aka EnvyScout) to deliver a new backdoor ...