MalwareUsed by 2 actors

GoBear

GoBear is a Go-based backdoor linked by S2W Talon to Kimsuky’s SeedpuNK subgroup, a North Korean intrusion cluster associated with AppleSeed-related activity. It was first discovered on 2023-12-12 and was identified alongside other related malware including AlphaSeed, BetaSeed, and Troll Stealer. GoBear supports persistence, command execution, file upload and download, TCP connection handling, victim information gathering, self-deletion, and SOCKS proxy management; reporting also specifically notes SOCKS5 proxy functionality. The malware has been observed installed through droppers masquerading as legitimate signed software installers, and it uses stolen legitimate code-signing certificates for defense evasion. AlphaSeed, Troll Stealer, and GoBear were all protected with VMProtect, and AlphaSeed and GoBear were also packed with UPX. A Linux variant of GoBear has also been reported; Symantec refers to that variant as Gomir. The Linux variant used IP address 216.189.159[.]34, which had previously been used by an AppleSeed dropper sample. The broader activity is associated with targeting that includes South Korean government and public-sector-related environments, consistent with Kimsuky operations.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

Kimsuky

S2W Talon has named these malware samples BetaSeed (backdoor), AlphaSeed (backdoor), GoBear (backdoor) and Troll Stealer, respectively, based on the chronological order of their discovery.

via virusbulletinvirusbulletin.com

SeedpuNK

S2W Talon has named these malware samples BetaSeed (backdoor), AlphaSeed (backdoor), GoBear (backdoor) and Troll Stealer, respectively, based on the chronological order of their discovery.

via virusbulletinvirusbulletin.com

MITRE ATT&CK

Techniques & procedures

15 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique

T1588.004Digital CertificatesEvidence1

TacticResource Development

The SGA Solutions installer file is confirmed to be signed with a valid D2innovation Co., LTD certificate.

Initial Access

1 technique

T1566PhishingEvidence1

TacticInitial Access

The group primarily uses spear-phishing attacks to distribute malware and attempt to take over accounts to harvest data.

Execution

1 technique

T1053Scheduled Task/JobEvidence1

TacticsExecution Persistence Privilege Escalation

The currently running file is copied with the name ‘svchost.exe’, and registered in the scheduler. • Command: schtasks /create /tn “Windows Update” /tr “C:\Users\user\svchost.exe UpdateNormal” /sc minute /mo 15 f

Persistence

1 technique

T1053Scheduled Task/JobEvidence1

TacticsExecution Persistence Privilege Escalation

Privilege Escalation

1 technique

T1053Scheduled Task/JobEvidence1

TacticsExecution Persistence Privilege Escalation

Stealth

5 techniques

T1027.002Software PackingEvidence1

TacticStealth

The malware is packed with VMProtector.

T1036MasqueradingEvidence2

TacticStealth

During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.

T1036.003Rename Legitimate UtilitiesEvidence1

TacticStealth

Bad Rabbit has masqueraded as a Flash Player installer through the executable file install_flash_player.exe.

T1036.005Match Legitimate Resource Name or LocationEvidence1

TacticStealth

T1218.010Regsvr32Evidence1

TacticStealth

Loads malicious DLL through regsvr32.exe.

Defense Impairment

1 technique

T1553.002Code SigningEvidence2

TacticDefense Impairment

The content repeatedly describes threat actors and malware using valid, stolen, forged, self-signed, or abused code-signing certificates to sign malware and appear legitimate, including examples such as AppleJeus using a valid digital signature from Sectigo, APT41 leveraging code-signing certificates, FIN7 signing Carbanak payloads, and SUNBURST being digitally signed by SolarWinds.

Discovery

1 technique

T1082System Information DiscoveryEvidence1

TacticDiscovery

Uses the systeminfo command to gather system information.

Command and Control

4 techniques

T1071.001Web ProtocolsEvidence1

TacticCommand and Control

Performs HTTP communication to exfiltrate the stolen information.

T1090ProxyEvidence2

TacticCommand and Control

"Aria-body has the ability to use a reverse SOCKS proxy module." / "BADHATCH can use SOCKS4 and SOCKS5 proxies..." / "Neo-reGeorg... establish a SOCKS5 proxy" / "Remcos uses the infected hosts as SOCKS5 proxies"

T1090.003Multi-hop ProxyEvidence1

TacticCommand and Control

This campaign employed novel techniques, such as disguising malware as installation files for South Korea’s electronic document security programs in order to steal from the GPKI folder, used by government administrative and public institutions in South Korea, and exploiting the SOCKS5 protocol.

T1090.004Domain FrontingEvidence1

TacticCommand and Control

Aria-body has the ability to use a reverse SOCKS proxy module... BADHATCH can use SOCKS4 and SOCKS5 proxies... GoBear implements SOCKS5 proxy functionality... Neo-reGeorg has the ability to establish a SOCKS5 proxy... Remcos uses the infected hosts as SOCKS5 proxies...

Exfiltration

1 technique

T1041Exfiltration Over C2 ChannelEvidence1

TacticExfiltration

Troll Stealer exfiltrates stolen information to a hard-coded C&C server within the malware.

INDICATORS OF COMPROMISE

IOCs tracked for this family

6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Network

2 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes

3 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other

1 tracked

Other indicator types observed in public reporting.

TypeValueLatest sighting

domain●●●●●●●●●●●●View more in app—

hash.md5●●●●●●●●●●●●View more in app—

uri●●●●●●●●●●●●View more in app—

hash.sha256●●●●●●●●●●●●View more in app—

ip.v4●●●●●●●●●●●●View more in app—

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app

mitre attack websiteNews

Mar 8, 2018

Subvert Trust Controls: Code Signing, Sub-technique T1553.002 - Enterprise | MITRE ATT&CK®

GoBear uses stolen legitimate code-signing certificates to evade detection.

mitre attackNews

Mar 18, 2026

Masquerading: Match Legitimate Resource Name or Location, Sub-technique T1036.005 - Enterprise | MITRE ATT&CK®

GoBear is installed through droppers masquerading as legitimate, signed software installers.

mitre attackNews

Mar 18, 2026

Proxy, Technique T1090 - Enterprise | MITRE ATT&CK®

Malware implementing SOCKS5 proxy functionality.

mitre attack websiteNews

Mar 18, 2026

Proxy, Technique T1090 - Enterprise | MITRE ATT&CK®

Tool/malware implementing SOCKS5 proxy functionality.

+1 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching6

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution2

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping15

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.