MalwareUsed by 2 actors

BetaSeed

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

Kimsuky

S2W Talon has named these malware samples BetaSeed (backdoor), AlphaSeed (backdoor), GoBear (backdoor) and Troll Stealer, respectively, based on the chronological order of their discovery.

via virusbulletinvirusbulletin.com

SeedpuNK

S2W Talon has named these malware samples BetaSeed (backdoor), AlphaSeed (backdoor), GoBear (backdoor) and Troll Stealer, respectively, based on the chronological order of their discovery.

via virusbulletinvirusbulletin.com

MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique

T1588.004Digital CertificatesEvidence1

TacticResource Development

The SGA Solutions installer file is confirmed to be signed with a valid D2innovation Co., LTD certificate.

Initial Access

1 technique

T1566PhishingEvidence1

TacticInitial Access

The group primarily uses spear-phishing attacks to distribute malware and attempt to take over accounts to harvest data.

Discovery

1 technique

T1082System Information DiscoveryEvidence1

TacticDiscovery

Uses the systeminfo command to gather system information.

Collection

1 technique

T1005Data from Local SystemEvidence1

TacticCollection

Steals specific files located on the C drive, including SSH and FileZilla data.

Command and Control

1 technique

T1071.001Web ProtocolsEvidence1

TacticCommand and Control

Performs HTTP communication to exfiltrate the stolen information.

Exfiltration

1 technique

T1041Exfiltration Over C2 ChannelEvidence1

TacticExfiltration

Troll Stealer exfiltrates stolen information to a hard-coded C&C server within the malware.

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Hashes

1 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

TypeValueLatest sighting

hash.md5●●●●●●●●●●●●View more in app—

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

virusbulletinNews

May 26, 2026

C/C++ backdoor associated with SeedpuNK/Kimsuky that performs malicious activities based on commands received from C2. It is discussed mainly as a related malware whose command/function naming overlaps with GoBear.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching1

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution2

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping6

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.