S1197: GoBear
Analyst context for executives and security teams
GoBear matters because ATT&CK describes it as a Windows, Go-based backdoor that abuses legitimate stolen certificates for defense evasion and is linked by ATT&CK to Kimsuky operations. For leaders, the key issue is not just malware presence; it is whether trust decisions around signed code, executable naming/location, and outbound proxy-like communications are strong enough to withstand malware that may appear legitimate at first glance.
Executive priority
Prioritize GoBear as a validation case for endpoint trust, certificate governance, and SOC readiness. Executives should ask whether signed binaries are still inspected, whether certificate abuse can be investigated quickly, and whether incident responders can correlate endpoint execution with suspicious command-and-control proxy behavior. This is especially relevant for organizations using code-signing trust as compliance or allowlisting evidence, because a valid-looking signature alone may not prove software is safe.
Technical view
ATT&CK provides no dedicated detection text for GoBear, so defenders should validate coverage through the mapped behaviors: T1553.002 Code Signing, T1036.005 Match Legitimate Resource Name or Location, and T1090 Proxy. On Windows, SOC teams should test whether endpoint telemetry records executable metadata, signer and certificate details, file path and naming anomalies, process lineage, and network connections that may indicate proxy-mediated command-and-control. IR teams should be prepared to preserve binaries, certificate chains, file locations, process trees, and network evidence before relying on signature reputation.
Likely telemetry
- Windows endpoint process creation and parent/child process telemetry
- File creation, modification, path, and executable metadata
- Code-signing, signer, certificate chain, and certificate reputation details
- Endpoint security alerts involving signed but suspicious binaries
- Network connection logs, proxy logs, firewall logs, and DNS records
Detection direction
- Do not treat signed code as inherently benign; tune detections to inspect certificate context, signer anomalies, and signed executables behaving unexpectedly.
- Validate monitoring for binaries placed or named to resemble legitimate resources, especially when execution path, parent process, or behavior is unusual.
- Correlate Windows process execution with outbound network activity that may indicate proxy use or indirect command-and-control.
- Expect false positives from legitimate signed software and enterprise proxy use; reduce noise with baselines for approved signers, expected install paths, and normal network destinations.
- Use the Kimsuky relationship as threat-intelligence context for prioritization, not as proof of local attribution without environment-specific evidence.
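The correlation described above, as an added example that is not ATT&CK's or Glexia's code: it scores each Windows process-creation record on signer context (T1553.002), execution path and naming anomalies (T1036.005) and non-baselined outbound connections (T1090), using the kind of allow-list baselines the Detection direction list recommends. The record layout, the baseline values (approved signers, install directories, destinations) and every sample event are constructed for the illustration.

```python
"""Correlate Windows process-creation telemetry with signer context and
outbound network connections to surface signed-but-suspicious executables.

Added example for this page; it is not ATT&CK or Glexia code. The record
layout, the baseline values and every sample event below are constructed.
"""
from dataclasses import dataclass, field
from typing import List

# --- Baselines (constructed): what this environment considers normal -------
APPROVED_SIGNERS = {"Contoso Software Ltd", "Microsoft Windows"}
EXPECTED_INSTALL_DIRS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
)
# Binary names that are commonly borrowed; a copy running elsewhere is a
# naming/location anomaly (T1036.005).
LEGIT_NAME_LOCATIONS = {"svchost.exe": "c:\\windows\\system32\\"}
APPROVED_NET_DESTS = {"proxy.corp.example:8080", "updates.corp.example:443"}


@dataclass
class ProcessEvent:
    pid: int
    image: str            # full path of the executable
    parent_image: str
    signed: bool
    signer: str           # leaf certificate subject, "" when unsigned
    signature_valid: bool
    cert_revoked: bool = False


@dataclass
class NetEvent:
    pid: int
    dest: str             # "host:port" of the outbound connection


@dataclass
class Finding:
    pid: int
    image: str
    score: int
    reasons: List[str] = field(default_factory=list)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def assess(proc: ProcessEvent, nets: List[NetEvent]) -> Finding:
    """Score one process on signer, location and network context."""
    f = Finding(proc.pid, proc.image, 0)
    low = proc.image.lower()

    # 1. Signature context (T1553.002): a valid signature says who signed,
    #    not that the code is benign. Only baselined signers score 0.
    if proc.signed and proc.signature_valid and not proc.cert_revoked:
        if proc.signer not in APPROVED_SIGNERS:
            f.reasons.append(f"valid signature from non-baselined signer {proc.signer!r}")
            f.score += 2
    elif proc.signed and proc.cert_revoked:
        f.reasons.append("signing certificate is revoked")
        f.score += 4
    elif proc.signed:
        f.reasons.append("signature present but fails validation")
        f.score += 3
    else:
        f.reasons.append("unsigned executable")
        f.score += 1

    # 2. Location and naming context (T1036.005).
    if not low.startswith(EXPECTED_INSTALL_DIRS):
        f.reasons.append(f"executes from non-standard path {proc.image}")
        f.score += 2
    expected_dir = LEGIT_NAME_LOCATIONS.get(_basename(proc.image))
    if expected_dir and not low.startswith(expected_dir):
        f.reasons.append(f"name matches a system binary but path is not {expected_dir}")
        f.score += 3

    # 3. Network context (T1090): connections from this pid that are not in
    #    the destination baseline may indicate proxy-mediated C2.
    unexpected = sorted({n.dest for n in nets if n.pid == proc.pid} - APPROVED_NET_DESTS)
    if unexpected:
        f.reasons.append(f"outbound to non-baselined destination(s): {', '.join(unexpected)}")
        f.score += 2
    return f


def triage(procs: List[ProcessEvent], nets: List[NetEvent], threshold: int = 4) -> List[Finding]:
    """Return findings at or above the threshold, highest score first."""
    hits = [assess(p, nets) for p in procs]
    return sorted((h for h in hits if h.score >= threshold), key=lambda h: (-h.score, h.pid))


# --- Constructed sample telemetry ------------------------------------------
SAMPLE_PROCS = [
    ProcessEvent(100, r"C:\Program Files\Contoso\contoso.exe", r"C:\Windows\explorer.exe",
                 True, "Contoso Software Ltd", True),
    ProcessEvent(200, r"C:\Users\alice\AppData\Local\Temp\SecurityUpdate.exe",
                 r"C:\Windows\explorer.exe", True, "Example Co., Ltd", True),
    ProcessEvent(300, r"C:\Users\bob\Downloads\svchost.exe", r"C:\Windows\explorer.exe",
                 False, "", False),
    ProcessEvent(400, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
                 True, "Microsoft Windows", True),
]
SAMPLE_NETS = [
    NetEvent(100, "proxy.corp.example:8080"),
    NetEvent(200, "203.0.113.10:443"),
    NetEvent(400, "updates.corp.example:443"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_PROCS, SAMPLE_NETS):
        print(f"pid={hit.pid} score={hit.score} {hit.image}")
        for reason in hit.reasons:
            print("   -", reason)
```

The scoring weights are arbitrary; the point is that a valid signature from a signer outside the baseline is treated as a reason to look closer rather than as a reason to stop, and that the baselines for signers, install paths and destinations are what keep legitimate signed software and enterprise proxy use from generating noise.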
Mitigation priorities
- Maintain inventory and governance for trusted certificates and approved signed software.
- Require behavioral inspection of signed executables rather than relying only on signature validity.
- Harden application control or allowlisting policies with path, signer, and behavior context where feasible.
- Centralize endpoint, certificate, proxy, DNS, and firewall logs so IR can reconstruct execution and communications.
- Review incident response playbooks for handling suspected certificate abuse, including evidence preservation and revocation/escalation workflows.
Analyst notes and limits
This take is based on ATT&CK S1197 GoBear, its official description, external references, and relationships showing use by G0094 Kimsuky and use of T1036.005, T1090, and T1553.002. The strongest decision value is validating whether defensive programs can detect malicious behavior that may be hidden behind legitimate-looking code signing and naming/location choices.
ATT&CK provides no GoBear-specific detection guidance, aliases, labels, or tactics for the malware object. The object platform is Windows, while some related techniques list broader platforms; this summary does not extend GoBear coverage beyond Windows. Local telemetry, baselines, and incident evidence are required before making exposure, detection, or attribution conclusions.
GoBear
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1090 | Proxy | GoBear implements SOCKS5 proxy functionality. [1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique) | GoBear is installed through droppers masquerading as legitimate, signed software installers. [2] |
| Enterprise | T1553.002 | Code Signing (sub-technique) | GoBear uses stolen legitimate code signing certificates for defense evasion. [1][2] |
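Because the T1090 row only says that GoBear implements SOCKS5 proxy functionality, a SOC that wants to confirm proxy behaviour needs a way to recognise the protocol in captured traffic. The added example below (not code from ATT&CK, Glexia or the cited S2W/Symantec reports) parses the SOCKS5 client greeting and request messages as laid out in RFC 1928 and flags handshakes seen on sockets owned by processes that are not baselined proxy software. The flow records, the approved-proxy image path and the byte strings are constructed.

```python
"""Recognise SOCKS5 (RFC 1928) greeting and request messages in a captured
TCP payload so a flow can be labelled as proxy traffic and tied to a process.

Added example for this page, not code from ATT&CK, Glexia or the S2W/Symantec
reports; the byte strings and flow records below are constructed.
"""
import ipaddress
import struct
from typing import Dict, Iterable, List, Optional, Tuple

SOCKS_VERSION = 0x05
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}

# Constructed baseline: software that is allowed to speak SOCKS5 on this host.
APPROVED_PROXY_IMAGES = {r"c:\program files\corpproxy\proxy.exe"}


def parse_greeting(payload: bytes) -> Optional[Dict]:
    """Client greeting: VER | NMETHODS | METHODS[NMETHODS]."""
    if len(payload) < 2 or payload[0] != SOCKS_VERSION:
        return None
    n = payload[1]
    if n == 0 or len(payload) != 2 + n:
        return None
    return {"kind": "greeting", "methods": list(payload[2:2 + n])}


def parse_request(payload: bytes) -> Optional[Dict]:
    """Client request: VER | CMD | RSV(0x00) | ATYP | DST.ADDR | DST.PORT."""
    if len(payload) < 7 or payload[0] != SOCKS_VERSION or payload[2] != 0:
        return None
    cmd, atyp = payload[1], payload[3]
    if cmd not in CMD_NAMES:
        return None
    if atyp == 1:                       # IPv4: 4 address bytes
        if len(payload) != 10:
            return None
        host, end = str(ipaddress.IPv4Address(payload[4:8])), 8
    elif atyp == 3:                     # domain name: length-prefixed
        ln = payload[4]
        if len(payload) != 5 + ln + 2:
            return None
        host, end = payload[5:5 + ln].decode("ascii", "replace"), 5 + ln
    elif atyp == 4:                     # IPv6: 16 address bytes
        if len(payload) != 22:
            return None
        host, end = str(ipaddress.IPv6Address(payload[4:20])), 20
    else:
        return None
    port = struct.unpack("!H", payload[end:end + 2])[0]
    return {"kind": "request", "cmd": CMD_NAMES[cmd], "host": host, "port": port}


def classify(payload: bytes) -> Optional[Dict]:
    """Return a parsed SOCKS5 greeting or request, or None for other traffic."""
    return parse_greeting(payload) or parse_request(payload)


def flag_unexpected_socks(flows: Iterable[Tuple[int, str, bytes]]) -> List[Dict]:
    """flows: (pid, image path, payload). Report SOCKS5 handshakes on processes
    that are not baselined proxy software."""
    findings = []
    for pid, image, payload in flows:
        parsed = classify(payload)
        if parsed is None or image.lower() in APPROVED_PROXY_IMAGES:
            continue
        findings.append({"pid": pid, "image": image, **parsed})
    return findings


# Constructed sample flows: one unexpected SOCKS5 speaker, one approved proxy,
# one plain HTTP request that must not be mis-labelled.
SAMPLE_FLOWS = [
    (4242, r"C:\Users\alice\AppData\Local\Temp\SecurityUpdate.exe", b"\x05\x01\x00"),
    (4242, r"C:\Users\alice\AppData\Local\Temp\SecurityUpdate.exe",
     b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"),
    (777, r"C:\Program Files\CorpProxy\proxy.exe", b"\x05\x02\x00\x02"),
    (900, r"C:\Program Files\Contoso\contoso.exe", b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for finding in flag_unexpected_socks(SAMPLE_FLOWS):
        print(finding)
```

Matching only the greeting and request messages keeps the check cheap enough to run over the first bytes of every flow, and tying the hit to the owning process is what turns "SOCKS5 seen on the network" into "this executable is offering proxy functionality", which is the question the T1090 mapping raises for an endpoint.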
Groups, software, and campaigns
G0094: Kimsuky
Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]
Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]
DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 6bea5994e0a3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] S2W Troll Stealer 2024: Jiho Kim & Sebin Lee, S2W. (2024, February 7). Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.). Retrieved January 17, 2025. (Open source URL)
- [2] Symantec Troll Stealer 2024: Symantec Threat Hunter Team. (2024, May 16). Springtail: New Linux Backdoor Added to Toolkit. Retrieved January 17, 2025. (Open source URL)
- [3] mitre-attack S1197. (Open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.