S1198: Gomir
Analyst context for executives and security teams
Gomir matters because ATT&CK documents it as a Linux backdoor, a variant of the Go-based GoBear malware, and relates it through ATT&CK relationships to Kimsuky operations. For leaders, the decision point is less "do we recognize this malware name" than whether Linux servers and workloads produce enough visibility to confirm persistence, discovery, command execution, and web-based, encrypted command-and-control behaviors.
Executive priority
Prioritize this as a Linux visibility and response-readiness issue. ATT&CK maps Gomir to behaviors that can support persistence through cron or systemd, internal discovery, file deletion, shell execution, and command-and-control over web and encrypted channels. Executives should ask whether critical Linux systems, including business applications and infrastructure services, produce audit-ready evidence for these behaviors and whether incident responders can isolate, investigate, and recover those hosts without relying only on network perimeter alerts.
Technical view
SOC and IR teams should validate coverage around the related ATT&CK techniques: cron and systemd persistence, Unix shell execution, local group/system/network/file discovery, file deletion, internal proxy behavior, and C2 using web protocols, standard encoding, and encrypted or asymmetric channels. Because ATT&CK provides no dedicated detection text for Gomir, detection engineering should be behavior-led rather than name-led, using Linux host telemetry and network telemetry to correlate suspicious service or scheduled task changes with discovery commands and unusual outbound or internal proxy-like traffic.
Likely telemetry
- Linux process execution and command-line telemetry, especially shell activity and its parent process
- Cron configuration and crontab modification records, including the user or group the entry was written under
- Systemd unit file creation, modification, enablement, and service start events, with the ExecStart path recorded
- Linux authentication, user, group, and privilege-related logs
- File creation, modification, and deletion telemetry for sensitive paths and staging locations such as /tmp and hidden directories
- Outbound HTTP/HTTPS, proxy, and DNS logs from Linux hosts, since the mapped command-and-control behavior is periodic HTTP POST traffic with Base64-encoded content
Detection direction
- Do not depend on a Gomir-specific signature alone; ATT&CK did not provide official detection guidance for this object.
- Correlate new or modified cron/systemd persistence with nearby shell execution and discovery activity such as system, network, file, directory, remote host, or local group enumeration.
- Review Linux hosts that generate unusual web-protocol traffic, encrypted C2-like sessions, or encoded payload patterns, especially when paired with host discovery or persistence changes.
- Tune for administrative false positives: cron, systemd, shell scripts, and discovery commands are common in Linux operations, so detections should include user, parent process, path, timing, and change-management context.
- Assess blind spots on servers where EDR, auditd, process command-line logging, DNS logging, or egress monitoring is absent or inconsistent.
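As an added illustration of the behavior-led correlation described in the list above, the script below scores Linux host events per host: a systemd unit written under the name `syslogd` whose ExecStart lies outside standard binary directories, an executable that ran and was then deleted in the same window, a non-root `@reboot` crontab entry, and clustered discovery commands. This is example code written for this page, not code from the Symantec report, MITRE, or the malware itself; the event schema, trusted-directory list, score weights, and sample events are assumptions that must be mapped onto your own auditd or EDR fields before use.

```python
"""
Behavior-led correlation for Gomir-style Linux persistence.

Added example; not code from the page, Symantec, or MITRE. The event records
below use a constructed, simplified schema (type/ts/host/path/exe/...). Map
your own auditd or EDR fields (EXECVE, PATH, SYSCALL unlink) onto it before use.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

# Where a genuine service called "syslogd" would be expected to live (assumption).
TRUSTED_EXEC_DIRS = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/", "/usr/lib/", "/usr/libexec/")
# Binaries that commonly appear in host/network discovery (T1082, T1016, T1083).
DISCOVERY_BINARIES = {"hostname", "uname", "id", "whoami", "ip", "ifconfig",
                      "lscpu", "free", "df", "du", "find"}
WINDOW_SECONDS = 300   # correlate events on a host within +/- this many seconds
ALERT_THRESHOLD = 4    # weights below are illustrative, tune to your environment


@dataclass
class Finding:
    host: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def _unit_name(path: str) -> str:
    base = path.rsplit("/", 1)[-1]
    return base[:-8] if base.endswith(".service") else base


def _trusted(path: str) -> bool:
    return path.startswith(TRUSTED_EXEC_DIRS)


def score_window(anchor: dict, window: List[dict]) -> Finding:
    """Score one persistence write (systemd unit or crontab) against surrounding events."""
    f = Finding(host=anchor["host"])
    target = anchor.get("exec_start", "")
    if anchor["type"] == "unit_write":
        name = _unit_name(anchor["path"])
        if name == "syslogd" and not _trusted(target):
            f.score += 3
            f.reasons.append(f"unit '{name}' masquerades as syslogd, ExecStart={target}")
        elif not _trusted(target):
            f.score += 1
            f.reasons.append(f"unit '{name}' runs from untrusted path {target}")
    elif anchor["type"] == "cron_write":
        # Cron fallback when the process lacks gid 0 (T1053.003): @reboot entry from a non-root user.
        if "@reboot" in anchor.get("line", "") and anchor.get("gid", 0) != 0 and not _trusted(target):
            f.score += 2
            f.reasons.append(f"non-root @reboot crontab entry pointing at {target}")

    # A binary that executed and was then deleted in the same window (T1070.004 self-removal).
    executed = {e["exe"] for e in window if e["type"] == "exec"}
    deleted = {e["path"] for e in window if e["type"] == "file_delete"}
    for path in sorted(executed & deleted):
        if not _trusted(path):
            f.score += 3
            f.reasons.append(f"executable {path} ran and was then deleted")

    # Two or more distinct discovery commands clustered around the persistence write.
    disc = {e["exe"].rsplit("/", 1)[-1] for e in window if e["type"] == "exec"} & DISCOVERY_BINARIES
    if len(disc) >= 2:
        f.score += 2
        f.reasons.append("discovery commands: " + ", ".join(sorted(disc)))
    return f


def analyze(events: List[dict]) -> Dict[str, Finding]:
    """Return the highest-scoring Finding per host that reaches ALERT_THRESHOLD."""
    by_host: Dict[str, List[dict]] = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    findings: Dict[str, Finding] = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for anchor in (e for e in evs if e["type"] in ("unit_write", "cron_write")):
            lo, hi = anchor["ts"] - WINDOW_SECONDS, anchor["ts"] + WINDOW_SECONDS
            f = score_window(anchor, [e for e in evs if lo <= e["ts"] <= hi])
            if f.score >= ALERT_THRESHOLD and f.score > findings.get(host, Finding(host)).score:
                findings[host] = f
    return findings


# Constructed sample events (not real telemetry). web01 mimics the chain in the
# technique table; app01 is an administrator deploying an ordinary service.
SAMPLE_EVENTS = [
    {"ts": 1000, "host": "web01", "type": "exec", "exe": "/tmp/.x/updater", "uid": 0},
    {"ts": 1001, "host": "web01", "type": "exec", "exe": "/usr/bin/hostname", "uid": 0},
    {"ts": 1001, "host": "web01", "type": "exec", "exe": "/usr/sbin/ip", "uid": 0},
    {"ts": 1002, "host": "web01", "type": "unit_write", "path": "/etc/systemd/system/syslogd.service",
     "exec_start": "/var/log/syslogd", "uid": 0},
    {"ts": 1003, "host": "web01", "type": "file_delete", "path": "/tmp/.x/updater", "uid": 0},
    {"ts": 2000, "host": "app01", "type": "exec", "exe": "/usr/bin/hostname", "uid": 1000},
    {"ts": 2001, "host": "app01", "type": "unit_write", "path": "/etc/systemd/system/myapp.service",
     "exec_start": "/opt/myapp/bin/app", "uid": 0},
]

if __name__ == "__main__":
    for host, f in analyze(SAMPLE_EVENTS).items():
        print(host, f.score, f.reasons)
```

The scoring deliberately gives a lone "untrusted ExecStart path" only one point, because packaged applications under /opt or /srv are routine; it is the combination of a well-known daemon name, a self-deleting binary, and discovery commands inside one window that pushes a host over the threshold. Add change-ticket or deployment-tool context as a negative weight before running this against production telemetry.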
Mitigation priorities
- Establish baseline and change control for cron jobs, systemd services, privileged scripts, and service accounts on Linux systems.
- Limit unnecessary outbound connectivity from Linux servers and monitor allowed web-protocol egress for anomalous destinations or patterns.
- Harden administrative access and local privilege boundaries so discovery of local groups or system configuration does not easily enable follow-on activity.
- Preserve investigation evidence by centralizing Linux logs and file/process telemetry, since related behavior includes file deletion.
- Prepare IR playbooks for Linux backdoor scenarios: isolate affected hosts, collect volatile process/network/service state, review persistence mechanisms, and validate recovery from trusted sources.
Analyst notes and limits
This take is based on the ATT&CK S1198 Gomir object, its description, the Symantec external reference, and ATT&CK relationships showing use of specific techniques. The relationship to Kimsuky is included because it is supplied by ATT&CK, but local risk should be assessed against the organization’s Linux exposure, sector relevance, and telemetry maturity.
ATT&CK provides no official Gomir detection text, no aliases, and no malware-specific tactics on the object itself. The guidance therefore relies on supplied technique relationships and should be validated against local Linux distributions, logging architecture, normal administrative workflows, and network egress patterns.
Gomir
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1573 | Encrypted Channel | Gomir uses a custom encryption algorithm for content sent to command and control infrastructure. [1] |
| Enterprise | T1543.002 | Create or Modify System Process: Systemd Service | Gomir creates a systemd service named `syslogd` for persistence. [1] |
| Enterprise | T1018 | Remote System Discovery | Gomir probes arbitrary network endpoints for TCP connectivity. [1] |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | Gomir uses Base64-encoded content in HTTP communications to command and control infrastructure. [1] |
| Enterprise | T1053.003 | Scheduled Task/Job: Cron | Gomir configures a crontab entry to start the backdoor on reboot if it is not initially running with group 0 privileges. [1] |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | Gomir reads command line arguments and parses them for functionality when executed from a Linux shell, and can execute arbitrary strings passed to it as shell commands. [1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Gomir periodically communicates with its command and control infrastructure through HTTP POST requests. [1] |
| Enterprise | T1090.001 | Proxy: Internal Proxy | Gomir can start a reverse proxy to initiate connections to arbitrary endpoints in victim networks. [1] |
| Enterprise | T1083 | File and Directory Discovery | Gomir collects information about directory and file structures, including total number of subdirectories, total number of files, and total size of files on infected systems. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | Gomir collects network information on infected systems such as interface names, MAC and IP addresses, and IPv6 addresses. [1] |
| Enterprise | T1082 | System Information Discovery | Gomir collects information on infected systems such as hostname, username, CPU, and RAM information. [1] |
| Enterprise | T1069.001 | Permission Groups Discovery: Local Groups | Gomir checks the effective group ID of its process when initially executed to determine whether it is in group 0, denoting superuser privileges in Linux environments. [1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Gomir deletes its original executable and terminates its original process after creating a systemd service. [1] |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Gomir uses reverse proxy functionality that employs SSL to encrypt communications. [1] |
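Added example for the T1071.001 and T1132.001 rows above, written for this page rather than taken from Symantec, MITRE, or the malware, and not a Gomir signature: the script groups HTTP POSTs by source and destination host, measures how regular the cadence is, and checks whether request bodies are strictly Base64. The proxy log line format, the thresholds, and the sample lines are assumptions; adapt `parse()` to your own proxy or NSM export.

```python
"""
Periodic HTTP POST beacon with Base64-looking bodies (T1071.001 + T1132.001).

Added example; not Symantec's or MITRE's code and not a Gomir signature. Log
lines use a constructed, simplified proxy format (assumption):
    "<epoch> <src_ip> <method> <url> <body_or_->"
"""
import base64
import binascii
import re
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_base64(body: str, min_len: int = 16) -> bool:
    """Strict check: Base64 alphabet only, length a multiple of 4, and a clean decode."""
    if len(body) < min_len or len(body) % 4 or not B64_RE.match(body):
        return False
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error:
        return False
    return True


def parse(line: str) -> Tuple[int, str, str, str, str]:
    ts, src, method, url, body = line.split(maxsplit=4)
    return int(ts), src, method, url, ("" if body == "-" else body)


def beacon_candidates(lines: List[str], min_posts: int = 4,
                      max_jitter_cv: float = 0.15, min_b64_ratio: float = 0.75) -> List[dict]:
    """Group POSTs by (src, destination host); flag regular cadence plus Base64 bodies."""
    groups: Dict[Tuple[str, str], List[Tuple[int, str]]] = defaultdict(list)
    for line in lines:
        ts, src, method, url, body = parse(line)
        if method != "POST":
            continue
        groups[(src, urlsplit(url).netloc)].append((ts, body))

    hits = []
    for (src, host), posts in groups.items():
        if len(posts) < min_posts:
            continue
        posts.sort()
        intervals = [b - a for (a, _), (b, _) in zip(posts, posts[1:])]
        mean = statistics.mean(intervals)
        # Coefficient of variation of the inter-request gaps: near 0 means a fixed timer.
        cv = statistics.pstdev(intervals) / mean if mean > 0 else float("inf")
        b64_ratio = sum(looks_base64(b) for _, b in posts) / len(posts)
        if cv <= max_jitter_cv and b64_ratio >= min_b64_ratio:
            hits.append({"src": src, "host": host, "posts": len(posts),
                         "interval_s": round(mean, 1), "jitter_cv": round(cv, 3),
                         "base64_ratio": round(b64_ratio, 2)})
    return hits


# Constructed sample log lines (not real traffic; hosts and addresses are made up).
SAMPLE_LINES = [
    # 10.0.0.5 -> c2.example: ~60 s cadence, opaque Base64 bodies (beacon-like)
    "1000 10.0.0.5 POST http://c2.example/api/v1/ping qk3Tz9xLwQ8vG2aN5hYtFdRpMzWcUoBj",
    "1060 10.0.0.5 POST http://c2.example/api/v1/ping Kx6eHs4iVlAyqk3Tz9xLwQ8vG2aN5hYt",
    "1121 10.0.0.5 POST http://c2.example/api/v1/ping FdRpMzWcUoBjKx6eHs4iVlAyqk3Tz9xL",
    "1180 10.0.0.5 POST http://c2.example/api/v1/ping wQ8vG2aN5hYtFdRpMzWcUoBjKx6eHs4i",
    "1240 10.0.0.5 POST http://c2.example/api/v1/ping VlAyqk3Tz9xLwQ8vG2aN5hYtFdRpMzWc",
    # 10.0.0.7 -> intranet app: human-paced form posts, not Base64
    "1005 10.0.0.7 POST http://wiki.corp.example/save title=notes&body=hello",
    "1130 10.0.0.7 POST http://wiki.corp.example/save title=notes&body=hello+again",
    "1200 10.0.0.7 GET http://wiki.corp.example/view -",
    "1500 10.0.0.7 POST http://wiki.corp.example/save title=todo&body=x",
    "1531 10.0.0.7 POST http://wiki.corp.example/save title=todo&body=y",
    # 10.0.0.9 -> backup API: Base64 uploads but bursty, irregular timing
    "1000 10.0.0.9 POST http://backup.corp.example/chunk qk3Tz9xLwQ8vG2aN5hYtFdRpMzWcUoBj",
    "1003 10.0.0.9 POST http://backup.corp.example/chunk Kx6eHs4iVlAyqk3Tz9xLwQ8vG2aN5hYt",
    "1400 10.0.0.9 POST http://backup.corp.example/chunk FdRpMzWcUoBjKx6eHs4iVlAyqk3Tz9xL",
    "1402 10.0.0.9 POST http://backup.corp.example/chunk wQ8vG2aN5hYtFdRpMzWcUoBjKx6eHs4i",
]

if __name__ == "__main__":
    for hit in beacon_candidates(SAMPLE_LINES):
        print(hit)
```

Because the table records a custom encryption layer under the Base64 (T1573 and T1132.001 together), decoding flagged bodies will not yield readable plaintext; the value of the check is the pairing of a fixed timer with opaque, strictly Base64 payloads to a destination the host has no business reason to contact. Raise `max_jitter_cv` if you expect the implant to add randomized sleep, and feed the candidate list into the host correlation rather than alerting on it alone.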
Groups, software, and campaigns
G0094: Kimsuky
Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]
Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]
DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 577b5ada0b0c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Symantec Troll Stealer 2024: Symantec Threat Hunter Team. (2024, May 16). Springtail: New Linux Backdoor Added to Toolkit. Retrieved January 17, 2025.
[2] MITRE ATT&CK, software object S1198 (Gomir).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.