GoBear
GoBear is a Go-based backdoor linked by S2W Talon to Kimsuky’s SeedpuNK subgroup, a North Korean intrusion cluster associated with AppleSeed-related activity. It was first discovered on 2023-12-12 and was identified alongside other related malware including AlphaSeed, BetaSeed, and Troll Stealer.
GoBear supports persistence, command execution, file upload and download, TCP connection handling, victim information gathering, self-deletion, and SOCKS proxy management; reporting also specifically notes SOCKS5 proxy functionality.
The malware has been observed installed through droppers masquerading as legitimate signed software installers, and it uses stolen legitimate code-signing certificates for defense evasion. AlphaSeed, Troll Stealer, and GoBear were all protected with VMProtect, and AlphaSeed and GoBear were also packed with UPX.
A Linux variant of GoBear has also been reported; Symantec refers to that variant as Gomir. The Linux variant used IP address 216.189.159[.]34, which had previously been used by an AppleSeed dropper sample.
The broader activity is associated with targeting that includes South Korean government and public-sector-related environments, consistent with Kimsuky operations.
Groups observed using it
2 distinct threat actors attributed by public researchers.
S2W Talon has named these malware samples BetaSeed (backdoor), AlphaSeed (backdoor), GoBear (backdoor) and Troll Stealer, respectively, based on the chronological order of their discovery.
Techniques & procedures
15 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
The SGA Solutions installer file is confirmed to be signed with a valid D2innovation Co., LTD certificate.
Initial Access
1 technique
The group primarily uses spear-phishing attacks to distribute malware and attempt to take over accounts to harvest data.
Execution
1 technique
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
5 techniques
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
Bad Rabbit has masqueraded as a Flash Player installer through the executable file install_flash_player.exe.
Defense Impairment
1 technique
Public reporting repeatedly describes threat actors and malware using valid, stolen, forged, self-signed, or abused code-signing certificates to sign malware so that it appears legitimate, including AppleJeus using a valid digital signature from Sectigo, APT41 leveraging code-signing certificates, FIN7 signing Carbanak payloads, and SUNBURST being digitally signed by SolarWinds.
Discovery
1 technique
Uses the systeminfo command to gather system information.
Command and Control
4 techniques
Performs HTTP communication to exfiltrate the stolen information.
This campaign employed novel techniques, such as disguising malware as installation files for South Korea’s electronic document security programs in order to steal from the GPKI folder, used by government administrative and public institutions in South Korea, and exploiting the SOCKS5 protocol.
Aria-body has the ability to use a reverse SOCKS proxy module... BADHATCH can use SOCKS4 and SOCKS5 proxies... GoBear implements SOCKS5 proxy functionality... Neo-reGeorg has the ability to establish a SOCKS5 proxy... Remcos uses the infected hosts as SOCKS5 proxies...
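The SOCKS5 capability above is the one that turns a compromised host into attacker infrastructure, so it is worth being able to recognise the negotiation in captured traffic rather than relying on port numbers. The following Go program is an added example written for this page; it is not GoBear code and not taken from any of the vendor reports cited here. It decodes the client greeting, the server's method selection and the request that follows, exactly as RFC 1928 lays them out, with every length checked so that a truncated or hostile capture cannot crash the scanner. The byte strings in main() are constructed for the example; the function names are the author's own.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// Socks5Request is what a client asked the proxy to do, recovered from the
// bytes that follow the method negotiation (RFC 1928 section 4).
type Socks5Request struct {
	Command string // CONNECT, BIND or UDP ASSOCIATE
	Host    string // IPv4 or IPv6 literal, or a domain name
	Port    uint16
}

var commandNames = map[byte]string{0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP ASSOCIATE"}

// ParseSocks5Greeting validates the client greeting (VER=5, NMETHODS, METHODS)
// and returns the offered authentication methods.
func ParseSocks5Greeting(b []byte) ([]byte, error) {
	if len(b) < 2 || b[0] != 0x05 {
		return nil, errors.New("not a SOCKS5 greeting")
	}
	n := int(b[1])
	if n == 0 || len(b) < 2+n {
		return nil, errors.New("truncated method list")
	}
	return b[2 : 2+n], nil
}

// ServerAcceptsNoAuth is true when the server's method selection (VER=5,
// METHOD) chose 0x00, i.e. anyone who can reach the port can use the proxy.
func ServerAcceptsNoAuth(b []byte) bool {
	return len(b) >= 2 && b[0] == 0x05 && b[1] == 0x00
}

// ParseSocks5Request decodes VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT. Every
// length is checked before the slice is taken.
func ParseSocks5Request(b []byte) (*Socks5Request, error) {
	if len(b) < 4 || b[0] != 0x05 || b[2] != 0x00 {
		return nil, errors.New("not a SOCKS5 request")
	}
	cmd, ok := commandNames[b[1]]
	if !ok {
		return nil, fmt.Errorf("unknown command 0x%02x", b[1])
	}
	off := 4
	var host string
	switch b[3] {
	case 0x01: // IPv4, 4 octets
		if len(b) < off+4 {
			return nil, errors.New("truncated IPv4 address")
		}
		host = net.IP(b[off : off+4]).String()
		off += 4
	case 0x03: // domain name, one length byte then the name
		if len(b) < off+1 || len(b) < off+1+int(b[off]) {
			return nil, errors.New("truncated domain name")
		}
		l := int(b[off])
		host = string(b[off+1 : off+1+l])
		off += 1 + l
	case 0x04: // IPv6, 16 octets
		if len(b) < off+16 {
			return nil, errors.New("truncated IPv6 address")
		}
		host = net.IP(b[off : off+16]).String()
		off += 16
	default:
		return nil, fmt.Errorf("unknown address type 0x%02x", b[3])
	}
	if len(b) < off+2 {
		return nil, errors.New("truncated port")
	}
	return &Socks5Request{Command: cmd, Host: host, Port: binary.BigEndian.Uint16(b[off : off+2])}, nil
}

func main() {
	// Constructed exchange: the client offers "no authentication", the server
	// accepts it, and the client asks for CONNECT to 203.0.113.10:443.
	greeting := []byte{0x05, 0x01, 0x00}
	choice := []byte{0x05, 0x00}
	request := []byte{0x05, 0x01, 0x00, 0x01, 203, 0, 113, 10, 0x01, 0xbb}

	methods, err := ParseSocks5Greeting(greeting)
	if err != nil {
		fmt.Println("greeting:", err)
		return
	}
	req, err := ParseSocks5Request(request)
	if err != nil {
		fmt.Println("request:", err)
		return
	}
	fmt.Printf("methods=%v noauth=%v %s %s:%d\n", methods, ServerAcceptsNoAuth(choice), req.Command, req.Host, req.Port)
	// Prints: methods=[0] noauth=true CONNECT 203.0.113.10:443
}
```

Run this over the first few bytes of each direction of a flow that does not belong to a known proxy service; a workstation or server answering 05 00 to a greeting and then honouring CONNECT requests is behaving as an open SOCKS5 relay, which is the condition the reporting above describes.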
Exfiltration
1 technique
Troll Stealer exfiltrates stolen information to a hard-coded C&C server within the malware.
IOCs tracked for this family
6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
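Indicators in write-ups arrive defanged (the 216.189.159[.]34 address reported for the Linux variant is the one example on this page), and a naive substring search over telemetry will both miss the bracketed form and over-match neighbouring addresses. The Go program below is an added example, not part of this page or of any vendor tooling: it refangs indicators and matches them as whole tokens against log lines. The Zeek conn.log-style lines and the field layout are constructed for the example; Refang, ScanLogs and SampleConnLog are names chosen here.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Refang turns a defanged indicator as printed in a report back into the form
// that appears in telemetry. Covers the common conventions: [.] and (.) for
// dots, [:] for colons, hxxp/hxxps for the URL scheme.
func Refang(ioc string) string {
	r := strings.NewReplacer(
		"[.]", ".", "(.)", ".", "[:]", ":",
		"hxxps://", "https://", "hxxp://", "http://",
	)
	return r.Replace(strings.TrimSpace(ioc))
}

// Hit records one log line that contained a refanged indicator.
type Hit struct {
	Line int    // 1-based index into the scanned lines
	IOC  string // the indicator in its refanged form
	Text string
}

// ScanLogs matches each indicator as a whole token: the boundary classes stop
// 216.189.159.34 from also matching 216.189.159.345 or 1216.189.159.34.
func ScanLogs(iocs []string, lines []string) []Hit {
	var hits []Hit
	for _, raw := range iocs {
		live := Refang(raw)
		re := regexp.MustCompile(`(^|[^A-Za-z0-9])` + regexp.QuoteMeta(live) + `($|[^A-Za-z0-9])`)
		for i, l := range lines {
			if re.MatchString(l) {
				hits = append(hits, Hit{Line: i + 1, IOC: live, Text: l})
			}
		}
	}
	return hits
}

// SampleConnLog is constructed for this example: Zeek conn.log-style fields
// (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto). Only the
// first line talks to the address reported for the Linux variant; the second
// is a near-miss that a plain substring search would flag.
var SampleConnLog = []string{
	"1702339200.123 CAbc1 10.0.0.5 51234 216.189.159.34 443 tcp",
	"1702339201.456 CDef2 10.0.0.7 51235 216.189.159.345 443 tcp",
	"1702339202.789 CGhi3 10.0.0.9 51236 93.184.216.34 80 tcp",
}

func main() {
	// The only indicator value this write-up gives for the family, copied in
	// its defanged form.
	for _, h := range ScanLogs([]string{"216.189.159[.]34"}, SampleConnLog) {
		fmt.Printf("line %d hit %s: %s\n", h.Line, h.IOC, h.Text)
	}
}
```

Feed the real indicator list and a stream of connection or proxy logs to ScanLogs; for file hashes the same token-boundary match works unchanged, since hex digits fall inside the alphanumeric class.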
Recent activity
5 sources tracked across advisories, community write-ups, and news.
GoBear uses stolen legitimate code-signing certificates to evade detection.
GoBear is installed through droppers masquerading as legitimate, signed software installers.
Malware implementing SOCKS5 proxy functionality.
Tool/malware implementing SOCKS5 proxy functionality.