Kimsuky’s New Golang Stealers ‘Troll’ and ‘GoBear’ Backdoor Target South Korea

February 08, 2024NewsroomCyber ​​Espionage / Malware

Goal Stealer

The nation-state actor linked to North Korea known as Kimsuky is suspected of using a previously undocumented Golang-based information stealer called Troll Stealer.

The malware steals “SSH, FileZilla, C drive files/directories, browsers, system information, (and) screen captures” from infected systems, South Korean cybersecurity company S2W SAYS in a new technical report.

Kimsuky’s Troll Stealer links stem from its similarity to known malware families, such as the AppleSeed and AlphaSeed malware attributed to the group.


Kimsuky, also tracked under the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (formerly Thallium), Nickel Kimball, and Velvet Chollima, is well known for its penchant for stealing sensitive, confidential information in offensive operations in cyber.

As of late November 2023, threat actors have been authorized by the US Treasury Department’s Office of Foreign Assets Control (OFAC) for intelligence gathering to further North Korea’s strategic objectives.

The adversarial collective, in recent months, has been accused of spear-phishing attacks targeting South Korean entities to deliver various backdoors, including AppleSeed and AlphaSeed.

Goal Stealer

The latest S2W analysis revealed the use of a dropper disguised as a security program installation file from a South Korean company named SGA Solutions to launch the stealer, which gets its name from the path “D:/~ /repo/golang/src/root .go/s/troll/agent” that it contains.

“The dropper runs as a legitimate installer alongside the malware, and both the dropper and malware are signed with a valid, legitimate D2Innovation Co.,LTD’ certificate, suggesting that the company’s certificate is in fact stolen,” the company said.

A stand-out feature of Troll Stealer is its ability to retrieve the GPKI folder of infected systems, which raises the possibility that the malware is used in attacks targeting the country’s administrative and public organizations.


Given the absence of Kimsuky campaigns documenting the theft of GPKI folders, it raises the possibility that the new behavior is a transfer of tactics or the work of another threat actor closely associated with the group. also has access to the source code of AppleSeed and AlphaSeed.

There are also indications that the threat actor may be linked to a Go-based backdoor codenamed GoBear that is also signed by a legitimate certificate affiliated with D2Innovation Co., LTD and executes instructions received from in a command-and-control (C2) server.

“The strings contained in the names of the functions it calls were found to overlap with the commands used by BetaSeed, a C++-based backdoor malware used by the Kimsuky group,” S2W said. “It should be noted that GoBear adds SOCKS5 proxy functionality, which was not previously supported by the Kimsuky group’s backdoor malware.”

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment