Gomir Malware Analysis Report
2024-06-27 • Nurilab • Gomir Malware Analysis Report
Nurilab analyzes Gomir, a Linux variant of the GoBear backdoor linked in the source to Kimsuky activity against South Korean organizations and companies. The malware checks for an "install" command-line argument and root privileges, then persists either as a syslogd service or through cron before deleting its original file. Gomir generates a UID from the username and hostname, talks to http://216.189.159.34/mir/index.php with encrypted and Base64-encoded POST data, and can run shell commands, collect host details, change directories, proxy traffic with yamux, and create or exfiltrate files. The report also lists sample hashes that can support clustering and endpoint detection for this Linux backdoor family.
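A defender-side check for the C2 pattern described above, added here as an example and not code from the Nurilab report: it scans constructed proxy-log lines for requests to the published C2 IP and path and flags Base64-looking POST bodies. The log line format, the field order and the function names are assumptions.

```python
"""Added example (not from the Nurilab report): flag proxy-log lines that
match Gomir's published C2 (POST to http://216.189.159.34/mir/index.php
with a Base64-encoded body). Log format and field order are assumed."""
import base64
import re
from typing import Dict, List

# Indicators taken from the report summary.
GOMIR_C2_HOST = "216.189.159.34"
GOMIR_C2_PATH = "/mir/index.php"

# Assumed proxy log format: "<ts> <src_ip> <METHOD> <url> <status> [<body>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s*(?P<body>\S*)$"
)
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?]*)?")


def looks_like_base64(data: str) -> bool:
    """True if data is at least 16 chars and decodes as strict Base64."""
    if len(data) < 16 or len(data) % 4:
        return False
    try:
        base64.b64decode(data, validate=True)  # binascii.Error is a ValueError
    except ValueError:
        return False
    return True


def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per request to the C2 host, with the reasons it matched."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or non-matching line, skip it
        u = URL_RE.match(m["url"])
        if not u or u["host"] != GOMIR_C2_HOST:
            continue
        reasons = ["c2_ip"]
        if (u["path"] or "/") == GOMIR_C2_PATH:
            reasons.append("c2_path")
        if m["method"] == "POST" and looks_like_base64(m["body"]):
            reasons.append("base64_post_body")
        hits.append({"ts": m["ts"], "src": m["src"], "url": m["url"],
                     "reasons": ",".join(reasons)})
    return hits


# Constructed sample lines (not real traffic); the body decodes to "hello world!!".
SAMPLE_LOG = [
    "2024-06-27T10:01:02Z 10.0.0.5 POST http://216.189.159.34/mir/index.php 200 aGVsbG8gd29ybGQhIQ==",
    "2024-06-27T10:01:03Z 10.0.0.7 GET http://example.com/index.html 200",
    "2024-06-27T10:02:00Z 10.0.0.9 GET http://216.189.159.34/ 404",
]
```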
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 30584f13c0a9d0c86562c803de35043… | 2024-05-16 | 2024-11-20 |
| HASH | 93edc15a20aac8b5193e5b22e35dbb0… | 2024-06-27 | 2024-06-27 |
| HASH | e562cf30d17d47347c7e6ffd249fc190 | 2024-06-27 | 2024-06-27 |
| IPv4 | 216.189.159.34 | 2024-05-16 | 2024-06-27 |