Springtail: New Linux Backdoor Added to Toolkit
2024-05-16 • Symantec
Symantec attributes a new Linux backdoor, Linux.Gomir, to Springtail, also known as Kimsuky, in activity linked to recent campaigns against South Korean organizations. Gomir is a Linux counterpart to the GoBear backdoor and shares extensive code with it, extending Springtail’s Go-based tooling across platforms. The campaign used trojanized Korean software installers, including TrustPKI, NX_PRNMAN, and Wizvera VeraPort packages, to deliver Troll Stealer and related backdoors. Gomir can install itself as a systemd service named syslogd when run with privileges, while the broader toolset supports information theft, screenshots, browser-data collection, and persistence against South Korean government and public-sector targets.
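The persistence detail above (a systemd unit named `syslogd`) is the one host-level artifact the summary gives defenders to look for. The following is an added example, not code from the report or from Symantec, that parses a `syslogd.service` unit and flags it when its `ExecStart` binary is not a conventional syslog daemon or the unit lives in an admin-local directory; the allowlist of daemon paths and the sample unit texts are assumptions constructed for the example.

```python
"""Added example: hunt for a systemd unit named syslogd.service and assess it."""
import os
import re

# Assumption: binaries a unit called syslogd.service could legitimately run.
KNOWN_SYSLOG_BINARIES = {"/usr/sbin/rsyslogd", "/usr/sbin/syslog-ng",
                         "/sbin/syslogd", "/usr/sbin/syslogd"}
# Admin-local unit directories; distribution packages install elsewhere.
LOCAL_UNIT_DIRS = ("/etc/systemd/system", "/run/systemd/system")
ALL_UNIT_DIRS = LOCAL_UNIT_DIRS + ("/lib/systemd/system", "/usr/lib/systemd/system")

# Constructed sample units for offline use (not real artifacts from the report).
LEGIT_UNIT = "[Unit]\nDescription=System Logging Service\n[Service]\n" \
             "ExecStart=/usr/sbin/rsyslogd -n\n[Install]\nWantedBy=multi-user.target\n"
SUSPECT_UNIT = "[Unit]\nDescription=syslogd\n[Service]\n" \
               "ExecStart=/tmp/.cache/syslogd\nRestart=always\n" \
               "[Install]\nWantedBy=multi-user.target\n"

def parse_exec_start(unit_text):
    """Return the binary from the first ExecStart= line, stripping systemd's
    special prefix characters (-, @, +, !, :) that precede the path."""
    for line in unit_text.splitlines():
        m = re.match(r"\s*ExecStart\s*=\s*([-@+!:]*)(\S+)", line)
        if m:
            return m.group(2)
    return None

def assess_unit(unit_path, unit_text):
    """Assess one syslogd.service unit; returns (suspicious, reasons)."""
    reasons = []
    binary = parse_exec_start(unit_text)
    if binary is None:
        reasons.append("no ExecStart= line")
    elif binary not in KNOWN_SYSLOG_BINARIES:
        reasons.append(f"unexpected ExecStart binary {binary}")
    if unit_path.startswith(LOCAL_UNIT_DIRS):
        reasons.append("unit installed in an admin-local directory, not a package path")
    return (bool(reasons), reasons)

def hunt_syslogd_units(unit_dirs=ALL_UNIT_DIRS):
    """Read every syslogd.service found in unit_dirs and return assessments."""
    findings = []
    for d in unit_dirs:
        p = os.path.join(d, "syslogd.service")
        if os.path.isfile(p):
            with open(p, encoding="utf-8", errors="replace") as fh:
                suspicious, reasons = assess_unit(p, fh.read())
            findings.append({"path": p, "suspicious": suspicious, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in hunt_syslogd_units() or [{"path": "(none found)", "suspicious": False, "reasons": []}]:
        print(f["path"], "SUSPICIOUS" if f["suspicious"] else "ok", "; ".join(f["reasons"]))
```

A hit is a lead, not a verdict: confirm ownership of the unit and its binary with the package manager (`dpkg -S` / `rpm -qf`) before acting.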