ESET researchers discovered and analyzed an ongoing malicious campaign distributing a backdoor via torrents, using Korean TV content and sometimes games as bait. The backdoor is spread via South Korean and Chinese torrent sites. The malware allows the attacker to connect the compromised computer to a botnet and control it remotely.
The malware concerned is a modified version of a publicly available backdoor named GoBot2; the modifications to the source code are mainly South Korea-specific evasion techniques. Due to the campaign’s clear focus on South Korea, ESET has dubbed this Win64/GoBot2 variant GoBotKR. With 80% of all detections, South Korea is the most affected, followed by China (10%) and Taiwan (5%). According to ESET telemetry, GoBotKR has been active since 2018.