GoSerpent Malware
A new malware strain known as GoSerpent has been utilized in cyber attacks against targets from Southeast Asia starting in late 2025. As per Kaspersky, the attacks are geared towards maintaining persistent access and espionage.
The targeted victims of the attacks include governmental and diplomatic organizations based in the region. GoSerpent has the capability of communicating with an external server and launching second-stage payloads for harvesting data and credentials.
The Timeline of the Attack
In 2026, Kaspersky discovered this activity in February. It was discovered through monitoring that in May 2026, the attacker came back with a modified version of their tools. The new tool consisted of the updated Stowaway RAT and proxy tool similar to the original malware as well as a new one to steal the data.
The end goal is to harvest sensitive files and stage them for exfiltration. The attackers use a data collection tool called ThumbcacheService. Credential dumping tools are deployed via GoSerpent to capture system credentials needed to facilitate data exfiltration through network shared drives.
The Malware's Evolution
Earlier iterations of the Go-based implant have been used since 2021 against victims in Southeast Asia. Recent variants have been deployed as recently as this year.
The malware works by receiving encrypted and Base64 encoded arguments that contain the C2 server IP address and the communication password. After decryption, the backdoor will connect to the C2 server using an encrypted channel and the SHA256 hash of the communication password acts as the encryption key.
Supported Commands
GoSerpent supports a range of commands:
- Infection alert sent to the server
- Listening to a specific port
- Closing of listening to a specific port
- Connection to a remote server
- Shell spawned on the infected machine
- File or directory upload to the server
- Downloading from the server
- SOCKS5 proxy spawned on the infected machine
- Port forwarded to a connected node
Additional Tools
The attacks deploy several additional tools:
- McMx RAT: A simple Go-based proxy and remote access malware which is basically a lightweight version of GoSerpent. It has features like SOCKS5 proxying, port forwarding, file transfers, and a remote shell.
- ThumbcacheService: A DLL which enhances the functionality of GoSerpent with an advanced file collection technique.
- Mimikatz: A tool that is employed for dumping LSASS memory in order to dump credentials.
- QuarksDumpLocalHash: This is a tool used for harvesting the local password hashes from the SAM registry hive.
Comeback in May 2026
After some time collecting information discreetly, the threat actors made another comeback to the already compromised network in May 2026 to use other tools such as:
- Stowaway: Remote access and proxying tool with features like port forwarding, SOCKS5 proxying, reverse tunneling, remote shell functionality, file transfers, and SSH tunneling.
- TmcLoader: C++ loader which contains an encrypted component referred to as TmcPayload.
- TmcPayload: Component used for stealing sensitive data stored on the victim’s machine.
Attribution
There is no definite attribution for the malware. Nevertheless, this attack bears resemblance to the activities of the threat actor called “TetrisPhantom.” This threat actor was seen in action for the first time in October 2023 and operates against government organizations in the Asia-Pacific region.
DoNot Team Attack Chain
A separate campaign orchestrated by DoNot Team targets Bangladesh's military and defense establishments. Spear-phishing emails with malware-laced RTF documents drop a DLL implant that sets up scheduled-task persistence disguised as OneDrive telemetry.
The RTF uses remote template injection to fetch a VBA macro with server-side geofencing restricting payload delivery to victims inside the target region. The shellcode moves through several XOR-encoded stages, each pulled from the same C2 domain.
The Bottom Line
GoSerpent malware Southeast Asia espionage demonstrates a sophisticated, long-term intelligence-gathering operation. The attack is happening over a period of time utilizing different methods of data theft since May 2026.
Security protocols have to be looked into by the government and diplomatic agencies in this area. Any kind of strange behavior on the network has to be taken care of. Any file transfer could also be an indicator of infection.
FAQ Section
What is GoSerpent?
GoSerpent is the name of the backdoor developed in Go language which is used in the cyber-espionage attacks targeting the governments and diplomats in Southeast Asia.
What does GoSerpent do?
GoSerpent communicates with the C2 server, drops secondary payloads, exfiltrates the information, and steals the credentials. The features supported by GoSerpent include SOCKS5 proxy, remote shell, file transfer, and port forwarding.
What other tools are used?
Other tools which are being used are McMx RAT, ThumbcacheService, Mimikatz, QuarksDumpLocalHash, Stowaway, TmcLoader, and TmcPayload.
Who is behind the attacks?
It is unknown who is behind the attacks, but there are some similarities to the TetrisPhantom group targeting APAC governments.
What is ThumbcacheService?
ThumbcacheService is a DLL which complements GoSerpent with an additional method of collecting files.
What should organizations do?
Organizations should monitor their networks for any anomalies and check access to credentials as well as suspicious file transfers.