Skip to main content
Emerging ThreatsMalware & Ransomware

GoSerpent Malware Evolves with Advanced Data Exfiltration Tactics

Rows of computer servers and network equipment in a dimly lit server room with organized cables and wires.

In February 2026 the report states, "we discovered a set of malicious activities that have been ongoing since late 2025."

GoSerpent backdoor: architecture, commands, and persistence

The central piece of the campaign is a Go-based remote access Trojan the report dubs GoSerpent. According to the researchers, variants of GoSerpent have been observed since at least 2021, with a newer, stealthier build active in late 2025 and early 2026. The backdoor accepts encrypted, base64-encoded command-line arguments that include the C2 address and a communication password; those arguments are decrypted using AES‑CBC with a fixed IV of 31323334353637383930616263646566 and keys derived from predefined strings. Communications with command-and-control servers use ChaCha20 encryption where the SHA256 hash of the communication password serves as the encryption key.

GoSerpent implements multiple remote functions encoded as special command values. The report lists those command symbols and their functions verbatim (examples):

  • 2BA1 — Sync (respond to server to show infection is active)
  • 3BA2 — Exit (exit process)
  • 4BA3 — Ls (start listening on a port)
  • 5BA4 — Connect (connect to remote server)
  • 6BA5 — Hello (create a shell)
  • 7BA6 — Ul (upload file or directory)
  • 8BA7 — Dl (download from server)
  • 9BA8 — Ss5 (start a SOCKS5 proxy)
  • ABA9 — Cl (close listening port)
  • CBAB — RF (forward to a connected node)

The backdoor can create SOCKS5 proxy servers to route traffic through compromised hosts, and it is used to deploy additional tools (ThumbcacheService, Mimikatz, QuarksDumpLocalHash). The malware also uses filenames designed to mimic legitimate system processes (for example, lass.exe and updates.exe) and exhibits "strong persistence mechanisms," according to the report.

ThumbcacheService and credential collection

After deploying GoSerpent, the operators typically waited days before running secondary components. ThumbcacheService is a malicious DLL installed as a Windows service that the report describes as a dedicated file-collection mechanism. It uses single-byte XOR (0x13) string obfuscation and creates a database named thumbcache_605a.db in C:\Users\Public\ to store harvested files.

ThumbcacheService targets documents by extension — the report lists .doc, .docx, .pdf, .xls and .xlsx — archives them with 7‑Zip using the predefined password @vx0a9n5W2M0c3D6.# and enforces a 20 MB size limit for archives. The service also monitors $Recycle.Bin for deleted files with those extensions, expanding its collection coverage.

Credential-dumping tools deployed via GoSerpent included Mimikatz (to extract memory artifacts from LSASS, cached credentials, and Kerberos tickets) and QuarksDumpLocalHash (to extract local account password hashes from the SAM hive). The report says stolen credentials were later used to exfiltrate the thumbcache_605a.db through network shares.

Stowaway and TmcLoader/TmcPayload: the exfiltration stage

In May 2026 the operators returned with an evolved toolkit. The main staging tool in this phase is Stowaway, a Go-based RAT and proxy with network-admin and agent capabilities. Stowaway supports SOCKS5 proxying, port forwarding, reverse tunneling, remote shells, file transfer, and SSH-based tunneling. Communications can run over TCP, HTTP, or WebSocket and be protected with AES-256-GCM or TLS, per the report.

Through Stowaway the attackers delivered two files: TmcLoader and an encrypted configuration file ({{BBF061R2-BE25-4F6D-8B2D-1A6A39C3FSA2}}.db). TmcLoader is a stealthy C++ loader registered as a Windows service that decrypts an embedded payload (TmcPayload) and maps it into the svchost process. The loader uses dynamic API resolution hidden by a circular XOR scheme (each byte XORed with the next byte) and Base64 for string obfuscation, and it creates a unique event to prevent multiple infections.

TmcPayload looks for the configuration file and, crucially, uses the encrypted network-share credentials and destination paths inside that file to exfiltrate the exact thumbcache_605a.db created earlier — a tightly integrated chain from collection to theft.

Infrastructure, operational methods, and possible links

The operators used legitimate hosting providers for C2, the report notes, including Alibaba Cloud and UCLOUD HK. The report also highlights a pattern: the consistent use of legitimate domain names as secret keys (GoSerpent used www.microsoft.com and www.spacex.com; Stowaway used github.code), which the researchers interpret as a standardized operational methodology. Technical similarities between GoSerpent and Stowaway suggest deep familiarity with proxy technologies.

The report flags a potential link to the actor TetrisPhantom based on overlaps in targeting, capabilities, and methods, but it frames that as an indication rather than a confirmed attribution.

What this means for government and diplomatic entities in Southeast Asia, technologists, and hosting providers

  • Government and diplomatic entities in Southeast Asia — explicitly named as targets in the report — are shown a campaign built for long-term access and intelligence collection: collection components run for weeks before exfiltration, and the chain ties collection, credential theft, configuration delivery, and exfiltration together.
  • Technologists and security teams — the report demonstrates specific TTPs to look for: a Go-based RAT accepting encrypted command-line arguments (AES‑CBC with the fixed IV listed above), a thumbcache_605a.db artifact in C:\Users\Public\, and a 7‑Zip archive password of @vx0a9n5W2M0c3D6.# among other indicators.
  • Hosting providers — because Alibaba Cloud and UCLOUD HK were used for C2 infrastructure, the report highlights how legitimate platforms can be abused and suggests those providers are within the operational scope of the campaign.

The report concludes that the campaign "represents a sophisticated and evolving threat" and stresses the integrated nature of the toolset: collection by ThumbcacheService, credential harvesting by Mimikatz and QuarksDumpLocalHash, and exfiltration by TmcLoader/TmcPayload delivered via Stowaway. As the authors put it, understanding those tactics, techniques, and procedures is essential to prepare defenders for similar activity.

Indicators of compromise (selected)

File hashes (as reported)

  • GoSerpent: EBFFD5A76AAA690BCDB922F82E0BACC5, DC506FF7BB72735444FB3703A6BEE6D8
  • McMx: D6E86BF8A90E9B632ADD5FA495F97FBC
  • ThumbcacheService: CB6C4C70A3B171FA3404B8E1A3382116, 64E9D1950E42BC98486DFD9919463D1C
  • Stowaway: CBBB6D483737EA3566726E51752DFF40, 7F223EE0716CE2AD56F55D3744419449, 19F8BEFCB035F52BF70094E6B4F5779A, 846EF7C1C7323849B2A778C5E4CDA162
  • TmcLoader: D08A059E8B815E3B891505BC8777FC28, 93A1569D5D5AB2C4761FEDF84F83709E

C2 IP addresses (as reported): 152.32.160[.]239, 8.220.194[.]108, 8.220.214[.]132, 8.220.209[.]155, 8.220.193[.]189, 101.36.104[.]87, 144.48.6[.]46, 103.138.13[.]30, 47.80.22[.]58, 152.32.222[.]113, 43.106.30[.]226.

Read the original report: https://securelist.com/goserpent-backdoor-in-southeast-asia/120687/