Skip to main content
Emerging ThreatsMalware & Ransomware

GoSerpent Malware Targets Southeast Asian Governments for Espionage

Formal office setting with laptop, papers, and pen on a desk near a window overlooking a cityscape.

"Monitoring the activities of this threat actor revealed that in May 2026 they came back with an evolved set of malicious tools," security researcher Noushin Shabab said, summing up an intrusion campaign that has quietly targeted Southeast Asian governments and diplomats since late 2025.

GoSerpent implant and command set

Researchers at Russian cybersecurity company Kaspersky uncovered a previously undocumented Go-based backdoor they call GoSerpent in February 2026. According to Kaspersky, the implant has been used since late 2025 — and earlier iterations of the Go-based implant and remote access trojan (RAT) trace back to 2021 — against victims in Southeast Asia with a focus on long-term access and intelligence collection at government and diplomatic entities.

GoSerpent receives encrypted and Base64-encoded command-line arguments that include a command-and-control (C2) address and a communication password. Once decrypted, the backdoor connects to the C2 server over an encrypted channel. The SHA256 hash of the communication password is used as the encryption key.

The malware supports a broad command set that enables persistent access and lateral misuse: signalling infection to the server; listening on or closing specific ports; connecting to remote servers; spawning a shell; uploading and downloading files or directories; starting a SOCKS5 proxy on the infected host; and forwarding to another node. Kaspersky warned that "GoSerpent can establish SOCKS5 proxy servers to route traffic through compromised hosts, enabling attackers to access other networks while masking their true IP addresses."

Auxiliary tools: ThumbcacheService, Mimikatz, QuarksDumpLocalHash, McMx

GoSerpent is not presented as a lone tool but as a delivery mechanism for a suite of follow-on modules. Kaspersky documented a chain that begins with a file-collection DLL named ThumbcacheService, which is used to harvest sensitive files over months. The campaign also used credential-dumping tools: Mimikatz to extract memory from the LSASS process and QuarksDumpLocalHash to pull local account password hashes from the SAM registry hive.

Other utilities observed in the intrusions include McMx RAT, described as a lightweight Go-based proxy and remote access tool providing SOCKS5 proxying, port forwarding, file transfer and remote shell functionality. The combined toolkit enabled both covert data harvesting and the credential access necessary to stage exfiltration across network-shared drives.

May 2026 resurgence: Stowaway, TmcLoader, and TmcPayload

Kaspersky reports that after months of covert collection the operators returned in May 2026 with an evolved toolbox intended to move and extract the accumulated material. The new components included Stowaway, a proxy and remote access tool with SOCKS5 proxying, port forwarding, reverse tunneling, remote shell access, file transfer and SSH-based tunneling; TmcLoader, a C++ loader module containing an encrypted payload called TmcPayload; and TmcPayload itself, used to exfiltrate stored sensitive data from victim machines.

Kaspersky characterized the campaign as demonstrating "sophisticated operational planning," pointing to the chain from ThumbcacheService to TmcLoader/TmcPayload as evidence that harvesting and later extraction were planned phases of the operation.

Overlap with TetrisPhantom and attribution status

Although Kaspersky stopped short of firm attribution — noting that "definitive attribution remains cloudy at best" — the vendor reported that the campaign shares targeting, technical capabilities and operational overlaps with a previously documented actor it calls TetrisPhantom. Kaspersky first described TetrisPhantom in October 2023 as a "highly skilled and resourceful threat actor" targeting government entities in the Asia-Pacific region, and highlighted similarities in both toolset composition and the campaign's use of removable media and chained modules to move data.

How technologists, government and military establishments should respond

  • Technologists and security teams: Monitor for the behavioral indicators Kaspersky describes — processes that accept encrypted, Base64-encoded command-line arguments; unexpected SOCKS5 listeners; and the presence of ThumbcacheService, McMx RAT, Mimikatz or QuarksDumpLocalHash. Watch for scheduled or staged activity that separates months of collection from a later extraction phase.
  • Government and diplomatic entities: Be aware that the campaign specifically targets government and diplomatic networks in Southeast Asia and that operators have used long dwell times to accumulate files before returning to exfiltrate them. Controls around network-shared drives and removable media should be reassessed in light of the documented tactics.
  • Military and defence establishments: The disclosure arrived alongside a separate, targeted operation described by Cyderes Howler Cell against Bangladesh's military and defence organizations. Cyderes reported spear-phishing using an RTF with remote template injection to fetch a VBA macro that then delivers a DLL implant; the attackers used geofencing to restrict payload delivery to victims inside the target region and built modular follow-on download capability into a second-stage DLL called "ejtest.dll."

Kaspersky's report and the contemporaneous Cyderes Howler Cell disclosure together show parallel espionage patterns: multi-stage implants, credential dumping, SOCKS5 proxying and carefully staged exfiltration. Where attribution remains uncertain, the observable facts are concrete: operators harvested data for months and returned in May 2026 with a different toolchain designed to pull that data out. The remaining practical question is what specific files were staged and where TmcPayload moved them after extraction — a detail the published findings do not enumerate.

Original story