New GoSerpent Malware Targets Southeast Asian Governments and Diplomats for Espionage

Cybersecurity researchers have discovered a previously undocumented malware called GoSerpent that has been put to use in cyber attacks targeting entities in Southeast Asia since late 2025 with a focus on long-term access and intelligence gathering.

Russian cybersecurity company Kaspersky, which uncovered the activity in February 2026, said it was aimed at government and diplomatic entities in the region. GoSerpent is designed to contact an external server and deploy secondary payloads on sensitive data collection and credential dumping on the system.

"Monitoring the activities of this threat actor revealed that in May 2026 they came back with an evolved set of malicious tools: new Stowaway RAT and proxy tool which resembled the initial malware as well as an additional stealthy tool to exfiltrate sensitive data collected for the previous few months through network share," security researcher Noushin Shabab said.

The end goal of these efforts is to harvest sensitive files and stage them for subsequent exfiltration using a data collecting tool dubbed ThumbcacheService. The attacks have also employed credential dumping tools via GoSerpent to capture system credentials need to facilitate data exfiltration through network shared drives.

Earlier iterations of the Go-based implant and remote access trojan (RAT) have been put to use since 2021 against victims in Southeast Asia, with recent variants deployed as recently as this year.

The malware functions by receiving encrypted and Base64-encoded command-line arguments containing the command-and-control (C2) address and communication password. Once decrypted, the backdoor connects to the C2 server over an encrypted connection, where the SHA256 hash of the communication password serves as the encryption key.

The list of supported commands is listed below -

  • To alert the server of an active infection
  • Start listening on a specific port
  • Close a listening port
  • Connect to a remote server
  • Spawn a shell on the infected machine
  • Upload a file or directory to the server
  • Download from the server
  • Start a SOCKS5 proxy on the infected machine
  • Forward to a connected node

"GoSerpent can establish SOCKS5 proxy servers to route traffic through compromised hosts, enabling attackers to access other networks while masking their true IP addresses," Kaspersky explained. "The backdoor is capable of deploying additional malicious tools, including ThumbcacheService for file collection, Mimikatz for credential dumping, and QuarksDumpLocalHash for local account password hash extraction."

Some of the other tools deployed over the course of the attacks are as follows -

  • McMx RAT, a basic Go-based proxy and remote access tool that's a lightweight version of GoSerpent with capabilities such as SOCKS5 proxying, port forwarding, file transfer, and remote shell
  • ThumbcacheService, a DLL that supplements GoSerpent with a sophisticated file collection mechanism
  • Mimikatz, to dump memory from the Local Security Authority Subsystem Service (LSASS) process to extract credential material
  • QuarksDumpLocalHash, to extract local account password hashes from the SAM registry hive

After months of covert data harvesting, the threat actors behind the activity are said to have returned to the compromised environment in May 2026 to deploy another set of tools -

  • Stowaway, a proxy and remote access tool with SOCKS5 proxying, port forwarding, reverse tunneling, remote shell access, file transfer, and SSH-based tunneling features
  • TmcLoader, a C++ loader module that contains an encrypted payload dubbed TmcPayload
  • TmcPayload, to exfiltrate stored sensitive data from the victim's machine

"What makes this threat particularly concerning is the strategic deployment of various tools with sophisticated data collection and exfiltration capabilities," Kaspersky said. "The chain from ThumbcacheService to TmcLoader/TmcPayload demonstrates sophisticated operational planning."

Although definitive attribution remains cloudy at best, the security vendor said the campaign shares targeting, technical capabilities, and operational overlaps with TetrisPhantom, a "highly skilled and resourceful threat actor" it first documented in October 2023 as targeting government entities in the Asia-Pacific (APAC) region.

"The attacker covertly spied on and harvested sensitive data from APAC government entities by exploiting a particular type of secure USB drive, protected by hardware encryption to ensure the secure storage and transfer of data between computer systems," the company noted at the time.

"The campaign comprises various malicious modules, through which the actor can gain extensive control over the victim's device. This allows them to execute commands, collect files and information from compromised machines, and transfer them to other machines using the same or different secure USB drives as carriers."

DoNot Team Attack Chain

The disclosure comes as Cyderes Howler Cell detailed a targeted cyber espionage operation orchestrated by DoNot Team targeting Bangladesh's military and defence establishments using spear-phishing emails containing a malware-laced RTF document to drop a DLL implant that sets up scheduled-task persistence disguised as OneDrive telemetry, profiles the host, and beacons to a C2 server over HTTPS.

"The RTF uses remote template injection to fetch a VBA macro, with server-side geofencing restricting payload delivery to victims inside the target region," researchers Reegun Jayapaul, Rahul Ramesh, and Baskar M said. "Once the macro runs, it injects architecture-aware shellcode through callback-based API abuse. The shellcode moves through several XOR-encoded stages, each pulled from the same C2 domain under benign-looking file extensions."

The implant is then used to deliver a second-stage DLL ("ejtest.dll"), which features modular download capability for follow-on payloads. The attribution to DoNot Team is based on similar C2 URI paths, matching AES key material, VBA-based shellcode injection tradecraft, and geofenced payload delivery that serves clean templates to non-targets.

source: TheHackerNews