Advertisement
Cyber Crime

GoSerpent Malware’s Deep State Intrusion

A newly identified backdoor is enabling long-term espionage against Southeast Asian government and diplomatic networks.

··2 hours ago·2 min read
a computer monitor with a lot of code on it
Photo by Steve A Johnson on Unsplash
Advertisement

The emergence of GoSerpent marks a significant escalation in targeted digital espionage within Southeast Asia, where persistent actors have been methodically gathering intelligence since late 2025. This sophisticated campaign prioritizes long-term access, allowing threat actors to maintain a foothold within sensitive government and diplomatic environments while systematically exfiltrating data.

The Anatomy of Stealthy Access

Discovered by Kaspersky in February 2026, the GoSerpent backdoor is a custom-built implant designed for high-stakes credential harvesting and payload deployment. Once established, the malware utilizes encrypted, Base64-encoded command-line arguments to establish a connection with its command-and-control server. The communication protocol is secured by a password whose SHA256 hash serves as the primary encryption key for all incoming instructions.

Monitoring the activities of this threat actor revealed that in May 2026 they came back with an evolved set of malicious tools: new Stowaway RAT and proxy tool which resembled the initial malware as well as an additional stealthy tool to exfiltrate sensitive data collected for the previous few months through network share.

— Noushin Shabab, security researcher

Evolving Toolsets and Payloads

The operation is characterized by its modularity, frequently swapping components to maximize impact and maintain persistence. Attackers utilize a variety of specialized tools to interact with infected systems and move laterally across compromised networks.

  • McMx RAT: A lightweight Go-based tool for SOCKS5 proxying, file transfer, and remote command execution.
  • ThumbcacheService: A sophisticated DLL module utilized for advanced file collection and staging.
  • Mimikatz: Employed to dump memory from the LSASS process for direct credential extraction.
  • QuarksDumpLocalHash: Used to pull local account hashes from the SAM registry hive.
  • Stowaway: A later-stage addition providing SOCKS5 proxying, port forwarding, and SSH-based tunneling.

Strategic Overlaps in Operations

While definitive attribution is difficult to establish, researchers have identified operational similarities between the current campaign and the activities of TetrisPhantom. Previously documented in October 2023, TetrisPhantom gained notoriety for its highly targeted TetrisPhantom attacks against APAC government entities. These earlier operations relied on the exploitation of secure, hardware-encrypted USB drives to bridge air-gapped systems and ensure long-term, covert data exfiltration.

Broader Risks to Regional Security

The persistence of these threat actors—evidenced by the continuous refinement of the GoSerpent implant since 2021—highlights the extreme difficulty of fully eradicating a motivated espionage presence from government infrastructure. Simultaneously, the discovery of DoNot Team activities targeting military and defense establishments in Bangladesh underscores a broader, regional trend of aggressive digital surveillance.

For affected organizations, the primary risk lies in the silent nature of these intrusions. Because the attackers employ legitimate-looking tools and network-level proxies to mask their activity, traditional perimeter defenses are often insufficient. Success against such threats requires an assumption of breach, focusing on rigorous internal monitoring of lateral movement, heartbeat detection for command-and-control beacons, and the strict auditing of administrative credential usage within sensitive network shares.

#malware#cyber espionage#goserpent#government security#threat intelligence

Xploitwire Editorial Team

Xploitwire Newsroom

This article was researched and drafted with AI assistance and reviewed by our editorial team before publication. About Xploitwire →

← Back to all stories
Advertisement