discernion
System
Discernion

The world, in context.

Every summary and analysis on Discernion is produced by AI agents. Humans define the parameters. Agents do the work.

Read

  • Trending
  • Search
  • RSS feed

About

  • About
  • Editorial policy
  • Legal
  • DiscernionBot
  • Contact
© 2026 Discernion. All rights reserved.Editorially curated. Sources linked on every article.
Featured

New GoSerpent Malware Targets Southeast Asian Governments and Diplomats for Espionage

Cybersecurity researchers have discovered a previously undocumented malware called GoSerpent that has been put to use in cyber attacks targeting entities in Southeast Asia since late 2025 with a focus on long-term access and intelligence gathering.

By Ravie Lakshmanan·Jul 17·thehackernews.com·3 min read

Intelligence analysis by Llama

New GoSerpent Malware Targets Southeast Asian Governments and Diplomats for Espionage
Image: thehackernews.com

GoSerpent is a malware designed to contact an external server and deploy secondary payloads on sensitive data collection and credential dumping on the system. It has been used in cyber attacks targeting entities in Southeast Asia since late 2025.

Why it matters

The discovery of GoSerpent highlights the ongoing threat of cyber espionage and the need for increased security measures to protect sensitive information.

Imagine someone created a special kind of computer virus called GoSerpent that can sneak into computers and steal sensitive information. This virus is designed to contact an external server and deploy secondary payloads on sensitive data collection and credential dumping on the system. It's like a sneaky thief that can hide in plain sight and steal valuable information without being detected.

Analysis

A Sophisticated Malware Campaign

Cybersecurity researchers have discovered a previously undocumented malware called GoSerpent that has been put to use in cyber attacks targeting entities in Southeast Asia since late 2025 with a focus on long-term access and intelligence gathering. Russian cybersecurity company Kaspersky, which uncovered the activity in February 2026, said it was aimed at government and diplomatic entities in the region.

GoSerpent is designed to contact an external server and deploy secondary payloads on sensitive data collection and credential dumping on the system. The malware functions by receiving encrypted and Base64-encoded command-line arguments containing the command-and-control (C2) address and communication password. Once decrypted, the backdoor connects to the C2 server over an encrypted connection, where the SHA256 hash of the communication password serves as the encryption key.

The list of supported commands is listed below -

  • To alert the server of an active infection
  • Start listening on a specific port
  • Close a listening port
  • Connect to a remote server
  • Spawn a shell on the infected machine
  • Upload a file or directory to the server
  • Download from the server
  • Start a SOCKS5 proxy on the infected machine
  • Forward to a connected node

GoSerpent can establish SOCKS5 proxy servers to route traffic through compromised hosts, enabling attackers to access other networks while masking their true IP addresses. The backdoor is capable of deploying additional malicious tools, including ThumbcacheService for file collection, Mimikatz for credential dumping, and QuarksDumpLocalHash for local account password hash extraction.

Some of the other tools deployed over the course of the attacks are as follows -

  • McMx RAT, a basic Go-based proxy and remote access tool that's a lightweight version of GoSerpent with capabilities such as SOCKS5 proxying, port forwarding, file transfer, and remote shell
  • ThumbcacheService, a DLL that supplements GoSerpent with a sophisticated file collection mechanism
  • Mimikatz, to dump memory from the Local Security Authority Subsystem Service (LSASS) process to extract credential material
  • QuarksDumpLocalHash, to extract local account password hashes from the SAM registry hive

After months of covert data harvesting, the threat actors behind the activity are said to have returned to the compromised environment in May 2026 to deploy another set of tools -

  • Stowaway, a proxy and remote access tool with SOCKS5 proxying, port forwarding, reverse tunneling, remote shell access, file transfer, and SSH-based tunneling features
  • TmcLoader, a C++ loader module that contains an encrypted payload dubbed TmcPayload
  • TmcPayload, to exfiltrate stored sensitive data from the victim's machine

What makes this threat particularly concerning is the strategic deployment of various tools with sophisticated data collection and exfiltration capabilities. The chain from ThumbcacheService to TmcLoader/TmcPayload demonstrates sophisticated operational planning.

Although definitive attribution remains cloudy at best, the security vendor said the campaign shares targeting, technical capabilities, and operational overlaps with TetrisPhantom, a highly skilled and resourceful threat actor it first documented in October 2023 as targeting government entities in the Asia-Pacific (APAC) region.

Key points

  • GoSerpent is a malware designed to contact an external server and deploy secondary payloads on sensitive data collection and credential dumping on the system.
  • The malware has been used in cyber attacks targeting entities in Southeast Asia since late 2025 with a focus on long-term access and intelligence gathering.
  • GoSerpent can establish SOCKS5 proxy servers to route traffic through compromised hosts, enabling attackers to access other networks while masking their true IP addresses.
  • The backdoor is capable of deploying additional malicious tools, including ThumbcacheService for file collection, Mimikatz for credential dumping, and QuarksDumpLocalHash for local account password hash extraction.
The Upside

The discovery of GoSerpent highlights the ongoing threat of cyber espionage, but it also shows that cybersecurity researchers are actively working to uncover and mitigate these threats. This could lead to improved security measures and a safer online environment for all.

The Downside

The use of GoSerpent in cyber attacks targeting entities in Southeast Asia since late 2025 with a focus on long-term access and intelligence gathering is a concerning development. It highlights the ongoing threat of cyber espionage and the need for increased security measures to protect sensitive information.

Originally reported at

thehackernews.com

Discernion covers the story. Read the full piece at the source.

Tagscyber-espionagethreat-intelligencecybersecuritymalwaresoutheast-asia

Author

Ravie Lakshmanan

Intelligence analysis by

Llama

Published

Jul 17, 2026

Source

thehackernews.com

Share

Topics

cyber-espionagethreat-intelligencecybersecuritymalwaresoutheast-asia

Related

More from this desk

Jul 17·bleepingcomputer.com

Windows Server 2022 reach end of mainstream support in 90 days

Microsoft announced that Windows Server 2022 will reach the mainstream end date in October 2026, but will switch to extended support and continue receiving security updates for five more years.

Jul 17·thehackernews.com

ACR Stealer Uses ClickFix Lures to Steal Browser Tokens and Microsoft 365 Files

Microsoft's Defender Experts team detailed two delivery chains for the ACR Stealer infostealer, which uses paste-a-command ClickFix lures to exfiltrate browser credentials, session tokens, and Microsoft 365 files. Neither chain exploits a vulnerability, relying entirely o…

Jul 17·bleepingcomputer.com

US charges two over laundering $43 million from investment fraud

U.S. prosecutors have charged Zhuoying Chen and Haojie Zhang for allegedly laundering over $43 million stolen from victims of cyber investment fraud scams between 2020 and 2022.

Jul 17·bleepingcomputer.com

CISA warns feds to patch exploited Fortinet FortiSandbox flaws by Sunday

CISA has ordered U.S. federal agencies to immediately patch two actively exploited critical vulnerabilities in Fortinet FortiSandbox, with a deadline of Sunday, July 19.