New GoSerpent Malware Targets Southeast Asian Governments and Diplomats for Espionage
Cybersecurity researchers have discovered a previously undocumented malware called GoSerpent that has been put to use in cyber attacks targeting entities in Southeast Asia since late 2025 with a focus on long-term access and intelligence gathering.
Intelligence analysis by Llama

GoSerpent is a malware designed to contact an external server and deploy secondary payloads on sensitive data collection and credential dumping on the system. It has been used in cyber attacks targeting entities in Southeast Asia since late 2025.
Imagine someone created a special kind of computer virus called GoSerpent that can sneak into computers and steal sensitive information. This virus is designed to contact an external server and deploy secondary payloads on sensitive data collection and credential dumping on the system. It's like a sneaky thief that can hide in plain sight and steal valuable information without being detected.
Analysis
A Sophisticated Malware Campaign
Cybersecurity researchers have discovered a previously undocumented malware called GoSerpent that has been put to use in cyber attacks targeting entities in Southeast Asia since late 2025 with a focus on long-term access and intelligence gathering. Russian cybersecurity company Kaspersky, which uncovered the activity in February 2026, said it was aimed at government and diplomatic entities in the region.
GoSerpent is designed to contact an external server and deploy secondary payloads on sensitive data collection and credential dumping on the system. The malware functions by receiving encrypted and Base64-encoded command-line arguments containing the command-and-control (C2) address and communication password. Once decrypted, the backdoor connects to the C2 server over an encrypted connection, where the SHA256 hash of the communication password serves as the encryption key.
The list of supported commands is listed below -
- To alert the server of an active infection
- Start listening on a specific port
- Close a listening port
- Connect to a remote server
- Spawn a shell on the infected machine
- Upload a file or directory to the server
- Download from the server
- Start a SOCKS5 proxy on the infected machine
- Forward to a connected node
GoSerpent can establish SOCKS5 proxy servers to route traffic through compromised hosts, enabling attackers to access other networks while masking their true IP addresses. The backdoor is capable of deploying additional malicious tools, including ThumbcacheService for file collection, Mimikatz for credential dumping, and QuarksDumpLocalHash for local account password hash extraction.
Some of the other tools deployed over the course of the attacks are as follows -
- McMx RAT, a basic Go-based proxy and remote access tool that's a lightweight version of GoSerpent with capabilities such as SOCKS5 proxying, port forwarding, file transfer, and remote shell
- ThumbcacheService, a DLL that supplements GoSerpent with a sophisticated file collection mechanism
- Mimikatz, to dump memory from the Local Security Authority Subsystem Service (LSASS) process to extract credential material
- QuarksDumpLocalHash, to extract local account password hashes from the SAM registry hive
After months of covert data harvesting, the threat actors behind the activity are said to have returned to the compromised environment in May 2026 to deploy another set of tools -
- Stowaway, a proxy and remote access tool with SOCKS5 proxying, port forwarding, reverse tunneling, remote shell access, file transfer, and SSH-based tunneling features
- TmcLoader, a C++ loader module that contains an encrypted payload dubbed TmcPayload
- TmcPayload, to exfiltrate stored sensitive data from the victim's machine
What makes this threat particularly concerning is the strategic deployment of various tools with sophisticated data collection and exfiltration capabilities. The chain from ThumbcacheService to TmcLoader/TmcPayload demonstrates sophisticated operational planning.
Although definitive attribution remains cloudy at best, the security vendor said the campaign shares targeting, technical capabilities, and operational overlaps with TetrisPhantom, a highly skilled and resourceful threat actor it first documented in October 2023 as targeting government entities in the Asia-Pacific (APAC) region.
Key points
- GoSerpent is a malware designed to contact an external server and deploy secondary payloads on sensitive data collection and credential dumping on the system.
- The malware has been used in cyber attacks targeting entities in Southeast Asia since late 2025 with a focus on long-term access and intelligence gathering.
- GoSerpent can establish SOCKS5 proxy servers to route traffic through compromised hosts, enabling attackers to access other networks while masking their true IP addresses.
- The backdoor is capable of deploying additional malicious tools, including ThumbcacheService for file collection, Mimikatz for credential dumping, and QuarksDumpLocalHash for local account password hash extraction.
The discovery of GoSerpent highlights the ongoing threat of cyber espionage, but it also shows that cybersecurity researchers are actively working to uncover and mitigate these threats. This could lead to improved security measures and a safer online environment for all.
The use of GoSerpent in cyber attacks targeting entities in Southeast Asia since late 2025 with a focus on long-term access and intelligence gathering is a concerning development. It highlights the ongoing threat of cyber espionage and the need for increased security measures to protect sensitive information.



