Researchers Uncover GoSerpent Malware Used to Spy on Southeast Asian Governments

Researchers have identified GoSerpent, a new espionage malware framework designed to maintain long-term access and steal sensitive government data across Southeast Asia.
Illustration of the GoSerpent cyber espionage campaign showing a black serpent wrapped around a laptop displaying malware, with attack paths targeting Southeast Asia on a world map in the background.

Security researchers have uncovered a previously undocumented malware family called GoSerpent that has reportedly been used in cyber espionage campaigns targeting government and diplomatic organizations across Southeast Asia since late 2025.

The malware, discovered by Kaspersky researchers during an investigation that began in February 2026, is designed to maintain long-term access inside compromised networks while quietly collecting sensitive information for later exfiltration. Researchers say the operation appears focused on intelligence gathering rather than financial gain.

Long-term espionage over immediate disruption

According to Kaspersky, the threat actor’s objective is persistence. Rather than immediately stealing data, the attackers reportedly establish a foothold, collect documents and credentials over an extended period, and later return to exfiltrate the accumulated information.

Researchers observed the attackers deploying updated tooling in May 2026, suggesting the campaign remains active. The newer toolkit includes additional remote access capabilities and dedicated utilities for staging and exporting sensitive files that had been collected during previous months.

This patient approach is consistent with advanced cyber espionage operations, where maintaining covert access often provides greater intelligence value than conducting immediate data theft.

Go-based backdoor deploys multiple payloads

GoSerpent is written in the Go programming language and functions as a modular backdoor capable of receiving encrypted command-and-control instructions before deploying additional malware.

Once active, the implant can establish encrypted communications with an external server, execute remote commands, upload and download files, launch remote shells, and create SOCKS5 proxy tunnels that allow attackers to pivot through compromised networks while masking their origin.

Researchers said the malware also supports port forwarding and reverse tunneling, capabilities commonly used by advanced threat actors to move laterally across enterprise environments.

Credential theft and staged data collection

Rather than relying on a single malware component, the campaign reportedly combines several specialized tools.

Researchers observed GoSerpent deploying Mimikatz to dump credentials from Windows memory, alongside QuarksDumpLocalHash to extract password hashes from local accounts.

Another component, ThumbcacheService, was reportedly used to collect and organize sensitive files before they were transferred out of victim environments. Months later, the attackers allegedly returned with additional malware including Stowaway, TmcLoader, and TmcPayload to retrieve the staged information.

According to Kaspersky, this multi-stage workflow demonstrates deliberate operational planning intended to minimize detection while maximizing intelligence collection.

Possible links to earlier espionage activity

Kaspersky stopped short of attributing the campaign to a known threat actor but noted similarities with a previously documented espionage cluster known as TetrisPhantom.

The researchers identified overlaps in victimology, operational behavior, and technical capabilities, although they said the available evidence is insufficient to conclusively attribute the activity to the same group.

TetrisPhantom was previously associated with espionage campaigns targeting government organizations across the Asia-Pacific region using compromised secure USB devices to move malware between isolated systems.

Researchers continue tracking new malware

The discovery of GoSerpent highlights the continued evolution of cyber espionage operations targeting government networks throughout the Asia-Pacific region. Rather than deploying destructive malware or ransomware, campaigns like GoSerpent prioritize stealth, long-term persistence, credential theft, and gradual intelligence collection before quietly exfiltrating sensitive information.

The disclosure also follows several recent malware discoveries covered by BreachNews, including the Spirals ransomware family and the ModBeacon malware framework, reflecting the steady emergence of new malware designed for different operational objectives.

Picture of m00s3c

m00s3c

Moose (@m00s3c) is the author of BreachNews, focusing on data breach intelligence, dark web monitoring, and threat analysis. His work involves analyzing breach claims, reviewing leaked datasets, and tracking threat actor activity to provide clear, factual reporting.

Latest News

BREACHNEWS.COM/SUPPORT/

Support Independent News.

Help support breach monitoring, investigations, infrastructure, and reporting.

Support the site
INTEL.BREACHNEWS.COM

Live Cyber
Threat Map

Explore live cyber activity, recent breach reports, KEV alerts, and public threat feeds from a single interactive dashboard.

Launch Threat Map