Recently, cybersecurity experts identified a new malware, GoSerpent, actively targeting government and diplomatic organizations in Southeast Asia. This malware has been in use since late 2025 and aims to maintain prolonged access to collect intelligence.
Targeted Cyber Attacks in Southeast Asia
According to Kaspersky, the Russian cybersecurity firm that discovered GoSerpent in February 2026, the malware primarily targets governmental and diplomatic entities. It operates by connecting to external servers, deploying secondary payloads to collect data, and capturing credentials from affected systems.
In May 2026, the threat actors behind GoSerpent introduced new tools. These included the Stowaway RAT and a proxy tool that evolved from the initial malware. A sophisticated method to stealthily extract sensitive data over network shares was also uncovered.
Technical Details and Capabilities
The ultimate goal of GoSerpent is to gather and exfiltrate sensitive files using a data collection tool named ThumbcacheService. The malware also employs credential dumping tools to facilitate data extraction through shared network drives. Earlier versions of this Go-based implant have been used since 2021, with updates occurring as recently as this year.
GoSerpent is capable of receiving encrypted command-line arguments containing command-and-control (C2) server addresses and passwords. Once decrypted, it establishes an encrypted connection with the C2 server, using the SHA256 hash of the password as the encryption key.
Advanced Threat Actor Techniques
The malware can execute various commands, such as alerting the server of infections, opening and closing ports, connecting to remote servers, and more. It can establish SOCKS5 proxy servers, allowing attackers to disguise their IP addresses while accessing other networks.
Additional tools used in these attacks include McMx RAT, a lightweight variant of GoSerpent, and Mimikatz for extracting credential material from the Local Security Authority Subsystem Service (LSASS). In May 2026, attackers returned to compromised systems to deploy further tools, such as Stowaway and TmcLoader.
Implications and Future Outlook
The strategic deployment of various tools with advanced data collection and exfiltration capabilities is concerning, as noted by Kaspersky. The campaign shows technical overlap with TetrisPhantom, a previously documented threat actor targeting government bodies in the Asia-Pacific region.
As cyber threats continue to evolve, organizations in Southeast Asia need to bolster their cybersecurity measures to protect sensitive information from sophisticated attacks like those orchestrated by GoSerpent.
