Published on July 17, 2026
New GoSerpent Malware Targets Southeast Asian Government and Diplomatic Entities for Cyber Espionage
Severity
High
Detail
Cybersecurity researchers have discovered a previously undocumented malware named GoSerpent, which has been used in cyber attacks targeting government and diplomatic organizations in Southeast Asia since late 2025. The activity was identified by Russian cybersecurity company Kaspersky in February 2026, with the attackers focusing on maintaining long-term access and gathering sensitive intelligence.
GoSerpent is a Go-based Remote Access Trojan (RAT) designed to communicate with external servers and deploy additional malicious tools for sensitive data collection and credential theft. Researchers observed that the threat actors continued evolving their malware toolkit by introducing new tools in May 2026, including an updated Stowaway RAT, a proxy tool, and additional tools used for collecting and exfiltrating sensitive information.
How?
GoSerpent operates by connecting to attacker-controlled command-and-control (C2) servers and receiving encrypted commands. The malware uses encrypted and Base64-encoded command-line arguments containing the C2 address and communication password. After decrypting the information, the malware establishes an encrypted connection with the C2 server.
The malware supports multiple commands, including:
- Alerting the server about an active infection.
- Opening and closing listening ports.
- Connecting to remote servers.
- Launching a shell on compromised machines.
- Uploading and downloading files.
- Creating SOCKS5 proxy connections.
- Forwarding traffic through compromised systems.
The attackers used GoSerpent to deploy additional malicious tools, including ThumbcacheService for file collection, Mimikatz for extracting credentials from the LSASS process, and QuarksDumpLocalHash for extracting local account password hashes from the SAM registry hive.
During the attack lifecycle, additional tools were deployed, including:
- McMx RAT, a lightweight Go-based proxy and remote access tool.
- Stowaway, a proxy and remote access tool with SOCKS5 proxying, port forwarding, reverse tunneling, remote shell access, file transfer, and SSH-based tunneling capabilities.
- TmcLoader, a C++ loader containing an encrypted payload.
- TmcPayload, a tool used to exfiltrate stored sensitive data from compromised systems.
Impact
The GoSerpent campaign resulted in the compromise of government and diplomatic entities in Southeast Asia. The attackers used the malware to maintain persistent access, collect sensitive files, extract credentials, and prepare collected information for exfiltration.
The attackers used ThumbcacheService to collect sensitive data over several months before deploying additional tools to transfer the collected information. The ability of GoSerpent to create SOCKS5 proxy connections also allowed attackers to route traffic through compromised systems while hiding their actual IP addresses.
Kaspersky stated that the combination of different malicious modules provided attackers with extensive control over compromised devices, allowing them to execute commands, collect information, and transfer data.
Conclusion
The discovery of GoSerpent highlights an ongoing cyber espionage campaign targeting government and diplomatic entities in Southeast Asia. The malware demonstrates advanced capabilities through persistent access, credential theft, proxy functionality, data collection, and exfiltration activities. The continuous development of related tools shows that the threat actors are actively improving their capabilities to conduct long-term intelligence-gathering operations.
Indicators of compromise (IOC)
File hashes
- GoSerpent
EBFFD5A76AAA690BCDB922F82E0BACC5
DC506FF7BB72735444FB3703A6BEE6D8
- McMx
D6E86BF8A90E9B632ADD5FA495F97FBC
- ThumbcacheService
CB6C4C70A3B171FA3404B8E1A3382116
64E9D1950E42BC98486DFD9919463D1C
- Stowaway
CBBB6D483737EA3566726E51752DFF40
7F223EE0716CE2AD56F55D3744419449
19F8BEFCB035F52BF70094E6B4F5779A
846EF7C1C7323849B2A778C5E4CDA162
- TmcLoader
D08A059E8B815E3B891505BC8777FC28
93A1569D5D5AB2C4761FEDF84F83709E
C2 IP addresses
- 152.32.160[.]239
- 8.220.194[.]108
- 8.220.214[.]132
- 8.220.209[.]155
- 8.220.193[.]189
- 101.36.104[.]87
- 144.48.6[.]46
- 103.138.13[.]30
- 47.80.22[.]58
- 152.32.222[.]113
- 43.106.30[.]226
Source
https://thehackernews.com/2026/07/new-goserpent-malware-targets-southeast.html
https://securelist.com/goserpent-backdoor-in-southeast-asia/120687/
