GoSerpent Malware Targets Southeast Asian Government And Diplomatic Organizations For Cyber Espionage

GoSerpent Malware Targets Southeast Asian Government And Diplomatic Organizations For Cyber Espionage

Cybersecurity researchers at Kaspersky have identified a previously undocumented malware family called GoSerpent that has been used in cyber espionage campaigns targeting government and diplomatic organizations across Southeast Asia since late 2025. The activity was first uncovered by Kaspersky in February 2026, with researchers reporting that the attacks focus on maintaining long term access to compromised systems while collecting sensitive information and credentials. According to the company, GoSerpent communicates with an external command and control server and is capable of deploying additional malware components designed for intelligence gathering, credential theft, and data exfiltration. Kaspersky researcher Noushin Shabab stated that the threat actor returned in May 2026 with an updated toolkit that included a new version of Stowaway, a remote access and proxy tool, together with another stealthy component used to extract sensitive information that had been collected over several months through shared network locations. Researchers said the attackers demonstrated a structured approach by harvesting valuable files over an extended period before initiating large scale data exfiltration.

Kaspersky explained that GoSerpent is a Go based implant and remote access trojan that has evolved from earlier versions observed since 2021 in attacks targeting Southeast Asian organizations. The malware receives encrypted and Base64 encoded command line arguments containing the command and control server address together with a communication password. After decrypting these parameters, it establishes an encrypted connection with the command and control infrastructure, using the SHA256 hash of the communication password as the encryption key. Once active, GoSerpent allows attackers to notify command servers of successful infections, open and close listening ports, connect to remote systems, execute shell commands, upload and download files, forward network traffic, and establish SOCKS5 proxy services on compromised devices. According to Kaspersky, these proxy capabilities enable attackers to move through internal networks while concealing their original locations. Researchers also found that GoSerpent deploys several additional tools, including ThumbcacheService for collecting sensitive files, Mimikatz for extracting credentials from the Local Security Authority Subsystem Service process, and QuarksDumpLocalHash for obtaining password hashes stored in the Windows Security Account Manager registry database. Another malware component known as McMx RAT was also identified during the campaign, providing lightweight remote access, proxy services, file transfers, and remote shell functionality.

After months of covert activity, the attackers reportedly returned to compromised environments during May 2026 with another set of advanced tools that expanded their espionage capabilities. Kaspersky identified the deployment of Stowaway, a proxy and remote access utility supporting SOCKS5 proxying, reverse tunneling, port forwarding, secure shell tunneling, remote shell access, and file transfers. Researchers also observed a C++ based loader called TmcLoader, which decrypts and launches an encrypted payload known as TmcPayload. This component was specifically designed to exfiltrate sensitive information that had already been collected from victim systems. Kaspersky noted that the progression from ThumbcacheService, which gathers files over an extended period, to TmcLoader and TmcPayload for final data theft demonstrates carefully planned operational procedures rather than opportunistic attacks. Although the company stopped short of attributing the campaign to a specific threat actor, it found similarities in targeting methods, operational techniques, and technical capabilities with TetrisPhantom, a sophisticated cyber espionage operation first documented by Kaspersky in October 2023. That earlier campaign targeted government organizations across the Asia Pacific region by exploiting hardware encrypted secure USB devices to secretly collect and transfer sensitive information between computer systems.

In a related development, cybersecurity company Cyderes Howler Cell disclosed another cyber espionage campaign targeting military and defense organizations in Bangladesh. Researchers attributed the activity to DoNot Team, which reportedly distributed spear phishing emails containing malicious Rich Text Format documents. The documents used remote template injection to retrieve VBA macros that delivered architecture aware shellcode through callback based application programming interface techniques. According to the researchers, server side geofencing limited payload delivery to intended victims located within the target region, while users outside the targeted area received harmless templates. The malware eventually installed a DLL implant that established persistence through scheduled tasks disguised as OneDrive telemetry, collected system information, communicated with command and control infrastructure over HTTPS, and delivered a second stage DLL called ejtest.dll capable of downloading additional payloads. Cyderes Howler Cell linked the operation to DoNot Team based on similarities in command and control infrastructure, matching AES encryption keys, VBA based shellcode delivery methods, and geofenced payload distribution. Together, the findings highlight the continued use of advanced malware frameworks and modular espionage toolsets designed to maintain persistent access, harvest sensitive information, and support long term intelligence collection against government and diplomatic organizations across the Asia Pacific region.

Source

Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.

Post Comment