GoSerpent Malware Strikes Southeast Asia, Linked to TetrisPhantom APT
A previously undocumented malware, **GoSerpent**, has been actively targeting government and diplomatic entities in Southeast Asia since late 2025. Uncovered by **Kaspersky**, this sophisticated threat focuses on long-term access and intelligence gathering, deploying a suite of tools for data exfiltration and credential dumping. The campaign shows significant overlaps with the **TetrisPhantom** APT.
Cybersecurity researchers have unearthed **GoSerpent**, a new malware variant employed in cyberattacks against Southeast Asian organizations since late 2025. The primary objective of these ongoing operations is to establish long-term access and facilitate intelligence gathering.
**Kaspersky**, the Russian cybersecurity firm that identified the activity in February 2026, confirmed that government and diplomatic entities in the region are the primary targets. **GoSerpent** is designed to communicate with external servers, enabling the deployment of secondary payloads for sensitive data collection and credential dumping.
"Monitoring the activities of this threat actor revealed that in May 2026 they came back with an evolved set of malicious tools: new **Stowaway RAT** and proxy tool which resembled the initial malware as well as an additional stealthy tool to exfiltrate sensitive data collected for the previous few months through network share," stated security researcher Noushin Shabab.
The ultimate goal of these efforts is to harvest sensitive files and prepare them for subsequent exfiltration using a data collection tool named **ThumbcacheService**. The attacks also leverage credential dumping tools via **GoSerpent** to capture system credentials, crucial for facilitating data exfiltration through network shared drives.
Earlier iterations of the Go-based implant and remote access trojan (**RAT**) have been in use since 2021 against victims in Southeast Asia, with the most recent variants deployed this year.
### How GoSerpent Operates
The malware functions by receiving encrypted and Base64-encoded command-line arguments. These arguments contain the command-and-control (**C2**) address and a communication password. Once decrypted, the backdoor establishes an encrypted connection to the **C2** server, using the SHA256 hash of the communication password as the encryption key.
**GoSerpent** supports a range of commands, including:
* Alerting the server of an active infection
* Starting or closing a listening port
* Connecting to a remote server
* Spawning a shell on the infected machine
* Uploading or downloading files and directories
* Initiating a **SOCKS5** proxy
* Forwarding traffic to a connected node
"**GoSerpent** can establish **SOCKS5** proxy servers to route traffic through compromised hosts, enabling attackers to access other networks while masking their true IP addresses," **Kaspersky** explained. "The backdoor is capable of deploying additional malicious tools, including **ThumbcacheService** for file collection, **Mimikatz** for credential dumping, and **QuarksDumpLocalHash** for local account password hash extraction."
### Associated Malicious Tools
Throughout the attacks, several other tools have been deployed:
* **McMx RAT**: A basic Go-based proxy and **RAT**, offering **SOCKS5** proxying, port forwarding, file transfer, and remote shell capabilities.
* **ThumbcacheService**: A DLL that enhances **GoSerpent** with sophisticated file collection mechanisms.
* **Mimikatz**: Utilized to dump memory from the Local Security Authority Subsystem Service (**LSASS**) process to extract credential material.
* **QuarksDumpLocalHash**: Designed to extract local account password hashes from the **SAM** registry hive.
After months of covert data harvesting, the threat actors reportedly re-entered the compromised environment in May 2026 to deploy a new set of tools:
* **Stowaway**: A proxy and **RAT** with **SOCKS5** proxying, port forwarding, reverse tunneling, remote shell access, file transfer, and SSH-based tunneling features.
* **TmcLoader**: A C++ loader module containing an encrypted payload.
* **TmcPayload**: Used to exfiltrate stored sensitive data from the victim's machine.
"What makes this threat particularly concerning is the strategic deployment of various tools with sophisticated data collection and exfiltration capabilities," **Kaspersky** noted. "The chain from **ThumbcacheService** to **TmcLoader**/**TmcPayload** demonstrates sophisticated operational planning."
### Link to TetrisPhantom APT
While definitive attribution remains challenging, **Kaspersky** indicates that the campaign shares targeting, technical capabilities, and operational overlaps with **TetrisPhantom**. This "highly skilled and resourceful threat actor" was first documented by **Kaspersky** in October 2023, targeting government entities in the Asia-Pacific (**APAC**) region.
"The attacker covertly spied on and harvested sensitive data from **APAC** government entities by exploiting a particular type of secure USB drive, protected by hardware encryption to ensure the secure storage and transfer of data between computer systems," the company detailed at the time.
### DoNot Team's Espionage Operations

This disclosure comes as **Cyderes Howler Cell** revealed a targeted cyber espionage operation by the **DoNot Team**. This group is specifically targeting Bangladesh's military and defense establishments. The attack employs spear-phishing emails containing malware-laced **RTF** documents to drop a DLL implant. This implant establishes scheduled-task persistence, disguised as **OneDrive** telemetry, profiles the host, and beacons to a **C2** server over **HTTPS**.
"The **RTF** uses remote template injection to fetch a **VBA** macro, with server-side geofencing restricting payload delivery to victims inside the target region," explained researchers Reegun Jayapaul, Rahul Ramesh, and Baskar M. "Once the macro runs, it injects architecture-aware shellcode through callback-based API abuse. The shellcode moves through several XOR-encoded stages, each pulled from the same **C2** domain under benign-looking file extensions."
The implant then delivers a second-stage DLL (**"ejtest.dll"**), which features modular download capabilities for follow-on payloads. Attribution to the **DoNot Team** is based on similar **C2 URI** paths, matching **AES** key material, **VBA**-based shellcode injection techniques, and geofenced payload delivery that serves clean templates to non-targets.