GoSerpent Backdoor and Stowaway RAT Target Government Entities in Southeast Asia for Data Exfiltration
An unnamed threat actor is deploying a sophisticated two-phase attack, utilizing the GoSerpent backdoor, Stowaway RAT, and custom tools like ThumbcacheService and TmcLoader/TmcPayload, to persistently collect sensitive data and credentials from government and diplomatic entities in Southeast Asia for exfiltration.
Since late 2025, an unnamed threat actor has been conducting a persistent, two-phase campaign targeting government and diplomatic organizations in Southeast Asia. The initial phase leverages the GoSerpent backdoor, a Go-based remote access Trojan first observed in 2021, which utilizes encrypted command-line arguments for C2 communication and masquerades as legitimate processes (lass.exe, updates.exe). GoSerpent is used to deploy additional tools, including a data collection utility named ThumbcacheService, and credential dumping tools like Mimikatz and QuarksDumpLocalHash. After several weeks of data and credential collection, a second phase begins, involving the deployment of the Stowaway RAT and the TmcLoader/TmcPayload module for stealthy, automated data exfiltration through network shares. This sophisticated operation demonstrates a high level of planning and technical capability focused on long-term data theft.
Attack Chain
- Initial Deployment: The GoSerpent backdoor, a Go-based remote access Trojan, is deployed on target systems. This variant receives encrypted and base64-encoded command-line arguments containing C2 server addresses and communication passwords.
- Persistence and Tool Delivery: GoSerpent establishes persistence by using filenames that mimic legitimate system processes (e.g.,
lass.exe,updates.exe) and is then used to deploy secondary malicious tools. - Data Collection Setup: GoSerpent deploys
ThumbcacheService, a malicious DLL registered as a Windows service. This service collects.doc,.docx,.pdf,.xls, and.xlsxfiles, archives them with 7-Zip using a specific password (@vx0a9n5W2M0c3D6.#), and stores them inC:\Users\Public\thumbcache_605a.db. - Credential Dumping: Concurrently, GoSerpent deploys credential dumping tools such as Mimikatz and QuarksDumpLocalHash to extract cached credentials from LSASS and local account password hashes from the SAM registry hive.
- Second Stage RAT Deployment: After a period of data collection, the actor deploys
Stowaway, another Go-based RAT and proxy tool, which supports SOCKS5 proxying, port forwarding, and remote shell access via TCP, HTTP, or WebSocket, encrypted with AES-256-GCM or TLS. - Exfiltration Module Delivery:
StowawaydeliversTmcLoader(a C++ loader registered as a Windows service) and an encrypted configuration file{BBF061R2-BE25-4F6D-8B2D-1A6A39C3FSA2}.dbto the victim machine. - Payload Injection:
TmcLoaderdecrypts an embedded payload,TmcPayload, and injects it into the memory space ofsvchost.exeto maintain persistence and evade detection. - Automated Data Exfiltration:
TmcPayloaduses the previously collected credentials to access a network share and exfiltrate the sensitive archived data collected byThumbcacheService.
Impact
The impact of these attacks includes significant data breaches, specifically the theft of sensitive documents (Microsoft Office files, PDFs) and system credentials from government and diplomatic entities in Southeast Asia. This persistent threat model allows the actor to establish long-term access, continuously collect intelligence, and exfiltrate information over an extended period. Successful compromise could lead to espionage, loss of intellectual property, and compromise of critical government operations, potentially affecting national security and international relations for victim countries.
Recommendation
- Deploy the Sigma rules in this brief to your SIEM and tune for your environment.
- Enable Sysmon event logging for process creation (
Event ID 1), file creation (Event ID 11), and registry modifications (Event ID 12/13/14) to activate the rules above. - Monitor for the creation of
ThumbcacheServiceandTmcLoaderas new Windows services using theDetect GoSerpent Related Service Creationrule. - Monitor for the creation of unique database files
thumbcache_605a.dband{BBF061R2-BE25-4F6D-8B2D-1A6A39C3FSA2}.dbinC:\Users\Public\andC:\Users\Public\Libraries\as detected by theDetect GoSerpent Related Database File Creationrule. - Implement strong application whitelisting and monitor for the execution of known credential dumping tools like Mimikatz or QuarksDumpLocalHash, as detected by the
Detect GoSerpent Credential Dumping Tools Executionrule.
Detection coverage 3
Detect GoSerpent Related Service Creation
highDetects the creation of Windows services related to the GoSerpent campaign, specifically ThumbcacheService and TmcLoader, used for data collection and exfiltration.
Detect GoSerpent Related Database File Creation
highDetects the creation of specific database files (thumbcache_605a.db, {BBF061R2-BE25-4F6D-8B2D-1A6A39C3FSA2}.db) used by the GoSerpent campaign for data collection and configuration.
Detect GoSerpent Credential Dumping Tools Execution
criticalDetects the execution of Mimikatz or QuarksDumpLocalHash, tools deployed by GoSerpent for credential access.
Detection queries are available on the platform. Get full rules →