New GoSerpent Malware Targets Southeast Asian Governments and Diplomats for Espionage
A sophisticated Go-based implant, dubbed GoSerpent, has been utilized by an unidentified threat actor since late 2025 to conduct cyber espionage against government and diplomatic entities in Southeast Asia, focusing on long-term access, sensitive data collection, and credential dumping for exfiltration.
Since late 2025, a previously undocumented Go-based malware named GoSerpent has been actively targeting government and diplomatic entities across Southeast Asia. Discovered by Kaspersky in February 2026, this advanced persistent threat is designed for long-term access and intelligence gathering, evolving its toolset as recently as May 2026. The primary objective of the campaign is espionage, involving the collection of sensitive data, credential dumping, and subsequent exfiltration. The malware functions by receiving encrypted and Base64-encoded command-and-control (C2) details via command-line arguments, establishing secure communication, and deploying a variety of specialized tools. These tools include ThumbcacheService for sophisticated file collection, Mimikatz and QuarksDumpLocalHash for credential theft, and Stowaway and TmcPayload for advanced proxying, remote access, and data exfiltration, indicating a highly organized and stealthy operation.
Attack Chain
- Initial Compromise and GoSerpent Deployment: Unspecified initial access methods are used to deploy the GoSerpent implant onto target systems.
- C2 Communication Establishment: Upon execution, GoSerpent receives encrypted and Base64-encoded command-line arguments containing the C2 address and a communication password. It decrypts these arguments and establishes an encrypted connection to the C2 server, using the SHA256 hash of the communication password as the encryption key.
- Command Execution and Tool Deployment: GoSerpent receives commands from the C2 server, enabling it to spawn shells, transfer files, and deploy secondary malicious tools like
ThumbcacheService,Mimikatz, andQuarksDumpLocalHash. - Credential Dumping: The threat actor deploys
Mimikatzto extract credential material from the Local Security Authority Subsystem Service (LSASS) process andQuarksDumpLocalHashto retrieve local account password hashes from the Security Account Manager (SAM) registry hive. - Data Collection:
ThumbcacheService, a malicious DLL, is used to identify and collect sensitive files from the compromised system, preparing them for exfiltration. - SOCKS5 Proxy for Network Access: GoSerpent establishes SOCKS5 proxy servers on compromised hosts, allowing attackers to route traffic, access other internal networks, and mask their true IP addresses.
- Re-engagement and Advanced Tooling: In May 2026, the threat actor re-engages with compromised environments, deploying evolved tools including
Stowaway(a comprehensive proxy and remote access tool),TmcLoader(a C++ loader), andTmcPayload. - Final Data Exfiltration:
TmcPayloadis executed to exfiltrate the previously collected sensitive data from the victim's machine, often leveraging network shared drives.
Impact
The impact of the GoSerpent campaign is significant, primarily focusing on cyber espionage against government and diplomatic entities in Southeast Asia. Successful attacks lead to long-term unauthorized access to sensitive systems, extensive intelligence gathering, and the theft of critical government and diplomatic information. The compromise involves credential dumping, allowing attackers to escalate privileges and move laterally within the network. The exfiltration of sensitive files poses a severe risk of national security breaches, diplomatic incidents, and loss of classified information. Although specific victim counts are not provided, the targeting of such high-value entities indicates a potential for severe strategic and operational damage.
Recommendation
- Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect credential dumping activities.
- Enable Sysmon process-creation logging to capture executions of tools like Mimikatz and QuarksDumpLocalHash.
- Monitor for the creation or execution of unusual
.dllfiles such asThumbcacheService,TmcLoader, andTmcPayloadat relevant log sources. - Review network connection logs for outgoing SOCKS5 proxy connections initiated by unusual processes.
Detection coverage 2
Detect Mimikatz Execution
highDetects the execution of Mimikatz, a tool commonly used for credential dumping from LSASS. GoSerpent deploys Mimikatz for credential theft.
Detect QuarksDumpLocalHash Execution
highDetects the execution of QuarksDumpLocalHash, a tool used to extract local account password hashes from the SAM registry hive. GoSerpent deploys this tool for hash extraction.
Detection queries are available on the platform. Get full rules →