Skip to content
Threat Feed
high advisory

New GoSerpent Malware Targets Southeast Asian Governments and Diplomats for Espionage

A sophisticated Go-based implant, dubbed GoSerpent, has been utilized by an unidentified threat actor since late 2025 to conduct cyber espionage against government and diplomatic entities in Southeast Asia, focusing on long-term access, sensitive data collection, and credential dumping for exfiltration.

Since late 2025, a previously undocumented Go-based malware named GoSerpent has been actively targeting government and diplomatic entities across Southeast Asia. Discovered by Kaspersky in February 2026, this advanced persistent threat is designed for long-term access and intelligence gathering, evolving its toolset as recently as May 2026. The primary objective of the campaign is espionage, involving the collection of sensitive data, credential dumping, and subsequent exfiltration. The malware functions by receiving encrypted and Base64-encoded command-and-control (C2) details via command-line arguments, establishing secure communication, and deploying a variety of specialized tools. These tools include ThumbcacheService for sophisticated file collection, Mimikatz and QuarksDumpLocalHash for credential theft, and Stowaway and TmcPayload for advanced proxying, remote access, and data exfiltration, indicating a highly organized and stealthy operation.

Attack Chain

  1. Initial Compromise and GoSerpent Deployment: Unspecified initial access methods are used to deploy the GoSerpent implant onto target systems.
  2. C2 Communication Establishment: Upon execution, GoSerpent receives encrypted and Base64-encoded command-line arguments containing the C2 address and a communication password. It decrypts these arguments and establishes an encrypted connection to the C2 server, using the SHA256 hash of the communication password as the encryption key.
  3. Command Execution and Tool Deployment: GoSerpent receives commands from the C2 server, enabling it to spawn shells, transfer files, and deploy secondary malicious tools like ThumbcacheService, Mimikatz, and QuarksDumpLocalHash.
  4. Credential Dumping: The threat actor deploys Mimikatz to extract credential material from the Local Security Authority Subsystem Service (LSASS) process and QuarksDumpLocalHash to retrieve local account password hashes from the Security Account Manager (SAM) registry hive.
  5. Data Collection: ThumbcacheService, a malicious DLL, is used to identify and collect sensitive files from the compromised system, preparing them for exfiltration.
  6. SOCKS5 Proxy for Network Access: GoSerpent establishes SOCKS5 proxy servers on compromised hosts, allowing attackers to route traffic, access other internal networks, and mask their true IP addresses.
  7. Re-engagement and Advanced Tooling: In May 2026, the threat actor re-engages with compromised environments, deploying evolved tools including Stowaway (a comprehensive proxy and remote access tool), TmcLoader (a C++ loader), and TmcPayload.
  8. Final Data Exfiltration: TmcPayload is executed to exfiltrate the previously collected sensitive data from the victim's machine, often leveraging network shared drives.

Impact

The impact of the GoSerpent campaign is significant, primarily focusing on cyber espionage against government and diplomatic entities in Southeast Asia. Successful attacks lead to long-term unauthorized access to sensitive systems, extensive intelligence gathering, and the theft of critical government and diplomatic information. The compromise involves credential dumping, allowing attackers to escalate privileges and move laterally within the network. The exfiltration of sensitive files poses a severe risk of national security breaches, diplomatic incidents, and loss of classified information. Although specific victim counts are not provided, the targeting of such high-value entities indicates a potential for severe strategic and operational damage.

Recommendation

  • Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect credential dumping activities.
  • Enable Sysmon process-creation logging to capture executions of tools like Mimikatz and QuarksDumpLocalHash.
  • Monitor for the creation or execution of unusual .dll files such as ThumbcacheService, TmcLoader, and TmcPayload at relevant log sources.
  • Review network connection logs for outgoing SOCKS5 proxy connections initiated by unusual processes.

Detection coverage 2

Detect Mimikatz Execution

high

Detects the execution of Mimikatz, a tool commonly used for credential dumping from LSASS. GoSerpent deploys Mimikatz for credential theft.

sigma tactics: credential_access techniques: T1003.001, T1003.002 sources: process_creation, windows

Detect QuarksDumpLocalHash Execution

high

Detects the execution of QuarksDumpLocalHash, a tool used to extract local account password hashes from the SAM registry hive. GoSerpent deploys this tool for hash extraction.

sigma tactics: credential_access techniques: T1003.002 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →