{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/southeast-asia/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["backdoor","rat","data-exfiltration","government","southeast-asia"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSince late 2025, an unnamed threat actor has been conducting a persistent, two-phase campaign targeting government and diplomatic organizations in Southeast Asia. The initial phase leverages the GoSerpent backdoor, a Go-based remote access Trojan first observed in 2021, which utilizes encrypted command-line arguments for C2 communication and masquerades as legitimate processes (\u003ccode\u003elass.exe\u003c/code\u003e, \u003ccode\u003eupdates.exe\u003c/code\u003e). GoSerpent is used to deploy additional tools, including a data collection utility named ThumbcacheService, and credential dumping tools like Mimikatz and QuarksDumpLocalHash. After several weeks of data and credential collection, a second phase begins, involving the deployment of the Stowaway RAT and the TmcLoader/TmcPayload module for stealthy, automated data exfiltration through network shares. This sophisticated operation demonstrates a high level of planning and technical capability focused on long-term data theft.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Deployment\u003c/strong\u003e: The GoSerpent backdoor, a Go-based remote access Trojan, is deployed on target systems. This variant receives encrypted and base64-encoded command-line arguments containing C2 server addresses and communication passwords.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence and Tool Delivery\u003c/strong\u003e: GoSerpent establishes persistence by using filenames that mimic legitimate system processes (e.g., \u003ccode\u003elass.exe\u003c/code\u003e, \u003ccode\u003eupdates.exe\u003c/code\u003e) and is then used to deploy secondary malicious tools.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Collection Setup\u003c/strong\u003e: GoSerpent deploys \u003ccode\u003eThumbcacheService\u003c/code\u003e, a malicious DLL registered as a Windows service. This service collects \u003ccode\u003e.doc\u003c/code\u003e, \u003ccode\u003e.docx\u003c/code\u003e, \u003ccode\u003e.pdf\u003c/code\u003e, \u003ccode\u003e.xls\u003c/code\u003e, and \u003ccode\u003e.xlsx\u003c/code\u003e files, archives them with 7-Zip using a specific password (\u003ccode\u003e@vx0a9n5W2M0c3D6.#\u003c/code\u003e), and stores them in \u003ccode\u003eC:\\Users\\Public\\thumbcache_605a.db\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Dumping\u003c/strong\u003e: Concurrently, GoSerpent deploys credential dumping tools such as Mimikatz and QuarksDumpLocalHash to extract cached credentials from LSASS and local account password hashes from the SAM registry hive.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSecond Stage RAT Deployment\u003c/strong\u003e: After a period of data collection, the actor deploys \u003ccode\u003eStowaway\u003c/code\u003e, another Go-based RAT and proxy tool, which supports SOCKS5 proxying, port forwarding, and remote shell access via TCP, HTTP, or WebSocket, encrypted with AES-256-GCM or TLS.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration Module Delivery\u003c/strong\u003e: \u003ccode\u003eStowaway\u003c/code\u003e delivers \u003ccode\u003eTmcLoader\u003c/code\u003e (a C++ loader registered as a Windows service) and an encrypted configuration file \u003ccode\u003e{BBF061R2-BE25-4F6D-8B2D-1A6A39C3FSA2}.db\u003c/code\u003e to the victim machine.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Injection\u003c/strong\u003e: \u003ccode\u003eTmcLoader\u003c/code\u003e decrypts an embedded payload, \u003ccode\u003eTmcPayload\u003c/code\u003e, and injects it into the memory space of \u003ccode\u003esvchost.exe\u003c/code\u003e to maintain persistence and evade detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAutomated Data Exfiltration\u003c/strong\u003e: \u003ccode\u003eTmcPayload\u003c/code\u003e uses the previously collected credentials to access a network share and exfiltrate the sensitive archived data collected by \u003ccode\u003eThumbcacheService\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of these attacks includes significant data breaches, specifically the theft of sensitive documents (Microsoft Office files, PDFs) and system credentials from government and diplomatic entities in Southeast Asia. This persistent threat model allows the actor to establish long-term access, continuously collect intelligence, and exfiltrate information over an extended period. Successful compromise could lead to espionage, loss of intellectual property, and compromise of critical government operations, potentially affecting national security and international relations for victim countries.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon event logging for process creation (\u003ccode\u003eEvent ID 1\u003c/code\u003e), file creation (\u003ccode\u003eEvent ID 11\u003c/code\u003e), and registry modifications (\u003ccode\u003eEvent ID 12/13/14\u003c/code\u003e) to activate the rules above.\u003c/li\u003e\n\u003cli\u003eMonitor for the creation of \u003ccode\u003eThumbcacheService\u003c/code\u003e and \u003ccode\u003eTmcLoader\u003c/code\u003e as new Windows services using the \u003ccode\u003eDetect GoSerpent Related Service Creation\u003c/code\u003e rule.\u003c/li\u003e\n\u003cli\u003eMonitor for the creation of unique database files \u003ccode\u003ethumbcache_605a.db\u003c/code\u003e and \u003ccode\u003e{BBF061R2-BE25-4F6D-8B2D-1A6A39C3FSA2}.db\u003c/code\u003e in \u003ccode\u003eC:\\Users\\Public\\\u003c/code\u003e and \u003ccode\u003eC:\\Users\\Public\\Libraries\\\u003c/code\u003e as detected by the \u003ccode\u003eDetect GoSerpent Related Database File Creation\u003c/code\u003e rule.\u003c/li\u003e\n\u003cli\u003eImplement strong application whitelisting and monitor for the execution of known credential dumping tools like Mimikatz or QuarksDumpLocalHash, as detected by the \u003ccode\u003eDetect GoSerpent Credential Dumping Tools Execution\u003c/code\u003e rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T12:11:13Z","date_published":"2026-07-16T12:11:13Z","id":"https://feed.craftedsignal.io/briefs/2026-07-goserpent-backdoor-southeast-asia/","summary":"An unnamed threat actor is deploying a sophisticated two-phase attack, utilizing the GoSerpent backdoor, Stowaway RAT, and custom tools like ThumbcacheService and TmcLoader/TmcPayload, to persistently collect sensitive data and credentials from government and diplomatic entities in Southeast Asia for exfiltration.","title":"GoSerpent Backdoor and Stowaway RAT Target Government Entities in Southeast Asia for Data Exfiltration","url":"https://feed.craftedsignal.io/briefs/2026-07-goserpent-backdoor-southeast-asia/"}],"language":"en","title":"CraftedSignal Threat Feed - Southeast-Asia","version":"https://jsonfeed.org/version/1.1"}