<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Southeast-Asia - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/southeast-asia/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 16 Jul 2026 12:11:13 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/southeast-asia/feed.xml" rel="self" type="application/rss+xml"/><item><title>GoSerpent Backdoor and Stowaway RAT Target Government Entities in Southeast Asia for Data Exfiltration</title><link>https://feed.craftedsignal.io/briefs/2026-07-goserpent-backdoor-southeast-asia/</link><pubDate>Thu, 16 Jul 2026 12:11:13 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-goserpent-backdoor-southeast-asia/</guid><description>An unnamed threat actor is deploying a sophisticated two-phase attack, utilizing the GoSerpent backdoor, Stowaway RAT, and custom tools like ThumbcacheService and TmcLoader/TmcPayload, to persistently collect sensitive data and credentials from government and diplomatic entities in Southeast Asia for exfiltration.</description><content:encoded><![CDATA[<p>Since late 2025, an unnamed threat actor has been conducting a persistent, two-phase campaign targeting government and diplomatic organizations in Southeast Asia. The initial phase leverages the GoSerpent backdoor, a Go-based remote access Trojan first observed in 2021, which utilizes encrypted command-line arguments for C2 communication and masquerades as legitimate processes (<code>lass.exe</code>, <code>updates.exe</code>). GoSerpent is used to deploy additional tools, including a data collection utility named ThumbcacheService, and credential dumping tools like Mimikatz and QuarksDumpLocalHash. After several weeks of data and credential collection, a second phase begins, involving the deployment of the Stowaway RAT and the TmcLoader/TmcPayload module for stealthy, automated data exfiltration through network shares. This sophisticated operation demonstrates a high level of planning and technical capability focused on long-term data theft.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Deployment</strong>: The GoSerpent backdoor, a Go-based remote access Trojan, is deployed on target systems. This variant receives encrypted and base64-encoded command-line arguments containing C2 server addresses and communication passwords.</li>
<li><strong>Persistence and Tool Delivery</strong>: GoSerpent establishes persistence by using filenames that mimic legitimate system processes (e.g., <code>lass.exe</code>, <code>updates.exe</code>) and is then used to deploy secondary malicious tools.</li>
<li><strong>Data Collection Setup</strong>: GoSerpent deploys <code>ThumbcacheService</code>, a malicious DLL registered as a Windows service. This service collects <code>.doc</code>, <code>.docx</code>, <code>.pdf</code>, <code>.xls</code>, and <code>.xlsx</code> files, archives them with 7-Zip using a specific password (<code>@vx0a9n5W2M0c3D6.#</code>), and stores them in <code>C:\Users\Public\thumbcache_605a.db</code>.</li>
<li><strong>Credential Dumping</strong>: Concurrently, GoSerpent deploys credential dumping tools such as Mimikatz and QuarksDumpLocalHash to extract cached credentials from LSASS and local account password hashes from the SAM registry hive.</li>
<li><strong>Second Stage RAT Deployment</strong>: After a period of data collection, the actor deploys <code>Stowaway</code>, another Go-based RAT and proxy tool, which supports SOCKS5 proxying, port forwarding, and remote shell access via TCP, HTTP, or WebSocket, encrypted with AES-256-GCM or TLS.</li>
<li><strong>Exfiltration Module Delivery</strong>: <code>Stowaway</code> delivers <code>TmcLoader</code> (a C++ loader registered as a Windows service) and an encrypted configuration file <code>{BBF061R2-BE25-4F6D-8B2D-1A6A39C3FSA2}.db</code> to the victim machine.</li>
<li><strong>Payload Injection</strong>: <code>TmcLoader</code> decrypts an embedded payload, <code>TmcPayload</code>, and injects it into the memory space of <code>svchost.exe</code> to maintain persistence and evade detection.</li>
<li><strong>Automated Data Exfiltration</strong>: <code>TmcPayload</code> uses the previously collected credentials to access a network share and exfiltrate the sensitive archived data collected by <code>ThumbcacheService</code>.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The impact of these attacks includes significant data breaches, specifically the theft of sensitive documents (Microsoft Office files, PDFs) and system credentials from government and diplomatic entities in Southeast Asia. This persistent threat model allows the actor to establish long-term access, continuously collect intelligence, and exfiltrate information over an extended period. Successful compromise could lead to espionage, loss of intellectual property, and compromise of critical government operations, potentially affecting national security and international relations for victim countries.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rules in this brief to your SIEM and tune for your environment.</li>
<li>Enable Sysmon event logging for process creation (<code>Event ID 1</code>), file creation (<code>Event ID 11</code>), and registry modifications (<code>Event ID 12/13/14</code>) to activate the rules above.</li>
<li>Monitor for the creation of <code>ThumbcacheService</code> and <code>TmcLoader</code> as new Windows services using the <code>Detect GoSerpent Related Service Creation</code> rule.</li>
<li>Monitor for the creation of unique database files <code>thumbcache_605a.db</code> and <code>{BBF061R2-BE25-4F6D-8B2D-1A6A39C3FSA2}.db</code> in <code>C:\Users\Public\</code> and <code>C:\Users\Public\Libraries\</code> as detected by the <code>Detect GoSerpent Related Database File Creation</code> rule.</li>
<li>Implement strong application whitelisting and monitor for the execution of known credential dumping tools like Mimikatz or QuarksDumpLocalHash, as detected by the <code>Detect GoSerpent Credential Dumping Tools Execution</code> rule.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>backdoor</category><category>rat</category><category>data-exfiltration</category><category>government</category><category>southeast-asia</category></item></channel></rss>