GoSerpent backdoor attacks in Southeast Asia
Essential information
- Published
- 16/07/2026 18:15
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- credential dumping data exfiltration diplomatic entities goserpent government targeting mcmx mimikatz proxy capabilities quarksdumplocalhash southeast asia stowaway thumbcacheservice tmcloader tmcpayload
- Related entities
- 2 indicators, 2 observables, 1 intrusion sets (apt), 20 techniques (mitre), 8 malware
Description
Since late 2025, government and diplomatic entities in Southeast Asia have been targeted by sophisticated attacks involving GoSerpent, a Go-based RAT with proxy capabilities. The malware receives encrypted arguments and deploys additional tools for data collection and credential dumping. GoSerpent has been active since 2021, with newer variants using AES-CBC encryption and ChaCha20 for communications. The campaign involves multiple stages: initial deployment of GoSerpent and ThumbcacheService to collect sensitive files, credential dumping via Mimikatz and QuarksDumpLocalHash, followed by deployment of Stowaway RAT in May 2026 and TmcLoader/TmcPayload for stealthy data exfiltration through network shares. The integrated toolset demonstrates sophisticated operational planning, with attackers leveraging Alibaba Cloud and UCLOUD HK infrastructure while exhibiting possible connections to the TetrisPhantom threat actor.