216.73.217.19

GoSerpent backdoor attacks in Southeast Asia

· Published 16/07/2026 18:15

Export JSON

Essential information

Published
16/07/2026 18:15
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
credential dumping data exfiltration diplomatic entities goserpent government targeting mcmx mimikatz proxy capabilities quarksdumplocalhash southeast asia stowaway thumbcacheservice tmcloader tmcpayload
Related entities
2 indicators, 2 observables, 1 intrusion sets (apt), 20 techniques (mitre), 8 malware

Description

Since late 2025, government and diplomatic entities in have been targeted by sophisticated attacks involving GoSerpent, a Go-based RAT with proxy capabilities. The malware receives encrypted arguments and deploys additional tools for data collection and . GoSerpent has been active since 2021, with newer variants using AES-CBC encryption and ChaCha20 for communications. The campaign involves multiple stages: initial deployment of GoSerpent and ThumbcacheService to collect sensitive files, via and QuarksDumpLocalHash, followed by deployment of RAT in May 2026 and TmcLoader/TmcPayload for stealthy through network shares. The integrated toolset demonstrates sophisticated operational planning, with attackers leveraging Alibaba Cloud and UCLOUD HK infrastructure while exhibiting possible connections to the TetrisPhantom threat actor.

External references