Summary Points
- Cyber actors have been deploying the sophisticated GoSerpent malware in Southeast Asia since late 2025, primarily targeting government and diplomatic entities for long-term espionage and credential dumping.
- The threat group utilizes an evolving toolkit—including proxies, remote access tools, and data exfiltration modules like ThumbcacheService and TmcPayload—to covertly collect, stage, and exfiltrate sensitive data.
- Similar targeted operations, exemplified by DoNot Team’s attack on Bangladesh’s military using spear-phishing with malicious macros, highlight advanced eavesdropping strategies leveraging encrypted communications, geofencing, and modular malware payloads.
Threat, Techniques, and Targets
Cybersecurity researchers found a new malware called GoSerpent. It has been attacking entities in Southeast Asia since late 2025. This malware targets government and diplomatic organizations. The main goal is to gather intelligence and keep long-term access.
GoSerpent works by connecting to an external server. It sends and receives commands that are encrypted with Base64 and AES. The malware can run various commands such as alerting the server of an infection, opening ports, connecting to other servers, and spawning shells. It can also upload and download files and set up SOCKS5 proxies.
The malware uses several tools to do its work. These include ThumbcacheService for data collection, Mimikatz for stealing credentials, and QuarksDumpLocalHash for extracting password hashes. Recent versions have added new tools like Stowaway, TmcLoader, and TmcPayload. These tools help exfiltrate data and give the attackers more control over infected systems.
The attacks have evolved over time. Since 2021, different versions of GoSerpent have been used. In May 2026, the attackers added new tools to improve their spying and data theft efforts.
Impact, Security Concerns, and Remediation
The malware poses serious security risks. It allows attackers to secretly monitor and steal sensitive information from government systems. The use of multiple tools and encrypted communications makes detection difficult. The attackers can also route traffic through infected hosts, hiding their location.
Because of the complex attacks, organizations should seek advice from security vendors or authorities for proper defense steps. If affected, organizations should update their security systems and investigate for signs of compromise. Immediate remediation guidance should be obtained from the relevant security vendors or authorities.
Expand Your Tech Knowledge
Dive deeper into the world of Cryptocurrency and its impact on global finance.
Access comprehensive resources on technology by visiting Wikipedia.
ThreatIntel-V1
