Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

GoSerpent backdoor attacks in Southeast Asia

0
Medium
Published: 07/16/2026 (07/16/2026, 16:15:00 UTC)
Source: AlienVault OTX General

Description

Since late 2025, government and diplomatic entities in Southeast Asia have been targeted by sophisticated attacks involving GoSerpent, a Go-based remote access trojan (RAT) with proxy capabilities. The malware uses encrypted communications and deploys multiple tools for data collection and credential dumping. The campaign includes several stages, such as initial deployment of GoSerpent and ThumbcacheService for file collection, credential dumping using Mimikatz and QuarksDumpLocalHash, and later deployment of Stowaway RAT and TmcLoader/TmcPayload for stealthy data exfiltration via network shares. The attackers leverage cloud infrastructure and are possibly linked to the TetrisPhantom threat actor. No specific software versions are affected, and no patches are available as this is malware rather than a software vulnerability.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/17/2026, 00:49:25 UTC

Technical Analysis

The GoSerpent backdoor campaign targets government and diplomatic entities in Southeast Asia using a multi-stage attack involving a Go-based RAT with proxy capabilities. Active since 2021, newer variants use AES-CBC and ChaCha20 encryption for communications. The attack chain includes deploying GoSerpent and ThumbcacheService for sensitive file collection, credential dumping via Mimikatz and QuarksDumpLocalHash, followed by deployment of Stowaway RAT and TmcLoader/TmcPayload for covert data exfiltration through network shares. The operation demonstrates sophisticated planning and infrastructure use, including Alibaba Cloud and UCLOUD HK, with possible attribution to the TetrisPhantom threat actor. This is a malware campaign, not a software vulnerability, and no patches apply.

Potential Impact

The campaign enables attackers to collect sensitive files, dump credentials, and exfiltrate data stealthily from targeted government and diplomatic networks in Southeast Asia. The use of multiple tools and encrypted communications increases the difficulty of detection and mitigation. The compromise of credentials and sensitive data can lead to significant operational and intelligence losses for affected entities.

Mitigation Recommendations

As this is a malware campaign rather than a software vulnerability, no patches or official fixes exist. Organizations should focus on detection and response measures tailored to the indicators of compromise associated with GoSerpent and related tools. Monitoring for the provided hashes and IP addresses, restricting use of network shares, and employing endpoint detection solutions capable of identifying credential dumping and proxy RAT activity are recommended. Review the referenced vendor advisory for detailed detection and response guidance. Patch status is not applicable.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://securelist.com/goserpent-backdoor-in-southeast-asia/120687/"]
Adversary
TetrisPhantom
Pulse Id
6a590384cb730e14eaafeac5
Threat Score
null

Indicators of Compromise

Hash

ValueDescriptionCopy
hashebffd5a76aaa690bcdb922f82e0bacc5
hashdc506ff7bb72735444fb3703a6bee6d8
hashd6e86bf8a90e9b632add5fa495f97fbc
hashcb6c4c70a3b171fa3404b8e1a3382116
hash64e9d1950e42bc98486dfd9919463d1c
hashcbbb6d483737ea3566726e51752dff40
hash7f223ee0716ce2ad56f55d3744419449
hash19f8befcb035f52bf70094e6b4f5779a
hash846ef7c1c7323849b2a778c5e4cda162
hashd08a059e8b815e3b891505bc8777fc28
hash93a1569d5d5ab2c4761fedf84f83709e
hash31323334353637383930616263646566

Ip

ValueDescriptionCopy
ip144.48.6.46
ip103.138.13.30

Threat ID: 6a59782068715ace4305c156

Added to database: 07/17/2026, 00:32:32 UTC

Last enriched: 07/17/2026, 00:49:25 UTC

Last updated: 07/17/2026, 01:45:14 UTC

Views: 4

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses