GoSerpent backdoor attacks in Southeast Asia
Since late 2025, government and diplomatic entities in Southeast Asia have been targeted by sophisticated attacks involving GoSerpent, a Go-based remote access trojan (RAT) with proxy capabilities. The malware uses encrypted communications and deploys multiple tools for data collection and credential dumping. The campaign includes several stages, such as initial deployment of GoSerpent and ThumbcacheService for file collection, credential dumping using Mimikatz and QuarksDumpLocalHash, and later deployment of Stowaway RAT and TmcLoader/TmcPayload for stealthy data exfiltration via network shares. The attackers leverage cloud infrastructure and are possibly linked to the TetrisPhantom threat actor. No specific software versions are affected, and no patches are available as this is malware rather than a software vulnerability.
AI Analysis
Technical Summary
The GoSerpent backdoor campaign targets government and diplomatic entities in Southeast Asia using a multi-stage attack involving a Go-based RAT with proxy capabilities. Active since 2021, newer variants use AES-CBC and ChaCha20 encryption for communications. The attack chain includes deploying GoSerpent and ThumbcacheService for sensitive file collection, credential dumping via Mimikatz and QuarksDumpLocalHash, followed by deployment of Stowaway RAT and TmcLoader/TmcPayload for covert data exfiltration through network shares. The operation demonstrates sophisticated planning and infrastructure use, including Alibaba Cloud and UCLOUD HK, with possible attribution to the TetrisPhantom threat actor. This is a malware campaign, not a software vulnerability, and no patches apply.
Potential Impact
The campaign enables attackers to collect sensitive files, dump credentials, and exfiltrate data stealthily from targeted government and diplomatic networks in Southeast Asia. The use of multiple tools and encrypted communications increases the difficulty of detection and mitigation. The compromise of credentials and sensitive data can lead to significant operational and intelligence losses for affected entities.
Mitigation Recommendations
As this is a malware campaign rather than a software vulnerability, no patches or official fixes exist. Organizations should focus on detection and response measures tailored to the indicators of compromise associated with GoSerpent and related tools. Monitoring for the provided hashes and IP addresses, restricting use of network shares, and employing endpoint detection solutions capable of identifying credential dumping and proxy RAT activity are recommended. Review the referenced vendor advisory for detailed detection and response guidance. Patch status is not applicable.
Indicators of Compromise
- hash: ebffd5a76aaa690bcdb922f82e0bacc5
- hash: dc506ff7bb72735444fb3703a6bee6d8
- hash: d6e86bf8a90e9b632add5fa495f97fbc
- hash: cb6c4c70a3b171fa3404b8e1a3382116
- hash: 64e9d1950e42bc98486dfd9919463d1c
- hash: cbbb6d483737ea3566726e51752dff40
- hash: 7f223ee0716ce2ad56f55d3744419449
- hash: 19f8befcb035f52bf70094e6b4f5779a
- hash: 846ef7c1c7323849b2a778c5e4cda162
- hash: d08a059e8b815e3b891505bc8777fc28
- hash: 93a1569d5d5ab2c4761fedf84f83709e
- ip: 144.48.6.46
- ip: 103.138.13.30
- hash: 31323334353637383930616263646566
GoSerpent backdoor attacks in Southeast Asia
Description
Since late 2025, government and diplomatic entities in Southeast Asia have been targeted by sophisticated attacks involving GoSerpent, a Go-based remote access trojan (RAT) with proxy capabilities. The malware uses encrypted communications and deploys multiple tools for data collection and credential dumping. The campaign includes several stages, such as initial deployment of GoSerpent and ThumbcacheService for file collection, credential dumping using Mimikatz and QuarksDumpLocalHash, and later deployment of Stowaway RAT and TmcLoader/TmcPayload for stealthy data exfiltration via network shares. The attackers leverage cloud infrastructure and are possibly linked to the TetrisPhantom threat actor. No specific software versions are affected, and no patches are available as this is malware rather than a software vulnerability.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The GoSerpent backdoor campaign targets government and diplomatic entities in Southeast Asia using a multi-stage attack involving a Go-based RAT with proxy capabilities. Active since 2021, newer variants use AES-CBC and ChaCha20 encryption for communications. The attack chain includes deploying GoSerpent and ThumbcacheService for sensitive file collection, credential dumping via Mimikatz and QuarksDumpLocalHash, followed by deployment of Stowaway RAT and TmcLoader/TmcPayload for covert data exfiltration through network shares. The operation demonstrates sophisticated planning and infrastructure use, including Alibaba Cloud and UCLOUD HK, with possible attribution to the TetrisPhantom threat actor. This is a malware campaign, not a software vulnerability, and no patches apply.
Potential Impact
The campaign enables attackers to collect sensitive files, dump credentials, and exfiltrate data stealthily from targeted government and diplomatic networks in Southeast Asia. The use of multiple tools and encrypted communications increases the difficulty of detection and mitigation. The compromise of credentials and sensitive data can lead to significant operational and intelligence losses for affected entities.
Mitigation Recommendations
As this is a malware campaign rather than a software vulnerability, no patches or official fixes exist. Organizations should focus on detection and response measures tailored to the indicators of compromise associated with GoSerpent and related tools. Monitoring for the provided hashes and IP addresses, restricting use of network shares, and employing endpoint detection solutions capable of identifying credential dumping and proxy RAT activity are recommended. Review the referenced vendor advisory for detailed detection and response guidance. Patch status is not applicable.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://securelist.com/goserpent-backdoor-in-southeast-asia/120687/"]
- Adversary
- TetrisPhantom
- Pulse Id
- 6a590384cb730e14eaafeac5
- Threat Score
- null
Indicators of Compromise
Hash
| Value | Description | Copy |
|---|---|---|
hashebffd5a76aaa690bcdb922f82e0bacc5 | — | |
hashdc506ff7bb72735444fb3703a6bee6d8 | — | |
hashd6e86bf8a90e9b632add5fa495f97fbc | — | |
hashcb6c4c70a3b171fa3404b8e1a3382116 | — | |
hash64e9d1950e42bc98486dfd9919463d1c | — | |
hashcbbb6d483737ea3566726e51752dff40 | — | |
hash7f223ee0716ce2ad56f55d3744419449 | — | |
hash19f8befcb035f52bf70094e6b4f5779a | — | |
hash846ef7c1c7323849b2a778c5e4cda162 | — | |
hashd08a059e8b815e3b891505bc8777fc28 | — | |
hash93a1569d5d5ab2c4761fedf84f83709e | — | |
hash31323334353637383930616263646566 | — |
Ip
| Value | Description | Copy |
|---|---|---|
ip144.48.6.46 | — | |
ip103.138.13.30 | — |
Threat ID: 6a59782068715ace4305c156
Added to database: 07/17/2026, 00:32:32 UTC
Last enriched: 07/17/2026, 00:49:25 UTC
Last updated: 07/17/2026, 01:45:14 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.