New Go backdoor quietly steals government secrets across Southeast Asia

Researchers have uncovered a long running espionage campaign that used a custom Go based backdoor, dubbed GoSerpent, to quietly steal documents from government and diplomatic organizations across Southeast Asia. The operation, detailed by Kaspersky researcher Noushin Shabab in the original report on Securelist, shows an attacker patiently collecting sensitive files for months before spiriting them out of victim networks.

The activity is not new. Kaspersky says earlier, simpler versions of GoSerpent date back to at least 2021, but the group refreshed its toolkit in late 2025 and returned again in May 2026 with stealthier malware, a sign of a well resourced actor focused on long term access rather than a quick smash and grab.

How the attack works

GoSerpent is a remote access trojan written in Go that receives an encrypted, base64 encoded configuration containing its command and control address and a password. It talks to its operators over ChaCha20 encrypted channels and can open a remote shell, transfer files, and stand up a SOCKS5 proxy on the infected machine, letting the attackers tunnel deeper into a network while hiding their real location. To blend in, the malware masquerades as ordinary Windows processes with filenames like lass.exe and updates.exe.

Once inside, the operators wait. GoSerpent drops a file harvesting tool the researchers call ThumbcacheService, which quietly copies Word, Excel and PDF documents into an encrypted, password protected archive and even watches the Recycle Bin for deleted files of interest. Credential theft tools including Mimikatz and a local password hash dumper run alongside it to grab the logins the attackers will later need. Only weeks afterward does a second stage tool, delivered through an open source proxy framework called Stowaway, use those stolen credentials to push the collected archive out over a network share.

Who is behind it

Attribution is not settled. Kaspersky notes technical and targeting overlaps that point to a possible link with TetrisPhantom, a group known for espionage against government entities in the region, but stops short of a firm connection and calls for further investigation. The campaign's careful tool integration, its use of legitimate cloud hosting from Alibaba Cloud and UCLOUD HK, and its multi month dwell time all point to a capable, intelligence driven operator. The focus on diplomatic bodies fits a wider pattern of state aligned espionage against Southeast Asian governments that IntelFusions has tracked, including a separate backdoor campaign against regional energy and government networks.

Indicators of compromise

Defenders can hunt for the following defanged indicators. GoSerpent C2 servers: 152[.]32[.]160[.]239, 8[.]220[.]194[.]108 and 103[.]138[.]13[.]30. GoSerpent sample hashes (MD5): EBFFD5A76AAA690BCDB922F82E0BACC5 and DC506FF7BB72735444FB3703A6BEE6D8. Watch for suspicious services impersonating system processes, unexpected SOCKS5 proxy activity, and password protected archives appearing in public user directories.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Detection coverage

Read the full analysis on IntelFusions