The GoSerpent campaign used Go-based RATs, proxy tools, and staged loaders to target government and diplomatic entities in Southeast Asia for long-term access, credential theft, and sensitive data exfiltration. In 2026, the threat actors evolved from GoSerpent and McMx to Stowaway and TmcLoader/TmcPayload, with the activity potentially linked to TetrisPhantom. #GoSerpent #Stowaway #TetrisPhantom #McMx #ThumbcacheService #TmcLoader #TmcPayload
Keypoints
- The campaign has been active since late 2025 and targeted government and diplomatic entities in Southeast Asia.
- GoSerpent is the primary Go-based backdoor, using encrypted command-line arguments and ChaCha20-based C2 communications.
- The attackers used GoSerpent to deploy ThumbcacheService for file collection and credential dumping tools such as Mimikatz and QuarksDumpLocalHash.
- ThumbcacheService collected documents, archived them with 7-Zip, and stored them in thumbcache_605a.db for later theft.
- In May 2026, the threat actor returned with Stowaway and the TmcLoader/TmcPayload chain to exfiltrate the collected data through network shares.
- The infrastructure relied on legitimate cloud providers and domain names as secret keys, increasing operational stealth.
- The activity shows deliberate tool integration and may be linked to the TetrisPhantom threat actor.
MITRE Techniques
- [T1090 ] Proxy â Used GoSerpent, McMx, and Stowaway to route traffic through compromised hosts and create chained proxy paths (âestablish SOCKS5 proxy servers to route traffic through compromised hostsâ, âproxy and remote access toolâ).
- [T1090.001 ] Internal Proxy â GoSerpent could start a SOCKS5 proxy on infected machines and forward traffic to other nodes (âStart a SOCKS5 proxy on the infected machineâ, âForward to a connected nodeâ).
- [T1021.001 ] Remote Services: RDP â Not explicitly named as RDP, but remote shell and remote access functionality enabled interactive remote control over infected hosts (âCreate a shell on the infected machineâ, âremote access toolâ).
- [T1059.003 ] Command and Scripting Interpreter: Windows Command Shell â Attackers manipulated batch files and used echo commands to generate configuration files (âmanipulate batch filesâ, âuse echo commands to create configuration filesâ).
- [T1105 ] Ingress Tool Transfer â GoSerpent and Stowaway were used to download and deploy additional malicious tools (âdownload and execute additional malware componentsâ, âdeliver two files to the victim machineâ).
- [T1005 ] Data from Local System â ThumbcacheService collected sensitive local documents and stored them for later exfiltration (âcollect sensitive filesâ, âstore them for future exfiltrationâ).
- [T1074.001 ] Data Staged: Local Data Staging â Collected files were archived into thumbcache_605a.db and held for later theft (âstore them for future exfiltrationâ, âarchived using 7-Zipâ).
- [T1560.001 ] Archive Collected Data: Archive via Utility â ThumbcacheService used 7-Zip to compress stolen documents (âThe targeted files are then archived using 7-Zipâ).
- [T1003.001 ] OS Credential Dumping: LSASS Memory â Mimikatz dumped LSASS memory to obtain cached credentials and Kerberos tickets (âdumps memory from the LSASS processâ).
- [T1003.002 ] OS Credential Dumping: Security Account Manager â QuarksDumpLocalHash extracted password hashes from the SAM hive (âextracts local account password hashes from the SAM registry hiveâ).
- [T1027 ] Obfuscated Files or Information â Multiple components used encryption and obfuscation for strings, configs, and arguments (âencrypted and base64-encoded command-line argumentsâ, âXOR encryption for string obfuscationâ).
- [T1562.001 ] Impair Defenses: Disable or Modify Tools â The malware used legitimate-looking filenames and stealthy service registration to evade detection (âfilenames that mimic legitimate system processesâ, âregistered as a Windows serviceâ).
- [T1543.003 ] Create or Modify System Process: Windows Service â ThumbcacheService and TmcLoader were deployed as Windows services (âdeployed as a Windows serviceâ, âregistered as a Windows serviceâ).
- [T1071.001 ] Application Layer Protocol: Web Protocols â Stowaway communicated over HTTP and WebSocket channels (âCommunications are transported over TCP, HTTP, or WebSocket channelsâ).
- [T1071.004 ] Application Layer Protocol: DNS â No DNS abuse was explicitly described; not included.
- [T1041 ] Exfiltration Over C2 Channel â TmcPayload exfiltrated data using configured network-share credentials and destination paths (âtransfers the exact same thumbcache_605a.dbâ).
- [T1021.002 ] Remote Services: SMB/Windows Admin Shares â The final exfiltration relied on network shared drives and network-share credentials (âexfiltration through network shared drivesâ, ânetwork share credentials and destination pathsâ).
- [T1106 ] Native API â TmcLoader used dynamic API resolution to hide API names (âdynamic API resolutionâ).
Indicators of Compromise
- malware sample hashes â GoSerpent: EBFFD5A76AAA690BCDB922F82E0BACC5DC506FF7BB72735444FB3703A6BEE6D8, McMx: D6E86BF8A90E9B632ADD5FA495F97FBC, and 3 more hashes
- C2 infrastructure â 152.32.160[.]239, 8.220.194[.]108, and 10 more IPs
- staged data and payloads â thumbcache_605a.db, {BBF061R2-BE25-4F6D-8B2D-1A6A39C3FSA2}.db, and other related service/configuration files
- secret-key or infrastructure domains â www.microsoft.com, www.spacex.com, and github.code
- deployed tools and modules â GoSerpent, McMx, ThumbcacheService, Stowaway, TmcLoader, TmcPayload, Mimikatz, and QuarksDumpLocalHash
Read more: https://securelist.com/goserpent-backdoor-in-southeast-asia/120687/