GoSerpent: a persistent threat evolves with sophisticated data collection and exfiltration

GoSerpent: a persistent threat evolves with sophisticated data collection and exfiltration
The GoSerpent campaign used Go-based RATs, proxy tools, and staged loaders to target government and diplomatic entities in Southeast Asia for long-term access, credential theft, and sensitive data exfiltration. In 2026, the threat actors evolved from GoSerpent and McMx to Stowaway and TmcLoader/TmcPayload, with the activity potentially linked to TetrisPhantom. #GoSerpent #Stowaway #TetrisPhantom #McMx #ThumbcacheService #TmcLoader #TmcPayload

Keypoints

  • The campaign has been active since late 2025 and targeted government and diplomatic entities in Southeast Asia.
  • GoSerpent is the primary Go-based backdoor, using encrypted command-line arguments and ChaCha20-based C2 communications.
  • The attackers used GoSerpent to deploy ThumbcacheService for file collection and credential dumping tools such as Mimikatz and QuarksDumpLocalHash.
  • ThumbcacheService collected documents, archived them with 7-Zip, and stored them in thumbcache_605a.db for later theft.
  • In May 2026, the threat actor returned with Stowaway and the TmcLoader/TmcPayload chain to exfiltrate the collected data through network shares.
  • The infrastructure relied on legitimate cloud providers and domain names as secret keys, increasing operational stealth.
  • The activity shows deliberate tool integration and may be linked to the TetrisPhantom threat actor.

MITRE Techniques

  • [T1090 ] Proxy – Used GoSerpent, McMx, and Stowaway to route traffic through compromised hosts and create chained proxy paths (‘establish SOCKS5 proxy servers to route traffic through compromised hosts’, ‘proxy and remote access tool’).
  • [T1090.001 ] Internal Proxy – GoSerpent could start a SOCKS5 proxy on infected machines and forward traffic to other nodes (‘Start a SOCKS5 proxy on the infected machine’, ‘Forward to a connected node’).
  • [T1021.001 ] Remote Services: RDP – Not explicitly named as RDP, but remote shell and remote access functionality enabled interactive remote control over infected hosts (‘Create a shell on the infected machine’, ‘remote access tool’).
  • [T1059.003 ] Command and Scripting Interpreter: Windows Command Shell – Attackers manipulated batch files and used echo commands to generate configuration files (‘manipulate batch files’, ‘use echo commands to create configuration files’).
  • [T1105 ] Ingress Tool Transfer – GoSerpent and Stowaway were used to download and deploy additional malicious tools (‘download and execute additional malware components’, ‘deliver two files to the victim machine’).
  • [T1005 ] Data from Local System – ThumbcacheService collected sensitive local documents and stored them for later exfiltration (‘collect sensitive files’, ‘store them for future exfiltration’).
  • [T1074.001 ] Data Staged: Local Data Staging – Collected files were archived into thumbcache_605a.db and held for later theft (‘store them for future exfiltration’, ‘archived using 7-Zip’).
  • [T1560.001 ] Archive Collected Data: Archive via Utility – ThumbcacheService used 7-Zip to compress stolen documents (‘The targeted files are then archived using 7-Zip’).
  • [T1003.001 ] OS Credential Dumping: LSASS Memory – Mimikatz dumped LSASS memory to obtain cached credentials and Kerberos tickets (‘dumps memory from the LSASS process’).
  • [T1003.002 ] OS Credential Dumping: Security Account Manager – QuarksDumpLocalHash extracted password hashes from the SAM hive (‘extracts local account password hashes from the SAM registry hive’).
  • [T1027 ] Obfuscated Files or Information – Multiple components used encryption and obfuscation for strings, configs, and arguments (‘encrypted and base64-encoded command-line arguments’, ‘XOR encryption for string obfuscation’).
  • [T1562.001 ] Impair Defenses: Disable or Modify Tools – The malware used legitimate-looking filenames and stealthy service registration to evade detection (‘filenames that mimic legitimate system processes’, ‘registered as a Windows service’).
  • [T1543.003 ] Create or Modify System Process: Windows Service – ThumbcacheService and TmcLoader were deployed as Windows services (‘deployed as a Windows service’, ‘registered as a Windows service’).
  • [T1071.001 ] Application Layer Protocol: Web Protocols – Stowaway communicated over HTTP and WebSocket channels (‘Communications are transported over TCP, HTTP, or WebSocket channels’).
  • [T1071.004 ] Application Layer Protocol: DNS – No DNS abuse was explicitly described; not included.
  • [T1041 ] Exfiltration Over C2 Channel – TmcPayload exfiltrated data using configured network-share credentials and destination paths (‘transfers the exact same thumbcache_605a.db’).
  • [T1021.002 ] Remote Services: SMB/Windows Admin Shares – The final exfiltration relied on network shared drives and network-share credentials (‘exfiltration through network shared drives’, ‘network share credentials and destination paths’).
  • [T1106 ] Native API – TmcLoader used dynamic API resolution to hide API names (‘dynamic API resolution’).

Indicators of Compromise

  • malware sample hashes – GoSerpent: EBFFD5A76AAA690BCDB922F82E0BACC5DC506FF7BB72735444FB3703A6BEE6D8, McMx: D6E86BF8A90E9B632ADD5FA495F97FBC, and 3 more hashes
  • C2 infrastructure – 152.32.160[.]239, 8.220.194[.]108, and 10 more IPs
  • staged data and payloads – thumbcache_605a.db, {BBF061R2-BE25-4F6D-8B2D-1A6A39C3FSA2}.db, and other related service/configuration files
  • secret-key or infrastructure domains – www.microsoft.com, www.spacex.com, and github.code
  • deployed tools and modules – GoSerpent, McMx, ThumbcacheService, Stowaway, TmcLoader, TmcPayload, Mimikatz, and QuarksDumpLocalHash


Read more: https://securelist.com/goserpent-backdoor-in-southeast-asia/120687/