Dangerous new GoSerpent malware is apparently on the hunt for government secrets
The malware has been hiding in plain sight for half a decade, stealing all sorts of valuable secrets.
- Kaspersky uncovers GoSerpent, a long‑running campaign on Southeast Asian government systems using a backdoor, RAT (Stowaway), and exfiltration tool (TmcLoader)
- Attackers showed extreme patience, waiting weeks before deploying secondary tools to evade detection and outlast log retention policies
- Attribution remains uncertain, but overlaps with past TetrisPhantom operations; defenders are urged to review shared IoCs to detect compromise
Security researchers Kaspersky discovered a five-year-old piece of malware that’s been hiding on government computers in the Southeast Asian region, harvesting secrets and other actionable intelligence.
The company analyzed a campaign called GoSerpent, which comprises of a backdoor of the same name, a Remote Access Trojan (RAT) called Stowaway, and a two-stage data exfiltration tool called TmcLoader.
The backdoor was first used in 2021, it was said, meaning it was successfully hiding for half a decade. This was achieved, among other things, with plenty of patience and careful planning.
TetrisPhantom
“What stands out about GoSerpent is the deliberate dwell time,” Noushin Shabab, Lead Security Researcher in Kaspersky GReAT, explained.
“Usually, attackers want to move quickly once they get a foothold, but this group drops the initial backdoor and waits. They let the dust settle for weeks before deploying their secondary exfiltration tools like TmcLoader. That kind of patience is a calculated move designed to outlast standard log retention policies and automated security sweeps, making it incredibly difficult for defenders to connect the initial infection to the eventual data theft."
The researchers could not conclusively attribute this campaign to any particular threat actor but did say that it has a lot in common with older campaigns conducted by the TetrisPhantom actor, including victimology, technical capabilities, and operational methods.
Kaspersky analyzed TetrisPhantom back in 2023, when it saw the group compromising secure USB drives used to provide encryption for safe data storage. This campaign also targeted government entities in the Asia-Pacific region (APAC) but, at the time, it was a newly discovered threat actor with no overlap with other known groups.
Share
What's Your Reaction?
Like
0
Dislike
0
Love
0
Funny
0
Angry
0
Sad
0
Wow
0
