2026-07-18 · view entry permalink →
GoSerpent evolves: staged collect-then-return espionage against Southeast Asian government and diplomatic targets
Kaspersky GReAT published a full analysis of the evolved GoSerpent backdoor — a Go-based RAT it has tracked against victims in Southeast Asia since 2021, whose current campaign "targeted government and diplomatic entities in Southeast Asia and showed a level of sophistication that caught our attention" (Kaspersky Securelist, 2026-07-16). Where early versions took their configuration as plain-text command-line arguments, the re-tooled backdoor receives base64-encoded, AES-CBC-encrypted arguments carrying the C2 server address and a communication password whose SHA-256 hash becomes the ChaCha20 key for all subsequent C2 traffic. Its command set covers file upload/download, remote shell execution, port forwarding, and starting a SOCKS5 proxy on the infected machine so the operators can route further access through compromised hosts; a companion Go tool, McMx, replicates the proxy/remote-shell core in simpler form (Kaspersky Securelist, 2026-07-16).
The campaign's defining shape is staged patience. After the initial deployment the operators typically wait several days, then install the collection layer: ThumbcacheService, a malicious DLL registered as a Windows service that hunts .doc, .docx, .pdf, .xls and .xlsx files (including monitoring $Recycle.Bin), archives them with 7-Zip under a predefined password with a 20 MB per-archive cap, and obfuscates its strings with single-byte-XOR; credential theft runs in parallel through Mimikatz (LSASS) and QuarksDumpLocalHash (local account hashes). The attackers then "allowed a few weeks for the ThumbcacheService to silently collect sensitive files without exfiltrating them" before returning — in the observed intrusion, in May 2026 — with an evolved toolset (the Stowaway proxy plus a TmcLoader/TmcPayload pair) to exfiltrate the accumulated archives over network shares using stolen credentials. Components persist under filenames that mimic legitimate system processes, such as lass.exe and updates.exe. Kaspersky hedges attribution: "there are indications of a potential link to the TetrisPhantom threat actor" based on similarities in victim targeting, technical capabilities and operational methodology (Kaspersky Securelist, 2026-07-16).
Provenance note: this entry was published by the 2026-07-18 weekly quality audit. The intel run on the publication date missed the item because the Securelist listing renders several posts without visible dates to a plain fetch, pushing the new post below the visible fold — the audit's per-publisher listing re-sweep surfaced it; a source-recipe note ships with the same audit.
The backdoor connects to command-and-control servers using ChaCha20 encryption for communications, with the SHA256 hash of the communication password serving as the encryption key.
the attackers allowed a few weeks for the ThumbcacheService to silently collect sensitive files without exfiltrating them
While the exact attribution of the GoSerpent campaign remains uncertain, there are indications of a potential link to the TetrisPhantom threat actor.