ctipilot.ch
← Back to the live brief
NOTABLENATOB2threat

GoSerpent evolves: staged collect-then-return espionage against Southeast Asian government and diplomatic targets

discovered 2026-07-18 13:05 UTCrun 2026-07-18T1208Z-audit1 sourcesingle-source

Kaspersky GReAT published a full analysis of the evolved GoSerpent backdoor — a Go-based RAT it has tracked against victims in Southeast Asia since 2021, whose current campaign "targeted government and diplomatic entities in Southeast Asia and showed a level of sophistication that caught our attention" (Kaspersky Securelist, 2026-07-16). Where early versions took their configuration as plain-text command-line arguments, the re-tooled backdoor receives base64-encoded, AES-CBC-encrypted arguments carrying the C2 server address and a communication password whose SHA-256 hash becomes the ChaCha20 key for all subsequent C2 traffic. Its command set covers file upload/download, remote shell execution, port forwarding, and starting a SOCKS5 proxy on the infected machine so the operators can route further access through compromised hosts; a companion Go tool, McMx, replicates the proxy/remote-shell core in simpler form (Kaspersky Securelist, 2026-07-16).

The campaign's defining shape is staged patience. After the initial deployment the operators typically wait several days, then install the collection layer: ThumbcacheService, a malicious DLL registered as a Windows service that hunts .doc, .docx, .pdf, .xls and .xlsx files (including monitoring $Recycle.Bin), archives them with 7-Zip under a predefined password with a 20 MB per-archive cap, and obfuscates its strings with single-byte-XOR; credential theft runs in parallel through Mimikatz (LSASS) and QuarksDumpLocalHash (local account hashes). The attackers then "allowed a few weeks for the ThumbcacheService to silently collect sensitive files without exfiltrating them" before returning — in the observed intrusion, in May 2026 — with an evolved toolset (the Stowaway proxy plus a TmcLoader/TmcPayload pair) to exfiltrate the accumulated archives over network shares using stolen credentials. Components persist under filenames that mimic legitimate system processes, such as lass.exe and updates.exe. Kaspersky hedges attribution: "there are indications of a potential link to the TetrisPhantom threat actor" based on similarities in victim targeting, technical capabilities and operational methodology (Kaspersky Securelist, 2026-07-16).

Provenance note: this entry was published by the 2026-07-18 weekly quality audit. The intel run on the publication date missed the item because the Securelist listing renders several posts without visible dates to a plain fetch, pushing the new post below the visible fold — the audit's per-publisher listing re-sweep surfaced it; a source-recipe note ships with the same audit.

The backdoor connects to command-and-control servers using ChaCha20 encryption for communications, with the SHA256 hash of the communication password serving as the encryption key.

the attackers allowed a few weeks for the ThumbcacheService to silently collect sensitive files without exfiltrating them

While the exact attribution of the GoSerpent campaign remains uncertain, there are indications of a potential link to the TetrisPhantom threat actor.

Kaspersky Securelist 2026-07-16

ATT&CK mapping

11 techniques mapped from the cited reporting · MITRE ATT&CK v19.1

Execution TA0002
T1059Command and Scripting Interpreter

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.

overlap matrix · ATT&CK page ↗

Persistence TA0003
T1543.003Create or Modify System Process: Windows Service

Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.

overlap matrix · ATT&CK page ↗

Privilege Escalation TA0004
T1543.003Create or Modify System Process: Windows Service

Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.

overlap matrix · ATT&CK page ↗

Stealth TA0005
T1027Obfuscated Files or Information

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

overlap matrix · ATT&CK page ↗

T1036.005Masquerading: Match Legitimate Resource Name or Location

Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation.

overlap matrix · ATT&CK page ↗

Credential Access TA0006
T1003.001OS Credential Dumping: LSASS Memory

Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material.

overlap matrix · ATT&CK page ↗

T1003.002OS Credential Dumping: Security Account Manager

Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the <code>net user</code> command. Enumerating the SAM database requires SYSTEM level access.

overlap matrix · ATT&CK page ↗

Collection TA0009
T1005Data from Local System

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

overlap matrix · ATT&CK page ↗

T1560.001Archive Collected Data: Archive via Utility

Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.

overlap matrix · ATT&CK page ↗

Command and Control TA0011
T1090.001Proxy: Internal Proxy

Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.

overlap matrix · ATT&CK page ↗

T1090.002Proxy: External Proxy

Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion.

overlap matrix · ATT&CK page ↗

T1573.001Encrypted Channel: Symmetric Cryptography

Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.