Get all your news in one place.
100's of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Dangerous new GoSerpent malware is apparently on the hunt for government secrets

A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
  • Kaspersky uncovers GoSerpent, a long‑running campaign on Southeast Asian government systems using a backdoor, RAT (Stowaway), and exfiltration tool (TmcLoader)
  • Attackers showed extreme patience, waiting weeks before deploying secondary tools to evade detection and outlast log retention policies
  • Attribution remains uncertain, but overlaps with past TetrisPhantom operations; defenders are urged to review shared IoCs to detect compromise

Security researchers Kaspersky discovered a five-year-old piece of malware that’s been hiding on government computers in the Southeast Asian region, harvesting secrets and other actionable intelligence.

The company analyzed a campaign called GoSerpent, which comprises of a backdoor of the same name, a Remote Access Trojan (RAT) called Stowaway, and a two-stage data exfiltration tool called TmcLoader.

The backdoor was first used in 2021, it was said, meaning it was successfully hiding for half a decade. This was achieved, among other things, with plenty of patience and careful planning.

TetrisPhantom

“What stands out about GoSerpent is the deliberate dwell time,” Noushin Shabab, Lead Security Researcher in Kaspersky GReAT, explained.

“Usually, attackers want to move quickly once they get a foothold, but this group drops the initial backdoor and waits. They let the dust settle for weeks before deploying their secondary exfiltration tools like TmcLoader. That kind of patience is a calculated move designed to outlast standard log retention policies and automated security sweeps, making it incredibly difficult for defenders to connect the initial infection to the eventual data theft."

The researchers could not conclusively attribute this campaign to any particular threat actor but did say that it has a lot in common with older campaigns conducted by the TetrisPhantom actor, including victimology, technical capabilities, and operational methods.

Kaspersky analyzed TetrisPhantom back in 2023, when it saw the group compromising secure USB drives used to provide encryption for safe data storage. This campaign also targeted government entities in the Asia-Pacific region (APAC) but, at the time, it was a newly discovered threat actor with no overlap with other known groups.

Sign up to read this article
Read news from 100's of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.