• 2 min read
GoSerpent Malware Targets Southeast Asian Governments
Kaspersky uncovered GoSerpent, a malware campaign targeting Southeast Asian government systems with delayed data theft and links to TetrisPhantom.

Image: TechRadar
Kaspersky has uncovered a long-running malware campaign targeting government systems in Southeast Asia. Dubbed GoSerpent, the operation uses a backdoor, the Stowaway remote access trojan (RAT), and TmcLoader, a two-stage tool for stealing data.
The GoSerpent backdoor was first used in 2021, according to Kaspersky, and remained hidden for years. Its operators relied on unusually long delays between the initial compromise and the deployment of additional tools.
GoSerpent’s delayed data theft
Noushin Shabab, lead security researcher at Kaspersky GReAT, said the campaign’s extended dwell time was central to its success.
“What stands out about GoSerpent is the deliberate dwell time. Usually, attackers want to move quickly once they get a foothold, but this group drops the initial backdoor and waits. They let the dust settle for weeks before deploying their secondary exfiltration tools like TmcLoader. That kind of patience is a calculated move designed to outlast standard log retention policies and automated security sweeps, making it incredibly difficult for defenders to connect the initial infection to the eventual data theft.”
Waiting weeks before launching the secondary tools can make it harder for defenders to link the original infection with the eventual theft of sensitive information. It may also allow the attackers to outlast standard log-retention periods and automated security checks.
Kaspersky could not conclusively attribute GoSerpent to a specific threat actor. However, researchers found similarities with TetrisPhantom, including the targeted victims, technical capabilities, and operating methods.

Recommended reading
Florida man charged over Steam game crypto malware
Kaspersky examined TetrisPhantom in 2023, when the group was seen compromising secure USB drives used to provide encryption for protected data storage. That campaign also targeted government organizations in the Asia-Pacific region, although TetrisPhantom was then considered a newly identified actor with no confirmed links to other groups.
Security Editor
Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.
via TechRadar


