New GoSerpent malware spies on targets in Southeast Asia for months
The malware targeted government and diplomatic entities in Southeast Asia.

Image by wk1003mike | Shutterstock
- Kaspersky found new GoSerpent malware targeting government and diplomatic entities in Southeast Asia.
- Attackers used the backdoor for months to collect files, credentials, and deleted documents from infected systems.
- The campaign hid infrastructure on legitimate cloud services, making detection harder for defenders.
Key Takeaways by nexos.ai, reviewed by Cybernews staff.
Kaspersky researchers have uncovered a cyber espionage campaign using previously undocumented GoSerpent malware to target government and diplomatic entities in Southeast Asia.
GoSerpent is a remote access Trojan (RAT) that acts as a backdoor, giving hackers access to infected systems.
Researchers say earlier versions have been used against victims in Southeast Asia since 2021, but the most recent campaign began in late 2025, with a newer variant deployed in 2026.
Once installed, GoSerpent connects to hackers' servers to receive commands and install extra tools for sensitive data collection and credential dumping on the systems.
Hackers typically wait several days before downloading and executing additional malware components using the GoSerpent backdoor.
During the campaign, the malware wasn’t limited to active files – it also monitored deleted documents and stored stolen data in encrypted archives. After months of collecting files and credentials, the attackers returned with a new set of tools to exfiltrate the data in May 2026.
The infrastructure was hidden on well-known cloud services like Alibaba Cloud and UCLOUD HK. Researchers point out that the use of legitimate hosting platforms demonstrates operational security awareness, which can complicate detection.
Stay updated with our latest stories and follow us on social media
Be the first to discover new stories, ideas, and updates from our team.
“The threat actor’s use of customized tools, such as the GoSerpent backdoor, Stowaway, and TmcLoader, demonstrates a high degree of technical expertise and operational planning. The integration of these tools to collect and exfiltrate sensitive data highlights the actor’s focus on long-term access and intelligence gathering,” the researchers warn.
The threat actor behind the GoSerpent campaign is not yet known, but researchers suggest a possible link with the TetrisPhantom cyber-espionage threat group due to similarities in technical capabilities and victim targeting.
The gang is known for targeting entities in the Asia-Pacific (APAC) region using trojanized versions of legitimate USB management software. They have previously exploited secure USB drives to target government computer systems in the area.