Back to Feed
MalwareJul 16, 2026

GoSerpent: a persistent threat evolves with sophisticated data collection and exfiltration

GoSerpent backdoor targets SE Asian governments with multi-stage attacks using RATs and credential dumping tools

Summary

Researchers discovered a sophisticated two-phase attack campaign using the GoSerpent backdoor, targeting government and diplomatic entities in Southeast Asia since late 2025. The malware, a Go-based RAT with encryption and SOCKS5 proxy capabilities, deploys secondary tools including Stowaway RAT, ThumbcacheService for data collection, and credential dumping utilities for sensitive file exfiltration. The threat actor evolved their toolset by May 2026 with enhanced stealth capabilities while maintaining backward compatibility with earlier, simpler variants dating back to 2021.

Full text

Table of Contents IntroductionTechnical detailsInitial phase of the attacksGoSerpent backdoorMcMx RATData collection and credential dumping toolsThumbcacheServiceCredential dumping toolsSecond stage of the attacksStowawayTmcLoader/TmcPayloadToolset integrationInfrastructureAttributionConclusionIndicators of compromiseFile hashesC2 IP addresses Authors Noushin Shabab Introduction In February 2026 we discovered a set of malicious activities that have been ongoing since late 2025. These activities involved a RAT module written in Go with proxy capabilities, serving as the main stage of the attack. The attack targeted government and diplomatic entities in Southeast Asia and showed a level of sophistication which caught our attention. During the attack, the main malware, dubbed GoSerpent, received an encrypted argument and started communication with a remote server. It was also used to deploy further malicious tools for sensitive data collection and credential dumping on the system. Monitoring the activities of this threat actor revealed that in May 2026 they came back with an evolved set of malicious tools: new Stowaway RAT and proxy tool which resembled the initial malware as well as an additional stealthy tool to exfiltrate sensitive data collected for the previous few months through network share. We found earlier versions of the GoSerpent backdoor used since 2021 against victims in Southeast Asia with a relatively simpler code that received command-line arguments in plain text. Even though the newer variant is stealthier, the attackers continued using the simpler version alongside the latest one in their recent attacks. What makes this threat particularly concerning is the strategic deployment of various tools with sophisticated data collection and exfiltration capabilities. In this article we introduce the malicious tools uncovered by us which are used since late 2025. Technical details Initial phase of the attacks The initial phase of the attacks involved deployment of the GoSerpent backdoor and subsequent deployment of additional malicious tools. During this phase, the main goal was to collect sensitive files and store them for future exfiltration which was done by a data collecting tool, ThumbcacheService. The attackers also needed system credentials for the collected data exfiltration through network shared drives at a later stage. This was achieved by a number of credential dumping tools deployed in this phase via the GoSerpent backdoor. GoSerpent backdoor The primary weapon in this campaign is the GoSerpent backdoor, a sophisticated Go-based remote access Trojan that has been active since at least 2021, with the most recent variant deployed in 2026. This malware receives encrypted and base64-encoded command-line arguments containing the C2 server address and communication password, which are decrypted using AES-CBC mode with a fixed IV (31323334353637383930616263646566) and keys derived from predefined strings. The backdoor connects to command-and-control servers using ChaCha20 encryption for communications, with the SHA256 hash of the communication password serving as the encryption key. GoSerpent supports multiple C2 commands by receiving special command values. The commands include the following: Command Symbol (as derived from corresponding function names) Description 2BA1 Sync Respond to the server to show the infection is active 3BA2 Exit Exit process 4BA3 Ls Start listening on a port 5BA4 Connect Connect to a remote server 6BA5 Hello Create a shell on the infected machine 7BA6 Ul Upload a file or directory to the server 8BA7 Dl Download from the server 9BA8 Ss5 Start a SOCKS5 proxy on the infected machine ABA9 Cl Close a listening port CBAB RF Forward to a connected node GoSerpent can establish SOCKS5 proxy servers to route traffic through compromised hosts, enabling attackers to access other networks while masking their true IP addresses. The backdoor is capable of deploying additional malicious tools including ThumbcacheService for file collection, Mimikatz for credential dumping, and QuarksDumpLocalHash for local account password hash extraction. The malware exhibits strong persistence mechanisms and uses filenames that mimic legitimate system processes such as lass.exe and updates.exe to evade detection. McMx RAT McMx is a basic Go-based proxy and remote access tool that represents a simpler variant of the GoSerpent backdoor, appearing to be compiled from a different GitHub repository path. Unlike the latest variant of GoSerpent that uses encrypted command-line arguments, McMx receives input parameters from text files in plain text format, resembling older versions of GoSerpent. The malware features similar function names with apparent typos present in both tools. Before executing McMx, attackers manipulate batch files to generate configuration files containing C2 parameters. The patterns observed show the use of echo commands to create configuration files with parameters like remote host addresses, ports, and secret keys. The McMx malware is then deployed with this configuration. The tool shares core functionalities with GoSerpent including: SOCKS5 proxying port forwarding file transfer remote shell capabilities Data collection and credential dumping tools Following initial deployment of the GoSerpent backdoor, attackers typically wait several days before utilizing it to download and execute additional malware components for data collection and credential dumping. ThumbcacheService ThumbcacheService is a malicious DLL deployed as a Windows service that functions as a sophisticated file collection mechanism within the GoSerpent ecosystem. The malware employs XOR encryption with a single-byte key of 0x13 for string obfuscation. It decrypts embedded strings and creates a database file named thumbcache_605a.db in the C:\Users\Public\ directory to store collected sensitive files. It specifically targets documents with the following extensions: .doc, .docx, .pdf, .xls and .xlsx. The targeted files are then archived using 7-Zip and protected with a predefined password of @vx0a9n5W2M0c3D6.#, enforcing a 20MB size limit for archives. The malicious service also monitors the $Recycle.Bin directory for deleted files with the extensions of interest, ensuring comprehensive data collection. Credential dumping tools The threat actor deploys the following tools via GoSerpent backdoor to dump credentials: Mimikatz — dumps memory from the LSASS process to extract credential material, including cached credentials and Kerberos tickets. QuarksDumpLocalHash — extracts local account password hashes from the SAM registry hive, allowing for offline password cracking attacks. These tools work together to maximize information extraction from compromised systems. The stolen credentials were used in later stages of the attack to facilitate the exfiltration of sensitive files collected by ThumbcacheService. Second stage of the attacks After the initial phase of the malware deployments, the attackers allowed a few weeks for the ThumbcacheService to silently collect sensitive files without exfiltrating them. In the meantime, the credential dumping tools also continued to steal credentials. In May 2026, the threat actor came back with a set of new tools. The main malware of this round of activities was another Go-based RAT and proxy tool, Stowaway. It was then used to deploy the two-stage data exfiltration tool TmcLoader/TmcPayload which was the last piece of the data theft puzzle. Stowaway Stowaway is a proxy and remote access tool compiled from an open-source framework with customized functions to make the infection more stealthy. This malware features both network admin and agent capabilities enabling attackers to establish chained proxy paths across multiple hosts with the following functionalities: SOCKS5 proxying port forwarding reverse tunneling remote shell access file transfer SSH-based tunneling Communications are transported over TCP, HTTP, or WebSocke

Indicators of Compromise

  • malware — GoSerpent
  • malware — Stowaway RAT
  • malware — ThumbcacheService
  • malware — TmcLoader/TmcPayload
  • malware — McMx RAT

Entities

GoSerpent Campaign (campaign)ChaCha20 encryption (technology)