Skip to content
feed: live
>_ 0dayNews
threat intel
● Breaking

GoSerpent: Go RAT hits APAC gov, TetrisPhantom overlap

Kaspersky documents GoSerpent, a Go-based RAT hitting Southeast Asian government and diplomatic entities since late 2025. Operational overlap with TetrisPhantom.

GoSerpent: Go RAT hits APAC gov, TetrisPhantom overlap
Image: 0dayNews / 0dayNews Editorial · All rights reserved
airgap airgap · Published · 5 min read

Confirmed: Kaspersky’s Noushin Shabab published today, 2026-07-17, a writeup of GoSerpent, a previously undocumented Go-based implant Kaspersky uncovered in February 2026 and traces to a campaign active against Southeast Asian government and diplomatic entities since late 2025. Earlier iterations of the Go implant and its companion RAT are attested back to 2021. Confidence on the tooling, targeting, and timeline: as-reported by Kaspersky.

Attribution is not committed. Kaspersky ties GoSerpent to TetrisPhantom — an APAC-focused actor documented since October 2023 — on the basis of “targeting, technical capabilities, and operational overlaps.” That is an overlap claim, not a same-actor claim. Unconfirmed as an identity — treat accordingly.

Targeting and window

  • Since late 2025, per Kaspersky, with the current toolchain observed as of May 2026.
  • Southeast Asia, focused on government and diplomatic entities.
  • Bangladesh’s military and defense establishments named separately as targets of the DoNot Team, a related but distinct APAC campaign referenced in the same disclosure — not attributed to GoSerpent operators.
  • Victim count: not disclosed.
  • Named victims: none.

That the toolchain has run since late 2025 without a public writeup before today is the operational point. Everything below explains part of why.

The toolchain, as-reported

Kaspersky documents a modular stack, not a single implant:

  • GoSerpent — the Go-based implant. Receives its C2 configuration as encrypted, Base64-encoded command-line arguments, connects over an encrypted channel keyed by a SHA256 password hash, and supports shell spawning, file transfer, SOCKS5 proxy, port listening, and remote connections. Not a stealer — a foothold.
  • McMx RAT — a lightweight Go-based proxy/RAT variant. Kaspersky treats it as a sibling to GoSerpent in the same operator toolbox, not as an unrelated family.
  • Stowaway — an off-the-shelf open-source proxy tool with SOCKS5 and SSH-tunneling features. Used as-is by the operator; the significance is the lateral-movement posture, not the tool itself.
  • ThumbcacheService — a DLL for file collection, not an execution stage.
  • TmcLoader / TmcPayload — a C++ loader/payload pair used for staged data exfiltration.
  • Mimikatz and QuarksDumpLocalHash — commodity credential-dumping tools. Off-the-shelf. Standard.

The mix — bespoke Go implant plus off-the-shelf proxy plus commodity credential tools plus a purpose-built collector — is the same operational shape Kaspersky documented against ToddyCat’s Umbrij Gmail-OAuth pull earlier this month and against Armored Likho’s BusySnake campaign in the power sector. Different actors, different regions, same “one novel piece plus a lot of quiet plumbing” build.

Delivery — spear-phish with geofenced macro

Delivery, at the class level and no further:

  • Spear-phishing email carrying an RTF document.
  • The RTF uses remote template injection to pull down a VBA macro — a class of technique Microsoft has spent years discouraging and that continues to work anyway on target-selected recipients.
  • Geofencing on the payload delivery. Requests from outside the operator’s target geography do not receive the macro payload. That is why sandbox pickup on the RTF alone reads clean — the interesting stage never lands.

Reproducing the RTF structure or the macro is not in scope for this piece; readers who need it can find Kaspersky’s technical writeup through the linked source. The point for defenders is upstream of the specific technique: RTF attachments from unexpected senders, targeting diplomatic or government mailboxes, with template-fetch behavior toward external hosts is the observable, and it is still under-alerted in most mail-security baselines that stopped at “block macros in Office documents.”

Persistence and evasion, as-reported

  • Scheduled-task persistence disguised as OneDrive telemetry. The task name mimics a legitimate Microsoft service. On a workstation with a real OneDrive install, the fake task sits next to the real ones and reads as normal to the eye.
  • XOR-encoded shellcode stages. Standard for this tier of operator.
  • LSASS process access for credential dumping — via Mimikatz and QuarksDumpLocalHash.
  • Data staged on internal network shares before exfiltration. Not exfil-in-flight per-file; batched.

The scheduled-task masquerade is the tell most likely to matter operationally. It is quiet on visual review and loud on a task-inventory diff against a known-clean baseline. The credential dumping and the SMB-staged exfil are commodity behaviors — they will fire under any EDR that alerts on LSASS access or unusual authenticated SMB writes, which is to say, most of them.

What is not confirmed

  • Attribution. Overlap with TetrisPhantom is claimed on targeting/technique grounds. A same-actor identification is not. Unconfirmed — treat accordingly.
  • Full victim list. Not stated.
  • Whether the toolchain enumerated above is complete. Kaspersky’s writeup lists the components observed; there is no claim it is exhaustive. Unconfirmed.
  • Any state-alignment claim. Not made. TetrisPhantom itself is not tied to a named government by Kaspersky in the reference disclosure.
  • File hashes and full IOCs. Kaspersky’s technical writeup carries them. This piece does not reproduce them.

What this argues on the defensive side

  • RTF with remote template injection, from unexpected senders, into diplomatic or government mailboxes — the class-level observable to alert on, ahead of specific payload signatures. The geofence means signature-based pickup on the macro itself will lag.
  • Scheduled tasks masquerading as OneDrive telemetry. Diff against a known-good baseline; the fake tasks name themselves close to the real ones on purpose.
  • LSASS access from processes that have no business there on a general-user workstation. Standard EDR alert; make sure it is actually tuned to fire on a diplomatic-mailbox workstation and not silenced by a helpdesk-tool exception.
  • SMB-staged exfil — unusual authenticated SMB writes to network shares from a user endpoint, especially followed by egress to an external host of a similar volume, is the pattern to look for. Batched exfil bypasses per-file DLP that never sees the aggregate.
  • Analyst-VM hostnames and geographic egress. If your sandbox appliance detonates from outside the operator’s target geography, the geofence will strip the macro and the RTF will read clean. Detonate from a target-plausible egress if the detonation matters.

Track further Kaspersky-attributed APAC campaigns and related threat-intel writeups at /topics/threat-intel/.

Sources

Confidence on the tooling and TTPs above: as-reported by Kaspersky. Attribution: overlap with TetrisPhantom, on Kaspersky’s targeting/technique reading — not a same-actor identification. Victim scope and IOC completeness: unconfirmed — treat accordingly.

Found this useful? Share it.