Dangerous new GoSerpent malware is apparently on the hunt for government secrets
GoSerpent malware has been hiding in plain sight for half a decade
- Kaspersky uncovers GoSerpent, a long‑running campaign on Southeast Asian government systems using a backdoor, RAT (Stowaway), and exfiltration tool (TmcLoader)
- Attackers showed extreme patience, waiting weeks before deploying secondary tools to evade detection and outlast log retention policies
- Attribution remains uncertain, but overlaps with past TetrisPhantom operations; defenders are urged to review shared IoCs to detect compromise
Security researchers Kaspersky discovered a five-year-old piece of malware that’s been hiding on government computers in the Southeast Asian region, harvesting secrets and other actionable intelligence.
The company analyzed a campaign called GoSerpent, which comprises of a backdoor of the same name, a Remote Access Trojan (RAT) called Stowaway, and a two-stage data exfiltration tool called TmcLoader.
The backdoor was first used in 2021, it was said, meaning it was successfully hiding for half a decade. This was achieved, among other things, with plenty of patience and careful planning.
TetrisPhantom
“What stands out about GoSerpent is the deliberate dwell time,” Noushin Shabab, Lead Security Researcher in Kaspersky GReAT, explained.
“Usually, attackers want to move quickly once they get a foothold, but this group drops the initial backdoor and waits. They let the dust settle for weeks before deploying their secondary exfiltration tools like TmcLoader. That kind of patience is a calculated move designed to outlast standard log retention policies and automated security sweeps, making it incredibly difficult for defenders to connect the initial infection to the eventual data theft."
The researchers could not conclusively attribute this campaign to any particular threat actor but did say that it has a lot in common with older campaigns conducted by the TetrisPhantom actor, including victimology, technical capabilities, and operational methods.
Kaspersky analyzed TetrisPhantom back in 2023, when it saw the group compromising secure USB drives used to provide encryption for safe data storage. This campaign also targeted government entities in the Asia-Pacific region (APAC) but, at the time, it was a newly discovered threat actor with no overlap with other known groups.
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.