GoSerpent Backdoor Evolves with Advanced Data Collection and Exfiltration for Southeast Asian Targets
The GoSerpent backdoor, active since 2021, has been updated with sophisticated data collection and exfiltration capabilities, continuing to target government and diplomatic entities in Southeast Asia.

A sophisticated Go-based backdoor, dubbed GoSerpent, has been observed evolving its capabilities to enhance data collection and exfiltration, continuing its targeted attacks against government and diplomatic entities in Southeast Asia. First identified as active since at least 2021, recent activity in early 2026 revealed a more advanced iteration of the malware, alongside a simpler, older variant that attackers continue to deploy.
The GoSerpent backdoor serves as the primary stage for these attacks. Its latest variant receives encrypted and base64-encoded command-line arguments, which include the command-and-control (C2) server address and a communication password. These arguments are decrypted using AES-CBC with a fixed initialization vector and keys derived from predefined strings. Communication with C2 servers is further secured using ChaCha20 encryption, with the SHA256 hash of the communication password acting as the encryption key. This sophisticated encryption protects the integrity and confidentiality of the attacker's commands and the data transmitted.
GoSerpent supports a range of C2 commands, enabling attackers to remotely manage compromised systems. These commands allow for synchronization to signal an active infection, process termination, port listening, remote server connections, shell creation, file uploads and downloads, and the establishment of SOCKS5 proxy servers. The SOCKS5 proxy capability is particularly noteworthy, as it allows attackers to route traffic through compromised hosts, effectively masking their true origin IP addresses and enabling access to other networks while maintaining a lower profile.
Beyond its core backdoor functionalities, GoSerpent is instrumental in deploying additional malicious tools. These include ThumbcacheService, a data collection tool designed to gather sensitive files, and credential dumping utilities such as Mimikatz and QuarksDumpLocalHash, which aim to extract user credentials and local account password hashes. The malware also employs robust persistence mechanisms, often disguising its process names with those that mimic legitimate system processes like lass.exe and updates.exe to evade detection by security software.
Alongside the advanced GoSerpent variant, attackers are also deploying a simpler Go-based tool named McMx RAT. This tool functions as a basic proxy and remote access tool, appearing to be derived from a different codebase but sharing core functionalities with GoSerpent, including SOCKS5 proxying, port forwarding, file transfer, and remote shell capabilities. Unlike the newer GoSerpent variant, McMx receives its configuration parameters, such as C2 server addresses and secret keys, in plain text format via configuration files generated by batch scripts, indicating a continued use of simpler, older techniques alongside more advanced ones.
The data collection process is handled by ThumbcacheService, a malicious DLL deployed as a Windows service. This tool employs XOR encryption for string obfuscation and stores collected sensitive files in a database file named thumbcache_605a.db located in C:\Users\Public\. It specifically targets documents with common extensions like .doc, .docx, .pdf, .xls, and .xlsx. The collected files are then archived using 7-Zip with a predefined password and a 20MB size limit. Notably, ThumbcacheService also monitors the $Recycle.Bin directory for deleted files, ensuring a comprehensive sweep of potentially valuable data.
The overall campaign targets government and diplomatic entities, suggesting a focus on espionage and intelligence gathering. The combination of a persistent backdoor, advanced C2 communication, proxying capabilities, and sophisticated data collection and exfiltration tools highlights the threat actor's dedication to maintaining long-term access and extracting valuable information. The continued use of both older and newer malware variants suggests a pragmatic approach to operations, potentially leveraging the simpler tools for initial access or in environments where more advanced tools might be detected.
The evolution of GoSerpent underscores a broader trend in sophisticated cyber threats, where malware is continuously updated with enhanced evasion, collection, and exfiltration techniques. The targeting of critical government and diplomatic infrastructure in Southeast Asia positions this campaign as a significant concern for regional cybersecurity. Further analysis is ongoing to attribute these activities to specific threat actor groups and to understand the full scope of their objectives.