- Kaspersky uncovers GoSerpent, a long-running campaign on Southeast Asian government systems using a backdoor, RAT (Stowaway) and exfiltration tool (TmcLoader)
- The attackers were extremely patient, waiting weeks before deploying secondary tools to evade detection and survive log retention policies.
- Attribution remains uncertain, but overlaps with past TetrisPhantom operations; defenders are advised to review shared IoCs for compromise
Security researchers Kaspersky have discovered five-year-old malware lurking on government computers in the Southeast Asian region, harvesting secrets and other exploitable intelligence.
The company analyzed a campaign called GoSerpent, which includes a backdoor of the same name, a remote access Trojan (RAT) called Stowaway, and a two-step data exfiltration tool called TmcLoader.
The backdoor was first used in 2021, it was said, meaning it managed to hide for half a decade. This was achieved, among other things, with a lot of patience and careful planning.
TetrisGhost
“What stands out about GoSerpent is the deliberate downtime,” explained Noushin Shabab, senior security researcher at Kaspersky GReAT.
“Usually, attackers want to move quickly once they gain a foothold, but this group abandons the initial backdoor and waits. They let the dust settle for weeks before deploying their secondary exfiltration tools like TmcLoader. This type of patience is a calculated move designed to outlast standard log retention policies and automated security sweeps, making it incredibly difficult for defenders to connect the initial infection to eventual data theft.”
Researchers could not conclusively attribute this campaign to any particular threat actor, but said it had many similarities with older campaigns led by the TetrisPhantom actor, including in terms of victimology, technical capabilities, and operational methods.
Kaspersky analyzed TetrisPhantom in 2023, when it saw the group compromising secure USB drives used to provide encryption for secure data storage. This campaign also targeted government entities in the Asia-Pacific (APAC) region, but, at the time, it was a newly discovered threat actor with no overlap with other known groups.

The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds.




