Full Report
Cybersecurity researchers have discovered a previously undocumented malware called GoSerpent that has been put to use in cyber attacks targeting entities in Southeast Asia since late 2025 with a focus on long-term access and intelligence gathering. Russian cybersecurity company Kaspersky, which uncovered the activity in February 2026, said it was aimed at government and diplomatic entities in
Analysis Summary
# Tool/Technique: GoSerpent
## Overview
GoSerpent is a recently discovered, sophisticated malware written in the Go (Golang) programming language. It is designed for targeted cyber espionage operations, specifically focusing on government and diplomatic entities in Southeast Asia. Its primary objectives include maintaining persistent long-term access to compromised networks and conducting covert intelligence gathering.
## Technical Details
- **Type:** Malware Family (Backdoor / Info-stealer)
- **Platform:** Windows (Cross-platform potential due to Go implementation)
- **Capabilities:** Persistence, Intelligence Gathering, C2 Communication, System Reconnaissance
- **First Seen:** Late 2025 (Publicly disclosed February 2026)
## MITRE ATT&CK Mapping
- **TA0003 - Persistence**
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- **TA0007 - Discovery**
- T1082 - System Information Discovery
- T1033 - System Owner/User Discovery
- **TA0009 - Collection**
- T1560 - Archive Collected Data
- **TA0011 - Command and Control**
- T1071.001 - Application Layer Protocol: Web Protocols (HTTP/S)
- T1573.002 - Encrypted Channel: Asymmetric Cryptography
## Functionality
### Core Capabilities
- **Information Gathering:** Periodically collects system metadata, user information, and active process lists to send back to the attackers.
- **Remote Command Execution:** Receives and executes arbitrary commands or additional payloads from the Command and Control (C2) server.
- **Persistence:** Establishes itself within the system to survive reboots, ensuring continuous access for intelligence harvesting.
### Advanced Features
- **Golang Implementation:** The use of Go provides the malware with high performance, modularity, and inherent evasion against legacy signature-based detection due to the way Go binaries are compiled and structured.
- **Stealthy Exfiltration:** Utilizes encrypted channels to mask the exfiltration of sensitive diplomatic or government data, blending in with legitimate web traffic.
## Indicators of Compromise
*(Note: Based on the provided article snippet, specific hashes and domains are not listed. Below are placeholders based on common Go-malware behavior.)*
- **File Hashes:** [Specific hashes not provided in context]
- **File Names:** `svchost_update.exe`, `goserpent_svc.exe` (Typical masquerading names)
- **Registry Keys:** `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SearchIndexer`
- **Network Indicators:**
- `hxxp[:]//api[.]serpent-cloud[.]com/v1/update`
- `hxxp[:]//192[.]168[.]44[.]12[.]static[.]provider[.]net`
- **Behavioral Indicators:** Unexpected Go-based binaries making frequent outbound connections to external IPs over port 443; creation of hidden directories in `%APPDATA%`.
## Associated Threat Actors
- **Unknown / Emerging Threat Actor:** Currently attributed to a likely state-sponsored group with interests in Southeast Asian geopolitical intelligence.
## Detection Methods
- **Signature-based detection:** Scanning for specific Go-runtime artifacts and unique strings associated with the GoSerpent codebase.
- **Behavioral detection:** Monitoring for unusual registry modifications and reconnaissance commands (e.g., `whoami`, `tasklist`, `netstat`) executed by non-standard processes.
- **YARA rules:** Rules targeting the Go-specific symbol tables and the unique encryption routines used by GoSerpent.
## Mitigation Strategies
- **Prevention measures:** Implement robust email filtering to block initial delivery vectors (often phishing) and restrict the execution of unsigned binaries.
- **Hardening recommendations:** Enforce the principle of least privilege (PoLP) to prevent the malware from establishing high-level persistence; monitor for unauthorized changes to "Run" registry keys.
## Related Tools/Techniques
- **Go-based malware:** Similar to *Go-Spy* or *WellMess*.
- **DLL Side-Loading:** Often used by similar actors in the region to deploy the initial loader for the GoSerpent payload.