- Kaspersky uncovers GoSerpent, a long-running campaign on Southeast Asian government systems using a backdoor, RAT (Stowaway), and exfiltration tool (TmcLoader)
- The attackers showed extreme patience and waited weeks before deploying secondary tools to evade detection and survive log retention policies.
- Attribution remains uncertain, but overlaps with previous TetrisPhantom operations; Defenders are urged to review shared IoCs for compromises.
Kaspersky security researchers discovered five-year-old malware that has been hiding on government computers in the Southeast Asia region, harvesting secrets and other actionable intelligence.
The company analyzed a campaign called GoSerpent, which consists of a backdoor of the same name, a remote access trojan (RAT) called Stowaway, and a two-stage data exfiltration tool called TmcLoader.
The backdoor was said to have been used for the first time in 2021, meaning it was successfully hidden for half a decade. This was achieved, among other things, with a lot of patience and careful planning.
Phantom Tetris
“What stands out about GoSerpent is the deliberate dwell time,” explained Noushin Shabab, senior security researcher at Kaspersky GReAT.
“Typically, attackers want to move quickly once they get a foothold, but this group drops the initial backdoor and waits. They let the dust settle for weeks before deploying their secondary exfiltration tools like TmcLoader. That kind of patience is a calculated move designed to outlast standard log retention policies and automated security sweeps, making it incredibly difficult for defenders to connect the initial infection to the eventual data theft.”
The researchers could not conclusively attribute this campaign to any particular threat actor, but they did say that it has a lot in common with older campaigns run by the TetrisPhantom actor, including victimology, technical capabilities, and operational methods.
Kaspersky analyzed TetrisPhantom in 2023, when it saw the group compromising secure USB drives used to provide encryption for secure data storage. This campaign also targeted government entities in the Asia-Pacific (APAC) region, but at the time, this was a newly discovered threat actor that did not overlap with other known groups.

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.




