Securelist
GoSerpent Backdoor Steals Sensitive Data from Southeast Asian Governments
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A cyber espionage campaign utilizing the GoSerpent backdoor has infiltrated government networks in Southeast Asia for over five years, harvesting sensitive police and biometric data. The operation, revealed by Kaspersky's GReAT, involved the use of a sophisticated remote access Trojan (RAT) that disguised its data exfiltration as legitimate internal traffic. The attackers employed stolen credentials to access and transfer data without raising alarms. The GoSerpent malware, which has evolved since its initial deployment in 2021, now includes advanced encryption methods and additional tools for stealthy data collection. The campaign's persistence and sophistication highlight significant vulnerabilities in governmental cybersecurity measures across the region. The latest variant was actively used in attacks that began in late 2025 and continued into 2026.
Key Points: • GoSerpent has been active since at least 2021, targeting Southeast Asian governments. • The malware uses stolen credentials to exfiltrate data without triggering security alerts. • Recent variants of GoSerpent include advanced encryption and additional stealth tools.