- Kaspersky reveals GoSerpent, a long-running campaign on Southeast Asian government systems using a backdoor, RAT (Stowaway) and exfiltration tool (TmcLoader)
- Attackers showed extreme patience and waited weeks before deploying secondary tools to avoid detection and survive log retention policies
- Attribution remains uncertain, but overlaps with previous TetrisPhantom operations; defenders are encouraged to review shared IoCs to detect compromise
Security researchers Kaspersky discovered a five-year-old piece of malware that has been hiding on government computers in the Southeast Asian region, harvesting secrets and other actionable intelligence.
The company analyzed a campaign called GoSerpent, which consists of a backdoor of the same name, a Remote Access Trojan (RAT) called Stowaway, and a two-stage data exfiltration tool called TmcLoader.
The backdoor was only used in 2021, it was said, which meant it was successfully hidden for half a decade. This was achieved, among other things, with lots of patience and careful planning.
Tetris Phantom
“What stands out about GoSerpent is the intentional dwell time,” explained Noushin Shabab, lead security researcher at Kaspersky GReAT.
“Normally, attackers want to move quickly once they gain a foothold, but this group ditches the initial backdoor and waits. They let the dust settle for weeks before deploying their secondary exfiltration tools like TmcLoader. That kind of patience is a calculated move designed to survive standard log retention policies and automated security sweeps, making it incredibly difficult to connect the original infections to the initial infection.”
The researchers could not definitively attribute this campaign to any particular threat actor, but said it has much in common with older campaigns carried out by the TetrisPhantom actor, including victimology, technical capabilities and operational methods.
Kaspersky analyzed TetrisPhantom back in 2023 when it saw the group compromise secure USB drives used to provide encryption for secure data storage. This campaign also targeted government entities in the Asia-Pacific (APAC) region, but at the time it was a newly discovered threat actor with no overlap with other known groups.

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.



