A security campaign targeting Southeast Asian governments has been hiding in plain sight since 2021.
Kaspersky's threat intelligence team identified GoSerpent, a three-component operation built around a backdoor of the same name, a Remote Access Trojan called Stowaway, and a two-stage exfiltration framework called TmcLoader. The backdoor first appeared in 2021 and spent five years undetected. After planting that backdoor, attackers waited weeks before deploying secondary tools, a deliberate pause timed to outlast log retention windows. Noushin Shabab, Lead Security Researcher at Kaspersky GReAT, described it: "Usually, attackers want to move quickly once they get a foothold, but this group drops the initial backdoor and waits. They let the dust settle for weeks before deploying their secondary exfiltration tools like TmcLoader. That kind of patience is a calculated move designed to outlast standard log retention policies and automated security sweeps, making it incredibly difficult for defenders to connect the initial infection to the eventual data theft."
Kaspersky cannot firmly tie GoSerpent to any known actor, but it finds strong overlaps with TetrisPhantom, a group it tracked in 2023 for compromising encrypted USB drives used by the same regional governments. If the link holds, it suggests an actor that previously relied on hardware-based access has graduated to persistent software implants, a meaningful escalation in both sophistication and staying power.
Five years is a long time to hide in a government network, and the more uncomfortable question is how many similar campaigns are still running undetected.