[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"branding":3,"analytics":7,"article-goserpent-backdoor-spent-five-years-in-apac-government-networks":10,"sections":45},{"siteName":4,"siteTagline":5,"publisherName":4,"contactEmail":6},"The Revision","Tech news, decoded.","editor@therevision.news",{"gaMeasurementId":8,"adsenseClientId":9},"G-ZW2MV82GYR","ca-pub-8533917693782264",{"article":11},{"id":12,"slug":13,"title":14,"dek":15,"body_md":16,"tags_json":17,"published_at":18,"created_at":19,"updated_at":20,"status":21,"review_note":22,"review_notes":23,"image_url":22,"persona_id":22,"persona_name":22,"section":34,"tags":35,"sources":40,"feedback":44,"feedback_at":22,"cost_usd":44,"total_tokens":44},4818,"goserpent-backdoor-spent-five-years-in-apac-government-networks","GoSerpent Backdoor Spent Five Years in APAC Government Networks","Kaspersky's GoSerpent analysis reveals a five-year APAC government campaign where attackers waited weeks before deploying data-theft tools.","A security campaign targeting Southeast Asian governments has been hiding in plain sight since 2021.\n\nKaspersky's threat intelligence team identified GoSerpent, a three-component operation built around a backdoor of the same name, a Remote Access Trojan called Stowaway, and a two-stage exfiltration framework called TmcLoader. The backdoor first appeared in 2021 and spent five years undetected. After planting that backdoor, attackers waited weeks before deploying secondary tools, a deliberate pause timed to outlast log retention windows. Noushin Shabab, Lead Security Researcher at Kaspersky GReAT, described it: \"Usually, attackers want to move quickly once they get a foothold, but this group drops the initial backdoor and waits. They let the dust settle for weeks before deploying their secondary exfiltration tools like TmcLoader. That kind of patience is a calculated move designed to outlast standard log retention policies and automated security sweeps, making it incredibly difficult for defenders to connect the initial infection to the eventual data theft.\"\n\nKaspersky cannot firmly tie GoSerpent to any known actor, but it finds strong overlaps with TetrisPhantom, a group it tracked in 2023 for compromising encrypted USB drives used by the same regional governments. If the link holds, it suggests an actor that previously relied on hardware-based access has graduated to persistent software implants, a meaningful escalation in both sophistication and staying power.\n\nFive years is a long time to hide in a government network, and the more uncomfortable question is how many similar campaigns are still running undetected.","[\"malware\",\"espionage\",\"southeast asia\",\"threat intelligence\"]","2026-07-17T15:05:00.000Z","2026-07-17T16:04:58.582Z","2026-07-17T16:05:01.380Z","published",null,[24,30],{"id":25,"reviewer":26,"round":27,"reason":28,"status":29},"editor-r1","editor",1,"The dek says attackers 'waited weeks before stealing data' but the body says the malware 'spent five years quietly on government computers' — the five-year figure refers to total dwell time since 2021 to discovery, not a waiting period before exfiltration, and this conflation needs to be resolved; additionally, the article omits the direct quote from Noushin Shabab that appears in the source and supports the dwell-time claim, which should either be included or explicitly cut, not silently droppe","resolved",{"id":31,"reviewer":26,"round":32,"reason":33,"status":29},"editor-r2",2,"The dek still conflates the five-year dwell time with the 'waiting weeks' delay between initial backdoor and secondary tool deployment — these are two distinct facts that must not be merged into a single misleading claim in the dek; additionally, [editor-r1] is not resolved because the Noushin Shabab quote in the body is not a verbatim reproduction of the source quote (the article omits the opening sentences 'Usually, attackers want to move quickly once they get a foothold, but this group drops ","security",[36,37,38,39],"malware","espionage","southeast asia","threat intelligence",[41],{"name":42,"url":43},"TechRadar","https:\u002F\u002Fwww.techradar.com\u002Fpro\u002Fsecurity\u002Fdangerous-new-goserpent-malware-is-apparently-on-the-hunt-for-government-secrets",0,{"sections":46},[47,52,56,61,66,71,76,81,86,91,96,101,106,111],{"name":48,"slug":49,"count":50,"latest_published_at":51},"AI","ai",2601,"2026-07-17T17:00:27.000Z",{"name":53,"slug":34,"count":54,"latest_published_at":55},"Security",314,"2026-07-17T18:44:13.000Z",{"name":57,"slug":58,"count":59,"latest_published_at":60},"Deals","deals",179,"2026-06-29T20:02:07.000Z",{"name":62,"slug":63,"count":64,"latest_published_at":65},"Policy","policy",167,"2026-07-17T14:53:59.000Z",{"name":67,"slug":68,"count":69,"latest_published_at":70},"Hardware","hardware",126,"2026-07-16T20:09:48.000Z",{"name":72,"slug":73,"count":74,"latest_published_at":75},"Consumer Tech","consumer-tech",94,"2026-07-16T16:29:46.000Z",{"name":77,"slug":78,"count":79,"latest_published_at":80},"Software","software",72,"2026-07-17T09:42:05.000Z",{"name":82,"slug":83,"count":84,"latest_published_at":85},"Science","science",66,"2026-07-10T10:29:37.000Z",{"name":87,"slug":88,"count":89,"latest_published_at":90},"Dev Tools","dev-tools",60,"2026-07-16T16:59:13.000Z",{"name":92,"slug":93,"count":94,"latest_published_at":95},"Startups","startups",42,"2026-07-16T16:30:35.000Z",{"name":97,"slug":98,"count":99,"latest_published_at":100},"Gaming","gaming",41,"2026-07-09T04:00:00.000Z",{"name":102,"slug":103,"count":104,"latest_published_at":105},"General","general",29,"2026-07-10T22:28:58.000Z",{"name":107,"slug":108,"count":109,"latest_published_at":110},"Reviews","reviews",20,"2026-06-24T12:00:01.000Z",{"name":112,"slug":113,"count":114,"latest_published_at":115},"How-To","how-to",6,"2026-06-16T09:00:00.000Z"]