In February 2026, Kaspersky researchers uncovered a sophisticated espionage campaign targeting government and diplomatic entities across Southeast Asia. The center of this operation is a previously undocumented malware family dubbed GoSerpent. Active since late 2025, this threat is designed with a singular focus: establishing long-term persistence within sensitive networks to facilitate sustained intelligence gathering.
For defenders in the diplomatic and government sectors (and those managing supply chains touching them), GoSerpent represents a high-confidence threat to state secrets and diplomatic communications. Unlike financially motivated operations, this campaign prioritizes stealth and endurance. If you are responsible for securing high-value networks in the APAC region, immediate threat hunting and hardening of outbound controls are required.
Technical Analysis
Threat Overview: GoSerpent is a malicious software framework written in the Go (Golang) programming language. The use of Go suggests a desire for cross-platform capabilities (Windows/Linux) and ease of compilation, complicating static analysis for defenders.
Target Profile:
- Geography: Southeast Asia
- Verticals: Government agencies, Diplomatic missions
- Objective: Long-term access, Espionage
Attack Lifecycle: While the initial infection vector (Intrusion Vector) has not been publicly disclosed in the initial reporting, the malware's primary function post-exploitation is to maintain a foothold. Malware families like GoSerpent typically employ:
- Persistence: Scheduled tasks, services, or launch agents to re-instantiate the payload upon reboot.
- C2 Communication: Encrypted channels to command-and-control (C2) infrastructure, often masquerading as legitimate web traffic to blend with diplomatic browsing habits.
- Data Exfiltration: Slow, low-volume siphoning of documents and credentials to avoid triggering bandwidth-based anomaly detection.
Exploitation Status: This is an active campaign. The operators have successfully breached targets as of late 2025 and maintained access into 2026. There is no CVE associated with this specific report; the threat is the malware itself and the operators' tradecraft.
Detection & Response
Given the lack of specific IOCs (Hashes/IPs) in the initial disclosure, defenders must rely on behavioral detection. The following rules focus on the anomalies inherent to Go-compiled malware and persistence mechanisms typical of espionage tools.
SIGMA Rules
---
title: Potential GoSerpent Execution - Suspicious Unsigned Go Binary
id: 8a2b4c5d-6e7f-8a9b-0c1d-2e3f4a5b6c7d
status: experimental
description: Detects execution of unsigned Go binaries (Company Name: Go) in user-writable paths, indicative of GoSerpent or similar droppers.
references:
- https://thehackernews.com/2026/07/new-goserpent-malware-targets-southeast.html
author: Security Arsenal
date: 2026/07/15
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '.exe'
CompanyName: 'Go'
Signed: 'false'
Image|contains:
- '\Downloads\'
- '\AppData\Local\Temp\'
- '\Desktop\'
- '\AppData\Roaming\'
condition: selection
falsepositives:
- Legitimate portable tools used by administrators
level: high
---
title: Suspicious Scheduled Task Creation for Long-Term Access
id: 9b3c5d6e-7f8a-9b0c-1d2e-3f4a5b6c7d8e
status: experimental
description: Detects the creation of scheduled tasks by non-admin users or utilizing unusual triggers, a common persistence method for espionage tools like GoSerpent.
references:
- https://thehackernews.com/2026/07/new-goserpent-malware-targets-southeast.html
author: Security Arsenal
date: 2026/07/15
tags:
- attack.persistence
- attack.t1053.005
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\schtasks.exe'
CommandLine|contains:
- '/create'
- '/sc'
- '/tn'
filter_admin:
SubjectUserName|contains:
- 'ADMIN'
- 'SYSTEM'
condition: selection and not filter_admin
falsepositives:
- User-initiated task scheduling
level: medium
KQL (Microsoft Sentinel / Defender)
// Hunt for unsigned Go binaries often used in GoSerpent style campaigns
// Focus on processes spawned from user directories to avoid noise from signed Go services
DeviceProcessEvents
| where Timestamp >= ago(30d)
| where ProcessVersionInfoCompanyName == "Go"
| where IsSigned == false
| where FolderPath contains "Users"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, SHA256
| order by Timestamp desc
Velociraptor VQL
-- Hunt for recently modified executables in user directories characteristic of GoSerpent droppers
SELECT FullPath, Size, Mtime, Mode, Sys.OSPath.Basename(Name) as Name
FROM glob(globs='/*', root=srcDir='C:/Users/')
WHERE Mode =~ 'x'
AND Mtime > now() - 180
AND Name =~ '\.(exe|dll)$'
AND NOT FullPath =~ '\\AppData\\Local\\Microsoft\\'
Remediation Script (PowerShell)
# Security Arsenal - GoSerpent Response Audit
# Scans for unsigned Go binaries in user directories
Write-Host "Starting audit for suspicious Go binaries..."
$paths = @("C:\Users\*\Downloads\*.exe", "C:\Users\*\Desktop\*.exe", "C:\Users\*\AppData\Local\Temp\*.exe", "C:\Users\*\AppData\Roaming\*.exe")
$findings = @()
foreach ($path in $paths) {
Get-ChildItem -Path $path -ErrorAction SilentlyContinue | ForEach-Object {
$file = $_
try {
$sig = Get-AuthenticodeSignature -FilePath $file.FullName
# Check for unsigned files or files with CompanyName matching Go
$versionInfo = $file.VersionInfo
if ($sig.Status -ne 'Valid' -and $versionInfo.CompanyName -eq 'Go') {
$findings += [PSCustomObject]@{
Path = $file.FullName
Status = $sig.Status
Company = $versionInfo.CompanyName
Time = $file.LastWriteTime
}
}
} catch {
# Ignore errors accessing locked files
}
}
}
if ($findings.Count -gt 0) {
Write-Host "[!] Potential GoSerpent artifacts found:" -ForegroundColor Red
$findings | Format-Table -AutoSize
} else {
Write-Host "[+] No suspicious unsigned Go binaries found in user directories." -ForegroundColor Green
}
Remediation
Since GoSerpent is malware rather than a vulnerability, "patching" refers to the removal of the artifact and closing the infection vector.
- Isolate Affected Hosts: Immediately isolate any endpoints returning positive hits for the behavioral detection rules above.
- Forensic Acquisition: Capture a full memory image and disk clone of affected machines before attempting remediation to establish the Initial Access Vector.
- Artifact Removal: Delete the identified malicious executables.
- Persistence Purging: Review Scheduled Tasks, Registry Run keys, and Services. Remove any entries referencing the deleted binaries.
- Credential Reset: Assume credential theft. Reset all privileged credentials used on the affected machine since late 2025.
- Network Restriction: Implement stricter egress filtering. Diplomatic entities should utilize proxies to inspect outbound TLS traffic, preventing C2 communication.
Related Resources
Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.