Back to Intelligence

GoSerpent Malware: Detection and Defense Strategies for Southeast Asian Diplomacy

SA
Security Arsenal Team
July 18, 2026
5 min read

In February 2026, Kaspersky researchers uncovered a sophisticated espionage campaign targeting government and diplomatic entities across Southeast Asia. The center of this operation is a previously undocumented malware family dubbed GoSerpent. Active since late 2025, this threat is designed with a singular focus: establishing long-term persistence within sensitive networks to facilitate sustained intelligence gathering.

For defenders in the diplomatic and government sectors (and those managing supply chains touching them), GoSerpent represents a high-confidence threat to state secrets and diplomatic communications. Unlike financially motivated operations, this campaign prioritizes stealth and endurance. If you are responsible for securing high-value networks in the APAC region, immediate threat hunting and hardening of outbound controls are required.

Technical Analysis

Threat Overview: GoSerpent is a malicious software framework written in the Go (Golang) programming language. The use of Go suggests a desire for cross-platform capabilities (Windows/Linux) and ease of compilation, complicating static analysis for defenders.

Target Profile:

  • Geography: Southeast Asia
  • Verticals: Government agencies, Diplomatic missions
  • Objective: Long-term access, Espionage

Attack Lifecycle: While the initial infection vector (Intrusion Vector) has not been publicly disclosed in the initial reporting, the malware's primary function post-exploitation is to maintain a foothold. Malware families like GoSerpent typically employ:

  1. Persistence: Scheduled tasks, services, or launch agents to re-instantiate the payload upon reboot.
  2. C2 Communication: Encrypted channels to command-and-control (C2) infrastructure, often masquerading as legitimate web traffic to blend with diplomatic browsing habits.
  3. Data Exfiltration: Slow, low-volume siphoning of documents and credentials to avoid triggering bandwidth-based anomaly detection.

Exploitation Status: This is an active campaign. The operators have successfully breached targets as of late 2025 and maintained access into 2026. There is no CVE associated with this specific report; the threat is the malware itself and the operators' tradecraft.

Detection & Response

Given the lack of specific IOCs (Hashes/IPs) in the initial disclosure, defenders must rely on behavioral detection. The following rules focus on the anomalies inherent to Go-compiled malware and persistence mechanisms typical of espionage tools.

SIGMA Rules

YAML
---
title: Potential GoSerpent Execution - Suspicious Unsigned Go Binary
id: 8a2b4c5d-6e7f-8a9b-0c1d-2e3f4a5b6c7d
status: experimental
description: Detects execution of unsigned Go binaries (Company Name: Go) in user-writable paths, indicative of GoSerpent or similar droppers.
references:
  - https://thehackernews.com/2026/07/new-goserpent-malware-targets-southeast.html
author: Security Arsenal
date: 2026/07/15
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '.exe'
    CompanyName: 'Go'
    Signed: 'false'
    Image|contains:
      - '\Downloads\'
      - '\AppData\Local\Temp\'
      - '\Desktop\'
      - '\AppData\Roaming\'
  condition: selection
falsepositives:
  - Legitimate portable tools used by administrators
level: high
---
title: Suspicious Scheduled Task Creation for Long-Term Access
id: 9b3c5d6e-7f8a-9b0c-1d2e-3f4a5b6c7d8e
status: experimental
description: Detects the creation of scheduled tasks by non-admin users or utilizing unusual triggers, a common persistence method for espionage tools like GoSerpent.
references:
  - https://thehackernews.com/2026/07/new-goserpent-malware-targets-southeast.html
author: Security Arsenal
date: 2026/07/15
tags:
  - attack.persistence
  - attack.t1053.005
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\schtasks.exe'
    CommandLine|contains:
      - '/create'
      - '/sc'
      - '/tn'
  filter_admin:
    SubjectUserName|contains:
      - 'ADMIN'
      - 'SYSTEM'
  condition: selection and not filter_admin
falsepositives:
  - User-initiated task scheduling
level: medium

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for unsigned Go binaries often used in GoSerpent style campaigns
// Focus on processes spawned from user directories to avoid noise from signed Go services
DeviceProcessEvents
| where Timestamp >= ago(30d)
| where ProcessVersionInfoCompanyName == "Go" 
| where IsSigned == false 
| where FolderPath contains "Users"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, SHA256
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for recently modified executables in user directories characteristic of GoSerpent droppers
SELECT FullPath, Size, Mtime, Mode, Sys.OSPath.Basename(Name) as Name
FROM glob(globs='/*', root=srcDir='C:/Users/')
WHERE Mode =~ 'x' 
  AND Mtime > now() - 180 
  AND Name =~ '\.(exe|dll)$'
  AND NOT FullPath =~ '\\AppData\\Local\\Microsoft\\'

Remediation Script (PowerShell)

PowerShell
# Security Arsenal - GoSerpent Response Audit
# Scans for unsigned Go binaries in user directories

Write-Host "Starting audit for suspicious Go binaries..."

$paths = @("C:\Users\*\Downloads\*.exe", "C:\Users\*\Desktop\*.exe", "C:\Users\*\AppData\Local\Temp\*.exe", "C:\Users\*\AppData\Roaming\*.exe")
$findings = @()

foreach ($path in $paths) {
    Get-ChildItem -Path $path -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        try {
            $sig = Get-AuthenticodeSignature -FilePath $file.FullName
            # Check for unsigned files or files with CompanyName matching Go
            $versionInfo = $file.VersionInfo
            if ($sig.Status -ne 'Valid' -and $versionInfo.CompanyName -eq 'Go') {
                $findings += [PSCustomObject]@{
                    Path = $file.FullName
                    Status = $sig.Status
                    Company = $versionInfo.CompanyName
                    Time = $file.LastWriteTime
                }
            }
        } catch {
            # Ignore errors accessing locked files
        }
    }
}

if ($findings.Count -gt 0) {
    Write-Host "[!] Potential GoSerpent artifacts found:" -ForegroundColor Red
    $findings | Format-Table -AutoSize
} else {
    Write-Host "[+] No suspicious unsigned Go binaries found in user directories." -ForegroundColor Green
}

Remediation

Since GoSerpent is malware rather than a vulnerability, "patching" refers to the removal of the artifact and closing the infection vector.

  1. Isolate Affected Hosts: Immediately isolate any endpoints returning positive hits for the behavioral detection rules above.
  2. Forensic Acquisition: Capture a full memory image and disk clone of affected machines before attempting remediation to establish the Initial Access Vector.
  3. Artifact Removal: Delete the identified malicious executables.
  4. Persistence Purging: Review Scheduled Tasks, Registry Run keys, and Services. Remove any entries referencing the deleted binaries.
  5. Credential Reset: Assume credential theft. Reset all privileged credentials used on the affected machine since late 2025.
  6. Network Restriction: Implement stricter egress filtering. Diplomatic entities should utilize proxies to inspect outbound TLS traffic, preventing C2 communication.

Related Resources

Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub

healthcare-cybersecurityhipaa-compliancehealthcare-ransomwareehr-securitymedical-data-breachgoserpentaptespionagemalwarese-asia

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.