GoSerpent: A New Espionage Tool Quietly Targeting Southeast Asian Governments
Kaspersky says the previously unseen malware has been hitting government and diplomatic offices across the region since late 2025, with signs pointing to long-term spying rather than smash-and-grab theft.

Key points
- Kaspersky disclosed a previously undocumented malware family called GoSerpent in February 2026, tracking attacks that began in late 2025.
- The campaign targets government and diplomatic organisations in Southeast Asia, according to Kaspersky's telemetry.
- The operators appear focused on quiet, long-term access and intelligence gathering rather than immediate disruption.
- Public attribution to a specific state-linked group has not been made, and no vendor cluster name has been assigned yet.
- Affected sectors handle sensitive diplomatic communications, raising the stakes of any successful intrusion.
Researchers at Kaspersky say they have found a new piece of spying software they call GoSerpent, and it has been quietly used against government offices and embassies in Southeast Asia since late 2025.
The Russian security company disclosed the activity in February 2026. In the language of threat intelligence, GoSerpent is a previously undocumented malware family, meaning no vendor had published on it before. It is malicious software: a program installed on a victim's computer without permission, designed to give the attackers a foothold inside the network.
The reporting, also picked up by The Hacker News, describes a campaign aimed squarely at government and diplomatic entities in the region.
Who is behind GoSerpent?
Nobody has said yet, at least not on the record. Kaspersky has not tied the malware to a named group such as Mustang Panda or one of the other China-nexus clusters that habitually work Southeast Asian diplomatic targets. No vendor cluster name (the shorthand labels like APT41 or Naikon that CTI teams use to group related activity) has been attached to GoSerpent in public reporting.
That matters. Attribution in this part of the world is crowded. Several state-linked groups, tracked under different names by different vendors, have overlapping targeting and sometimes overlapping tooling. Without indicators of compromise (the technical fingerprints, such as file hashes or server addresses, that let defenders match one intrusion to another) it is too early to say who is running this operation.
What Kaspersky's account does support, at medium confidence based on the described behaviour, is intent. The malware is built for persistence and quiet collection. That profile fits espionage, not cybercrime.
What does the malware actually do?
GoSerpent is designed to sit on a compromised machine and stay there. Kaspersky's write-up frames the goal as long-term access and intelligence gathering. In plain terms: the attackers want to read what the target reads, for as long as possible, without being noticed.
That is the standard playbook for state-aligned spying. Get in through a phishing email or an unpatched server. Install a quiet backdoor, a hidden door into the system that the attackers can walk through whenever they like. Then wait, watch, and copy documents out slowly enough to avoid tripping alarms.
Capability is one thing. Intent is another. The victims here, diplomats and government staff, tell you what the operators are after: cables, positions, negotiation notes, personal contacts.
Should ordinary people be worried?
Not directly. This is not a consumer campaign. Nobody's online banking is at risk from GoSerpent.
But the wider point is worth holding onto. Diplomatic networks carry information that shapes trade deals, border talks and security pacts. When a foreign intelligence service reads that traffic for months, the effects ripple out to citizens who never touched a compromised laptop.
For defenders in the region, the practical action is unglamorous. Hunt for unusual outbound traffic. Check mail gateways for spear-phishing (targeted fake emails written to trick a specific person). Patch internet-facing servers. Assume, for now, that GoSerpent samples are still being triaged and that more indicators will follow from Kaspersky and other vendors in the coming weeks.
Until then, treat single-source reporting as exactly that. One vendor, one telemetry set, one early read.



