TetrisPhantom is an espionage-focused threat actor identified in late 2024 and associated with intrusions against government institutions, including activity in Southeast Asia. The actor has been linked to malware delivery through trojanized USB-related software and appears to prioritize covert access, long-term persistence, and intelligence collection from public-sector targets. A possible connection has been noted between TetrisPhantom and later Southeast Asian espionage operations involving the GoSerpent malware ecosystem, but that attribution remains unconfirmed. Observed tradecraft associated with TetrisPhantom and potentially related operations includes the use of Go-based remote access tools and proxy malware, Windows service-based persistence, encrypted or obfuscated configuration handling, credential theft, staged file collection, and delayed exfiltration. Related tooling has supported capabilities such as remote shell access, file transfer, SOCKS5 proxying, port forwarding, reverse tunneling, and deployment of follow-on payloads. Associated collection activity has focused on documents of intelligence value, while credential-access activity has included theft of account material to facilitate lateral movement and exfiltration through internal network shares. The broader malware ecosystem potentially tied to this actor includes GoSerpent, McMx, Stowaway, ThumbcacheService, and the TmcLoader/TmcPayload chain. These tools indicate an operator comfortable combining custom malware, modified open-source tooling, stealthy in-memory execution, and multi-stage exfiltration workflows. Despite these overlaps in targeting and methodology, public attribution connecting the GoSerpent campaign to TetrisPhantom is not confirmed. Known alias: tetrisphantom.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
19 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
1 malware family attributed to this actor across reporting.
22 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Potentially linked to a sophisticated espionage-oriented campaign targeting government and diplomatic entities in Southeast Asia using GoSerpent, Stowaway, ThumbcacheService, credential dumping tools, and TmcLoader/TmcPayload for long-term collection and exfiltration of sensitive data.
Potentially linked to the GoSerpent espionage campaign targeting government and diplomatic entities in Southeast Asia, involving long-term access, credential dumping, file collection, proxying, and staged data exfiltration.
Espionage against government institutions using Trojanized USB software.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.