Published on April 23, 2026
China-Linked GopherWhisper Infects 12 Mongolian Government Systems with Go Backdoors
Severity
Medium
Detail
Cybersecurity researchers have identified a previously unknown advanced persistent threat (APT) group named GopherWhisper, believed to be aligned with China, targeting Mongolian government institutions. According to findings by ESET, the group relies heavily on malware written in Go (Golang) and has infected at least 12 systems within a Mongolian government environment. The attackers use multiple backdoors and tools to maintain access, execute commands, and exfiltrate sensitive data.
A key characteristic of this campaign is the abuse of legitimate platforms such as Discord, Slack, Microsoft Outlook, and file-sharing services like file.io for command-and-control (C2) communication and data exfiltration. This approach helps the attackers blend malicious traffic with normal activity, making detection more difficult. The campaign was first discovered in January 2025 following the detection of a new backdoor called LaxGopher. Further analysis revealed a broader toolkit of malware designed for espionage and long-term persistence.
How?
The exact initial access method remains unknown, but once attackers gain a foothold, they deploy a multi-stage toolset to maintain control and steal data.
The attack begins with an injector called JabGopher, which deploys the LaxGopher backdoor. LaxGopher communicates with attackers via Slack, allowing them to execute system commands and download additional payloads. It also deploys CompactGopher, a tool that searches for sensitive files (such as documents, spreadsheets, and PDFs), compresses and encrypts them, and uploads them to file-sharing services.
Another backdoor, RatGopher, uses Discord as its communication channel to execute commands and transfer files. In parallel, a C++-based backdoor named SSLORDoor enables deeper system control through encrypted communication over port 443.
The attackers also use a loader called FriendDelivery to deploy another backdoor, BoxOfFriends, which leverages Microsoft Outlook via the Microsoft Graph API. It creates draft emails using attacker-controlled accounts to exchange commands and data, effectively hiding malicious activity within normal email traffic.
Recommendation & Conclusion
Organizations, especially government entities, should take proactive measures to defend against such advanced threats:
- Monitor unusual use of legitimate platforms like Slack, Discord, and Outlook for C2 activity
- Inspect outbound traffic to file-sharing services for potential data exfiltration
- Implement endpoint detection to identify abnormal process execution (e.g., cmd.exe misuse)
- Regularly audit systems for unauthorized tools or persistence mechanisms
- Apply strict access controls and network segmentation
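The first two recommendations above can be expressed as a concrete detection rule: flag connections to the abused services (Slack, Discord, Microsoft Graph, file.io) when they originate from a process that is not the service's normal client, or when a browser pushes an unusually large volume to one of them. The Python below is an added example, not code from the advisory or from ESET; it assumes endpoint telemetry that records originating process, destination host and bytes sent, and the allowlist of expected clients and the upload threshold are assumptions to tune per environment.

```python
# Services the advisory names as C2 / exfiltration channels, and the tool that abused each.
WATCHED_DOMAINS = {
    "slack.com": "Slack C2 channel (LaxGopher)",
    "discord.com": "Discord C2 channel (RatGopher)",
    "graph.microsoft.com": "Outlook draft-mail C2 via Graph API (BoxOfFriends)",
    "file.io": "file-sharing exfiltration (CompactGopher)",
}
# Processes normally expected to reach each service. This allowlist is an assumption
# for the example and must be tuned to the estate being monitored.
EXPECTED_CLIENTS = {
    "slack.com": {"slack.exe"},
    "discord.com": {"discord.exe"},
    "graph.microsoft.com": {"outlook.exe", "teams.exe", "onedrive.exe"},
    "file.io": set(),  # no business use expected, so any non-browser access is notable
}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
UPLOAD_THRESHOLD = 1_000_000  # bytes out; a browser sending more than this to a watched host is flagged


def watched_domain(host):
    """Map a hostname (including subdomains such as api.slack.com) to its watched parent domain."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in WATCHED_DOMAINS:
            return candidate
    return None


def find_suspicious(events):
    """Return (process, host, reason) for each event reaching a watched service from an unexpected process."""
    hits = []
    for process, host, bytes_out in events:
        domain = watched_domain(host)
        if domain is None:
            continue
        proc = process.lower()
        benign = proc in EXPECTED_CLIENTS[domain] or (proc in BROWSERS and bytes_out < UPLOAD_THRESHOLD)
        if not benign:
            hits.append((process, host, WATCHED_DOMAINS[domain]))
    return hits


# Constructed sample telemetry (process, destination host, bytes sent), not real logs.
SAMPLE_EVENTS = [
    ("slack.exe", "api.slack.com", 4_096),              # legitimate Slack client
    ("chrome.exe", "discord.com", 12_000),              # ordinary browsing
    ("svchost_update.exe", "api.slack.com", 2_048),     # unknown binary beaconing over Slack
    ("msedge.exe", "file.io", 48_000_000),              # large browser upload to a file-sharing site
    ("winupd.exe", "graph.microsoft.com", 9_000),       # Graph API use from a non-Office process
]
```

Running `find_suspicious(SAMPLE_EVENTS)` returns the three non-benign events; in production the same logic would be fed from EDR or proxy logs and the allowlist widened to cover the organisation's sanctioned clients.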
In conclusion, this campaign highlights a growing trend where advanced threat actors abuse trusted services to evade detection. The use of modular, Go-based malware and legitimate communication channels makes GopherWhisper a serious espionage threat requiring strong behavioral monitoring and layered security defenses.
Source
https://thehackernews.com/2026/04/china-linked-gopherwhisper-infects-12.html
