Ethical Hacking News
New China-linked APT Group, GopherWhisper, Targets Mongolian Government Institutions with Go-based Malware
ESET researchers have identified a new China-aligned Advanced Persistent Threat (APT) group, tracked as GopherWhisper, that has been targeting government institutions in Mongolia with Go-based malware, loaders, and backdoors. The group's arsenal consists mainly of tools written in Go, which are used to deploy multiple backdoors, letting the attackers maintain access to and control over compromised systems and communicate with command-and-control (C&C) services. GopherWhisper abuses legitimate platforms such as Discord, Slack, Outlook, and file.io for C&C and data exfiltration, and ESET has identified dozens more potential victims.
ESET researchers first discovered GopherWhisper in January 2025, after finding the LaxGopher backdoor on a Mongolian government system. Further analysis revealed that GopherWhisper uses legitimate platforms such as Discord, Slack, Outlook, and file.io for command-and-control and data exfiltration. Through these same services, researchers were able to access many C&C (Command and Control) messages, revealing the group's activity.
The tools used by the APT group include a range of malware and backdoors, each with its own specific function. JabGopher injects LaxGopher into svchost.exe, while LaxGopher communicates via Slack, runs commands, and downloads payloads like CompactGopher, which compresses and exfiltrates files. RatGopher uses Discord for command execution, and SSLORDoor handles file operations over encrypted sockets. Additional tools include FriendDelivery, a loader, and BoxOfFriends, which uses Microsoft 365 Outlook APIs for covert command-and-control communication.
Using legitimate platforms lets the group blend its traffic in with ordinary business use of services such as Slack and Discord, both for C&C communication and for data exfiltration. That same reliance on third-party services is what gave researchers insight into the group's inner workings and post-compromise activities.
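The detection angle that follows from the two paragraphs above is that C&C over Slack, Discord, Outlook APIs and file.io looks like ordinary SaaS traffic at the network edge, but the *process* making the connection is often wrong for the destination (the article notes JabGopher injects LaxGopher into svchost.exe). The script below is an added example written for this article, not ESET's code or anything from the GopherWhisper toolset: it runs over a constructed endpoint-proxy log, flags processes outside an assumed allow-list that reach those platforms, and marks large outbound volumes as possible exfiltration. The log format, the platform hostnames, the allow-list and the 5 MiB threshold are all assumptions to be tuned against real telemetry.

```python
"""Added detection example (not ESET's or the article's code): flag processes
that talk to the platforms the article names as GopherWhisper C&C channels
(Slack, Discord, Outlook via Microsoft 365 APIs, file.io) when the process is
not one that normally uses them. Log format, hostnames, process allow-list and
the upload threshold are assumptions for illustration."""
import re

# Assumed API/CDN hostnames for each platform; adjust to what your proxy logs actually show.
SUSPECT_PLATFORMS = {
    "slack": ("slack.com",),
    "discord": ("discord.com", "discordapp.com"),
    "outlook": ("graph.microsoft.com", "outlook.office.com", "outlook.office365.com"),
    "file.io": ("file.io",),
}

# Assumed baseline of processes that legitimately reach these platforms; build yours from real telemetry.
EXPECTED_CLIENTS = {
    "slack.exe", "discord.exe", "outlook.exe", "teams.exe",
    "chrome.exe", "msedge.exe", "firefox.exe",
}

# Outbound totals at or above this many bytes get a "large_upload" marker (possible exfiltration).
LARGE_UPLOAD_BYTES = 5 * 1024 * 1024

# Constructed key=value endpoint-proxy log format, not a real vendor format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) pid=(?P<pid>\d+) "
    r"dst=(?P<dst>\S+) bytes_out=(?P<bytes_out>\d+)$"
)

# Constructed sample log lines; hostnames, PIDs and byte counts are invented.
SAMPLE_LOG = """\
2026-04-20T09:12:01Z host=GOV-WS-07 proc=svchost.exe pid=1188 dst=slack.com:443 bytes_out=1420
2026-04-20T09:12:44Z host=GOV-WS-07 proc=svchost.exe pid=1188 dst=files.slack.com:443 bytes_out=52310880
2026-04-20T09:13:10Z host=GOV-WS-07 proc=chrome.exe pid=4410 dst=discord.com:443 bytes_out=2200
2026-04-20T09:15:02Z host=GOV-WS-12 proc=update.exe pid=3021 dst=discord.com:443 bytes_out=880
2026-04-20T09:16:30Z host=GOV-WS-12 proc=update.exe pid=3021 dst=file.io:443 bytes_out=10485760
2026-04-20T09:17:00Z host=GOV-WS-03 proc=outlook.exe pid=2210 dst=outlook.office.com:443 bytes_out=3100
2026-04-20T09:18:00Z host=GOV-WS-03 proc=svchost.exe pid=900 dst=login.microsoftonline.com:443 bytes_out=640
"""


def platform_for(dst: str):
    """Return the platform name if dst (host[:port]) belongs to a watched platform, else None."""
    host = dst.lower().rsplit(":", 1)[0]
    for name, suffixes in SUSPECT_PLATFORMS.items():
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return name
    return None


def parse_line(line: str):
    """Parse one log line into a dict of fields, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text: str):
    """Aggregate per (host, process, platform) and return findings for unexpected clients."""
    totals = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        platform = platform_for(rec["dst"])
        if platform is None or rec["proc"].lower() in EXPECTED_CLIENTS:
            continue  # not a watched platform, or a client expected to use it
        key = (rec["host"], rec["proc"], platform)
        agg = totals.setdefault(key, {"connections": 0, "bytes_out": 0})
        agg["connections"] += 1
        agg["bytes_out"] += int(rec["bytes_out"])

    findings = []
    for (host, proc, platform), agg in sorted(totals.items()):
        findings.append({
            "host": host,
            "proc": proc,
            "platform": platform,
            "connections": agg["connections"],
            "bytes_out": agg["bytes_out"],
            "large_upload": agg["bytes_out"] >= LARGE_UPLOAD_BYTES,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        marker = " LARGE UPLOAD" if f["large_upload"] else ""
        print(f'{f["host"]} {f["proc"]} -> {f["platform"]}: '
              f'{f["connections"]} conn, {f["bytes_out"]} bytes out{marker}')
```

On the sample data this yields three findings (svchost.exe to Slack with a large upload, and an unknown update.exe to Discord and to file.io) while leaving chrome.exe and outlook.exe alone, and it does not flag svchost.exe talking to login.microsoftonline.com, which a Windows service host does routinely. The point of the allow-list is that the platforms themselves are legitimate, so destination blocking is rarely an option; the process-to-destination pairing and the outbound byte volume are the signals worth alerting on.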
Tracking GopherWhisper as a distinct group reflects the sophistication and complexity of its operation: the development of custom tools and loaders to deploy multiple backdoors points to a structured and evolving cyber-espionage operation.
ESET researchers believe that dozens more victims may exist based on Slack and Discord C&C traffic, with an estimated 12 infected systems within a Mongolian government entity identified so far. This highlights the scope of the threat posed by GopherWhisper and emphasizes the importance of continued monitoring and detection efforts to mitigate the impact of this APT group.
The discovery of GopherWhisper is also significant because of its alignment with China-linked APT groups, which are known to target government institutions in many countries. Its use of Go-based malware and custom tooling adds a further capability to that cluster of threat actors.
In conclusion, the discovery of GopherWhisper highlights the importance of continued vigilance in the face of evolving APT groups. By understanding the tactics, techniques, and procedures (TTPs) used by these groups, researchers and security professionals can better equip themselves to detect and mitigate threats such as those posed by GopherWhisper.
The use of legitimate platforms and custom tools by this APT group serves as a reminder that even seemingly innocuous services can be exploited for malicious purposes. As the threat landscape continues to evolve, it is essential that organizations remain vigilant and take proactive measures to protect themselves against these types of threats.
The impact of GopherWhisper on the security community cannot be overstated. The discovery of this APT group highlights the importance of continued collaboration and information-sharing between researchers and security professionals. By pooling our collective expertise and resources, we can stay ahead of emerging threats like GopherWhisper and protect against the devastating consequences of cyber-attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/GopherWhisper-Uncovering-the-China-linked-APT-Group-Targeting-Mongolia-with-Sophisticated-Malware-ehn.shtml
Published: Sun Apr 26 10:46:05 2026 by llama3.2 3B Q4_K_M