China-Linked GopherWhisper Infects 12 Mongolian Government Systems with Go Backdoors

China-Linked GopherWhisper Infects 12 Mongolian Government Systems with Go Backdoors

A previously undocumented China-aligned advanced persistent threat group dubbed GopherWhisper has been discovered targeting Mongolian governmental institutions. The group was first identified in January 2025 following the discovery of a novel backdoor named LaxGopher on a system belonging to a Mongolian governmental entity. According to Slovakian cybersecurity company ESET, GopherWhisper has been active since at least November 2023 and has compromised approximately 12 systems associated with the Mongolian government institution.

GopherWhisper employs a diverse arsenal of Go-based and C++ tools, using injectors and loaders to deploy various backdoors. The group’s malware includes JabGopher (an injector for LaxGopher), LaxGopher (a Go-based backdoor using Slack for command and control), CompactGopher (a file collection utility that compresses and encrypts stolen documents), RatGopher (a Go-based backdoor using Discord for command and control), SSLORDoor (a C++ backdoor using raw sockets), and BoxOfFriends (a backdoor using Microsoft Graph API and Outlook draft emails for command and control). The group abuses legitimate services including Discord, Slack, Microsoft 365 Outlook, and file.io for command-and-control communication and data exfiltration, making detection more difficult.

ESET researchers attributed GopherWhisper to a China-aligned group based on multiple indicators. Timestamp inspection of Slack and Discord messages showed the bulk of communications were sent during working hours between 8 AM and 5 PM, which aligns with China Standard Time. Additionally, the locale for the configured user in Slack metadata was set to this time zone. The group’s targeting of Mongolian governmental institutions also aligns with China’s geopolitical interests in the region. The exact initial access vector remains unknown, but the group demonstrates sophisticated operational security by blending malicious traffic with legitimate cloud services.

This discovery highlights the ongoing threat posed by state-aligned actors targeting governmental institutions in strategically important regions. GopherWhisper’s abuse of legitimate services like Discord, Slack, and Outlook for command and control demonstrates how threat actors are adapting to evade traditional network defences. The use of Go-based malware, which is easily cross-compiled and difficult to analyse, represents an increasingly popular trend among advanced threat actors. For defenders, this case underscores the importance of monitoring traffic to legitimate cloud services for anomalous patterns and maintaining robust endpoint detection capabilities.

Click here for the original article.