GopherWhisper APT compromises Mongolian government systems with Go-based backdoors via Discord, Slack, and Office 365
Summary
A previously undocumented China-aligned APT group named GopherWhisper has compromised at least 12 systems across Mongolian governmental institutions using a suite of Go-based backdoors and loaders. The threat actor abuses legitimate services—Discord, Slack, Microsoft 365 Outlook, and file.io—for command-and-control (C2) communications and data exfiltration. Initial access vectors remain undisclosed, but post-compromise activity includes lateral movement, data collection, and persistent remote access. Operational activity aligns with China Standard Time, with C2 traffic primarily occurring during standard working hours, suggesting human operator involvement.
Timeline
- 23.04.2026 12:04 (1 article)
GopherWhisper APT compromises 12 Mongolian government systems with Go-based backdoors via cloud services
ESET identifies a China-aligned APT group, GopherWhisper, compromising at least 12 systems across Mongolian governmental institutions starting January 2025. The threat actor deploys a suite of Go-based backdoors (e.g., LaxGopher, RatGopher, CompactGopher) and a C++ backdoor (SSLORDoor) for persistent access, lateral movement, and data exfiltration. Abuse of legitimate services—Discord, Slack, Microsoft 365 Outlook, and file.io—facilitates C2 and exfiltration. BoxOfFriends uses Outlook’s Microsoft Graph API with hard-coded credentials for C2, while CompactGopher gathers and exfiltrates files encrypted with AES-CFB-128. Telemetry indicates dozens of additional potential victims, with C2 activity aligning with China Standard Time working hours.
- China-Linked GopherWhisper Infects 12 Mongolian Government Systems with Go Backdoors — thehackernews.com — 23.04.2026 12:04
Information Snippets
- GopherWhisper is a newly identified APT group aligned with China, first observed in January 2025 targeting Mongolian government systems.
  First reported: 23.04.2026 12:04 (1 source, 1 article)
  - China-Linked GopherWhisper Infects 12 Mongolian Government Systems with Go Backdoors — thehackernews.com — 23.04.2026 12:04
- At least 12 Mongolian governmental systems were confirmed compromised by ESET telemetry, with dozens more potential victims indicated by C2 traffic.
  First reported: 23.04.2026 12:04 (1 source, 1 article)
  - China-Linked GopherWhisper Infects 12 Mongolian Government Systems with Go Backdoors — thehackernews.com — 23.04.2026 12:04
- The group's toolset includes multiple Go-based backdoors (LaxGopher, RatGopher, CompactGopher, BoxOfFriends) and a C++ backdoor (SSLORDoor).
  First reported: 23.04.2026 12:04 (1 source, 1 article)
  - China-Linked GopherWhisper Infects 12 Mongolian Government Systems with Go Backdoors — thehackernews.com — 23.04.2026 12:04
- Legitimate services abused for C2 and exfiltration include Discord, Slack, Microsoft 365 Outlook (via the Microsoft Graph API), and file.io.
  First reported: 23.04.2026 12:04 (1 source, 1 article)
  - China-Linked GopherWhisper Infects 12 Mongolian Government Systems with Go Backdoors — thehackernews.com — 23.04.2026 12:04
- The LaxGopher backdoor uses Slack for C2: it receives commands from a Slack channel, executes them via cmd.exe, and posts the output back to the channel.
  First reported: 23.04.2026 12:04 (1 source, 1 article)
  - China-Linked GopherWhisper Infects 12 Mongolian Government Systems with Go Backdoors — thehackernews.com — 23.04.2026 12:04
- CompactGopher collects files by extension (e.g., .doc, .xlsx, .pdf), compresses them, encrypts the result with AES-CFB-128 (AES is a cipher, not a compression scheme), and exfiltrates the encrypted archive to file.io.
  First reported: 23.04.2026 12:04 (1 source, 1 article)
  - China-Linked GopherWhisper Infects 12 Mongolian Government Systems with Go Backdoors — thehackernews.com — 23.04.2026 12:04
- BoxOfFriends uses the Microsoft Graph API to create Outlook draft emails as its C2 channel, authenticating with hard-coded credentials for an attacker-controlled account created on July 11, 2024 ([email protected]).
  First reported: 23.04.2026 12:04 (1 source, 1 article)
  - China-Linked GopherWhisper Infects 12 Mongolian Government Systems with Go Backdoors — thehackernews.com — 23.04.2026 12:04
- SSLORDoor is a C++ backdoor that talks to its C2 over a direct socket connection on TCP port 443 using OpenSSL's BIO abstraction (not HTTP, so the traffic blends in only at the port level), and supports drive enumeration, file operations, and command execution.
  First reported: 23.04.2026 12:04 (1 source, 1 article)
  - China-Linked GopherWhisper Infects 12 Mongolian Government Systems with Go Backdoors — thehackernews.com — 23.04.2026 12:04
- C2 activity timestamps cluster within China Standard Time working hours (8 a.m.–5 p.m. CST), and Slack metadata shows the operator's locale configured accordingly.
  First reported: 23.04.2026 12:04 (1 source, 1 article)
  - China-Linked GopherWhisper Infects 12 Mongolian Government Systems with Go Backdoors — thehackernews.com — 23.04.2026 12:04
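The two snippets above on abused legitimate services and on CST working-hours clustering describe analysis a defender can reproduce over their own proxy logs. The following is an added hunting example, not code from ESET or from the reporting article: it groups outbound connections per source host, keeps only those to the services the report names (Discord, Slack, Microsoft Graph, file.io), converts the timestamps to UTC+8, and reports how strongly each host's activity sits inside the 08:00-17:00 CST window together with the bytes it pushed to file.io. The log format, the sample lines, the hostnames mapped to each service and the flagging thresholds are all assumptions made for the example.

```python
"""Hunt for GopherWhisper-style C2 over legitimate services in proxy logs.

Added example (not ESET's or the article's code). Log format assumed:
    <ISO-8601 UTC timestamp> <source host> <destination host> <bytes out>
Sample lines below are constructed for the example.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Services the report names as abused. Which family used which is from the
# report; the hostnames are assumptions about where such traffic would go.
ABUSED_SERVICES = {
    "discord.com": "Discord (C2)",
    "slack.com": "Slack (LaxGopher C2)",
    "graph.microsoft.com": "Microsoft Graph / Outlook drafts (BoxOfFriends C2)",
    "file.io": "file.io (CompactGopher exfiltration)",
}

CST = timezone(timedelta(hours=8))   # China Standard Time: fixed UTC+8, no DST
WORK_START, WORK_END = 8, 17         # 08:00-17:00 CST window from the report

# Constructed sample log: ws-fin-07 shows the pattern, ws-hr-02 a single Graph
# call (too few events to flag), ws-dev-01 nothing of interest, plus one
# malformed record to exercise the parser's error path.
SAMPLE_LOG = """\
2025-03-03T01:15:02Z ws-fin-07 hooks.slack.com 812
2025-03-03T01:45:11Z ws-fin-07 slack.com 640
2025-03-03T03:10:44Z ws-fin-07 slack.com 733
2025-03-03T06:02:19Z ws-fin-07 file.io 5242880
2025-03-03T08:40:00Z ws-fin-07 slack.com 590
2025-03-03T22:30:05Z ws-hr-02 www.example.org 1200
2025-03-04T02:00:00Z ws-hr-02 graph.microsoft.com 900
2025-03-03T09:00:00Z ws-dev-01 example.com 3000
malformed line here
"""


def parse_line(line):
    """Parse one log record into a dict; return None for malformed input."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    ts, src, dst, out = parts
    try:
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except ValueError:
        return None
    return {"ts": when, "src": src, "dst": dst.lower(), "bytes_out": int(out)}


def matched_service(dst):
    """Label for an abused service if dst is that domain or a subdomain of it."""
    for domain, label in ABUSED_SERVICES.items():
        if dst == domain or dst.endswith("." + domain):
            return label
    return None


def cst_hour(ts):
    """Hour of day (0-23) of an aware timestamp expressed in CST."""
    return ts.astimezone(CST).hour


def hunt(lines, min_events=3, work_hours_ratio=0.8):
    """Per-host summary of traffic to abused services; thresholds are assumed."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed records instead of aborting the hunt
        label = matched_service(ev["dst"])
        if label:
            per_host[ev["src"]].append((ev, label))

    results = {}
    for src, events in per_host.items():
        hours = [cst_hour(ev["ts"]) for ev, _ in events]
        in_work = sum(WORK_START <= h < WORK_END for h in hours)
        ratio = in_work / len(hours)
        exfil = sum(ev["bytes_out"] for ev, lbl in events if lbl.startswith("file.io"))
        results[src] = {
            "events": len(events),
            "services": Counter(lbl for _, lbl in events),
            "work_hours_ratio": round(ratio, 2),
            "exfil_bytes": exfil,
            "flagged": len(events) >= min_events and ratio >= work_hours_ratio,
        }
    return results


if __name__ == "__main__":
    for host, stats in hunt(SAMPLE_LOG.splitlines()).items():
        mark = "FLAG" if stats["flagged"] else "info"
        print(f"[{mark}] {host}: {stats['events']} events, "
              f"{stats['work_hours_ratio']:.0%} in CST work hours, "
              f"{stats['exfil_bytes']} bytes to file.io, {dict(stats['services'])}")
```

One caveat when applying this to Mongolian victims: Ulaanbaatar is also UTC+8, so working-hours clustering on its own does not separate operator activity from legitimate local use; the report pairs it with Slack locale metadata, and in proxy data the stronger signals are the unusual destinations themselves and the upload volume to file.io.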