
GopherWhisper China-aligned APT campaign targeting Mongolian government institutions

Campaign · Happening score 38 · 2 unique sources, 2 articles

Summary


The GopherWhisper campaign is a China-aligned APT operation targeting Mongolian governmental institutions, and it now appears to extend beyond a single compromise to dozens of other victims. The activity matters because it combines covert remote execution, file theft, and multi-service command-and-control across legitimate platforms. Investigators linked about 12 systems at one government entity to the operation after a new backdoor surfaced in January 2025.

Related Happenings

Webworm multi-country targeting campaign against government and enterprise victims

Campaign
First: 20.05.2026 15:51 Last: 20.05.2026 15:51 Sources 1

About this happening: **Webworm** is running a **multi-country targeting campaign** against **government agencies and enterprises**, expanding the risk of persistent access across several regions. The...

Webworm EchoCreep and GraphWorm backdoor expansion

Malware Activity
First: 20.05.2026 15:51 Last: 20.05.2026 15:51 Sources 1

About this happening: **Webworm** expanded its malware arsenal in **2025** with the custom backdoors **EchoCreep** and **GraphWorm**, increasing its ability to run stealthy **command-and-control** oper...

MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy

Campaign
First: 06.05.2026 16:02 Last: 06.05.2026 16:02 Sources 1

About this happening: The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...

UAT-8302 government-targeting campaign across South America and southeastern Europe

Campaign
First: 05.05.2026 17:19 Last: 05.05.2026 17:19 Sources 1

About this happening: The **UAT-8302** campaign has been tied to attacks on **government entities** in **South America** and **southeastern Europe**, showing a multi-region operation with post-exploita...

APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations

Campaign
First: 28.04.2026 08:50 Last: 28.04.2026 08:50 Sources 1

About this happening: A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...

Timeline

  1. 23.04.2026 12:04 1 article · 1mo ago

    BoxOfFriends Outlook account creation

    Technical Analysis Update

    An Outlook account used for BoxOfFriends command-and-control was created on July 11, 2024, marking an early infrastructure milestone for the Go-based backdoor that uses the Microsoft Graph API to craft draft emails with hard-coded credentials.

  2. 23.04.2026 12:04 2 articles · 1mo ago

    GopherWhisper disclosure and victim scope

    Initial Disclosure

    On 2026-04-23, ESET disclosed GopherWhisper as a China-aligned APT targeting Mongolian governmental institutions. About 12 systems at one institution were infected, while Discord and Slack command-and-control traffic indicated dozens of other victims. The group used LaxGopher, JabGopher, CompactGopher, RatGopher, SSLORDoor, FriendDelivery, and BoxOfFriends, and abused Discord, Slack, Microsoft 365 Outlook, Microsoft Graph API, and file[.]io for command-and-control, exfiltration, and remote execution.
