
Mongolian governmental institution hit by network compromise

Incident
First reported
Last updated
Happening score
H score 9
2 unique sources, 2 articles

Summary

A Mongolian governmental institution was found to have about 12 systems infected by GopherWhisper backdoors, exposing a live government compromise and the potential for wider victim activity. The intrusion was first identified in January 2025 and relied on legitimate services such as Discord and Slack for command-and-control. Telemetry also pointed to dozens of other victims, suggesting the operation extended beyond a single institution.

Related Happenings

UAT-8302 government-targeting campaign across South America and southeastern Europe

Campaign
First: 05.05.2026 17:19 Last: 05.05.2026 17:19 Sources 1

About this happening: The **UAT-8302** campaign has been tied to attacks on **government entities** in **South America** and **southeastern Europe**, showing a multi-region operation with post-exploita...

GopherWhisper China-aligned APT campaign targeting Mongolian government institutions

Campaign
First: 23.04.2026 12:04 Last: 23.04.2026 12:04 Sources 1

How related: Mongolian governmental institutions have emerged as the target of a previously undocumented China-aligned advanced persistent threat (APT) group tracked as GopherWhisper.

About this happening: The **GopherWhisper** campaign is a **China-aligned APT operation** targeting **Mongolian governmental institutions**, and it now appears to extend beyond a single compromise to *...

Dragon Boss Solutions LLC adware malicious update

Malware Activity
First: 16.04.2026 22:07 Last: 16.04.2026 22:07 Sources 1

About this happening: A **March 22, 2025** malicious update turned **Dragon Boss Solutions LLC** adware into an **AV-disabling** payload, exposing nearly **24,000 systems** to follow-on abuse. The upda...

Dragon Boss Solutions signed adware campaign

Campaign
First: 15.04.2026 20:59 Last: 15.04.2026 20:59 Sources 1

About this happening: The **Dragon Boss Solutions** campaign used **signed adware installers** to push **SYSTEM-privileged** payloads that disabled antivirus and blocked reinstalls, creating a broad fo...

Latest development: 16.04.2026 22:07

Dragon Boss Solutions LLC pushed a malicious Advanced Installer update in the early morning hours of March 22, 2025 that disabled ESET, McAfee, Kaspersky, and Malwarebytes detections, established persistence via scheduled tasks, and added Windows Defender exclusions, while Huntress sinkholed the campaign's primary update domain to limit further abuse.

TA416 European government espionage campaign

Campaign
First: 01.04.2026 15:05 Last: 01.04.2026 15:05 Sources 1

About this happening: TA416 has resumed **cyber espionage** activity, targeting **European governments** and **EU/NATO diplomatic missions** with a renewed malware-delivery operation that raises cross-...

Latest development: 03.04.2026 20:34

TA416 expanded its espionage campaign to Middle Eastern government and diplomatic entities after the outbreak of the U.S.-Israel-Iran conflict in late February 2026, while linking to archives hosted on Google Drive or a compromised SharePoint instance to refine its PlugX delivery chain and collect regional intelligence.

Timeline

  1. 23.04.2026 12:04 1 article · 1mo ago

    BoxOfFriends Outlook account setup

    Technical Analysis Update

    BoxOfFriends, a Go-based backdoor that uses the Microsoft Graph API to craft draft emails for command-and-control using hard-coded credentials, had its earliest supporting Outlook account, barrantaya.1010@outlook[.]com, created on July 11, 2024.

  2. 23.04.2026 12:04 2 articles · 1mo ago

    ESET discloses GopherWhisper targeting Mongolian government systems

    Initial Disclosure

    ESET disclosed that GopherWhisper is a China-aligned APT targeting Mongolian governmental institutions, with telemetry showing about 12 infected systems at one institution and Discord and Slack C&C traffic suggesting dozens of other victims. The same analysis tied the campaign to LaxGopher, RatGopher, CompactGopher, SSLORDoor, FriendDelivery, and BoxOfFriends, and said the group was first discovered in January 2025 after LaxGopher appeared on a system belonging to a Mongolian governmental entity.
