Full Report
Mongolian governmental institutions have emerged as the target of a previously undocumented China-aligned advanced persistent threat (APT) group tracked as GopherWhisper. "The group wields a wide array of tools mostly written in Go, using injectors and loaders to deploy and execute various backdoors in its arsenal," Slovakian cybersecurity company ESET said in a report shared with The Hacker
Analysis Summary
# Threat Actor: GopherWhisper
## Attribution & Identity
* **Actor Name:** GopherWhisper
* **Attribution:** China-aligned Advanced Persistent Threat (APT) group.
* **Identification Basis:** Attribution rests on operator working hours (roughly 8 a.m. to 5 p.m.) and locale settings in Slack metadata, both consistent with China Standard Time (UTC+8). Both are circumstantial indicators, which is why the group is labelled China-aligned rather than tied to a named operator.
* **Known Associations:** Currently tracked as a previously undocumented, independent cluster first discovered in January 2025.
## Activity Summary
* **Timeline:** Active since at least July 2024 (based on account creation dates); discovered by ESET in January 2025.
* **Campaign:** A targeted operation against Mongolian government infrastructure involving the infection of at least 12 specific systems, with potential for dozens more.
* **Operations:** The group utilizes a suite of Go-based malware to establish long-term persistence and exfiltrate sensitive government data.
## Tactics, Techniques & Procedures
* **Command Execution:** Runs operator commands through `cmd.exe` on compromised hosts.
* **Living-off-Trusted-Services (LoTS):** Abuses legitimate cloud platforms (Discord, Slack, Microsoft 365, file.io) for Command & Control (C2) and data exfiltration.
* **Data Staging & Encryption:** Compresses collected files into ZIP archives and encrypts them with AES-CFB-128 before exfiltration, so the staged archives are high-entropy blobs that content inspection cannot match against document signatures.
* **Loaders/Injection:** Uses dedicated loaders (JabGopher for LaxGopher; FriendDelivery, a DLL) to inject backdoors into memory rather than writing them to disk.
* **C2 via Legitimate APIs:** Uses Microsoft Graph API to communicate via draft emails in Outlook.
**MITRE ATT&CK Mapping (Inferred):**
* **T1059.003:** Command and Scripting Interpreter: Windows Command Shell (`cmd.exe`)
* **T1055:** Process Injection (JabGopher, FriendDelivery loaders)
* **T1005:** Data from Local System (file collection by extension)
* **T1560:** Archive Collected Data (ZIP compression, AES-CFB-128 encryption)
* **T1102.002:** Web Service: Bidirectional Communication (C2 via Discord, Slack)
* **T1071.001:** Application Layer Protocol: Web Protocols (C2 via Microsoft Graph API over HTTPS)
* **T1567.002:** Exfiltration Over Web Service: Exfiltration to Cloud Storage (file.io)
## Targeting
* **Sectors:** Mongolian governmental institutions.
* **Geography:** Mongolia.
* **Victims:** At least 12 confirmed compromised systems within Mongolian government entities; telemetry from the Discord and Slack C2 channels suggests dozens more victims worldwide.
## Tools & Infrastructure
### Malware Families:
* **LaxGopher:** Go-based backdoor using Slack for C2.
* **JabGopher:** Injector for LaxGopher.
* **CompactGopher:** Go-based file collection tool targeting specific extensions (.doc, .pdf, .xls, etc.).
* **RatGopher:** Go-based backdoor using private Discord servers for C2.
* **SSLORDoor:** C++ backdoor that communicates over OpenSSL BIO-based TLS sockets on TCP port 443, the one family in the set that does not rely on a third-party web service.
* **FriendDelivery:** DLL-based loader/injector.
* **BoxOfFriends:** Go-based backdoor using Microsoft Graph API for C2.
### Infrastructure:
* **C2 Services:** Discord, Slack, Microsoft 365 Outlook.
* **Exfiltration:** file[.]io.
* **Suspect Accounts:** barrantaya.1010@outlook[.]com.
## Implications
GopherWhisper illustrates a broader shift toward Go for espionage tooling: Go binaries are statically linked, cross-compile to Windows, Linux and macOS from one code base, and carry a large runtime that dilutes byte-pattern and heuristic signatures tuned for traditional C/C++ malware. The group's heavy reliance on Living-off-Trusted-Services (LoTS) means its C2 and exfiltration traffic is TLS-encrypted and terminates at domains most organizations already allow (Slack, Discord, Microsoft 365, file.io), so destination-based blocking and wire-level signatures fail and detection has to come from process attribution and behaviour. The focus on Mongolian government targets suggests a strategic interest in regional geopolitics aligned with Chinese state interests.
## Mitigations
* **Cloud Service Monitoring:** Monitor for use of Slack, Discord and file-sharing services (file.io) from processes that are not browsers or the sanctioned desktop clients; on government networks where these services are not used at all, alert on any connection.
* **API Security:** Monitor for unusual Microsoft Graph API calls, particularly mailbox and Drafts-folder operations originating from processes other than Outlook or a browser, and cross-check against Microsoft 365 mailbox audit logs.
* **Endpoint Detection:** Deploy EDR capable of detecting memory injection and of flagging `cmd.exe` spawned by processes that do not normally launch a shell.
* **Egress Filtering:** Restrict internal systems from reaching common file-sharing sites unless explicitly required for business operations.
* **Collection Alerts:** Monitor for bursts of reads across common document formats (.doc/.docx, .pdf, .xls/.xlsx) by a single process, followed by creation of archive or high-entropy files.
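The Cloud Service Monitoring and API Security items above, and the LoTS and Graph API TTPs they respond to, come down to one question: which process opened a connection to which trusted service, and to which endpoint? The following is an added example, not code from ESET's report or from GopherWhisper's tooling. It runs a simple process-aware classifier over constructed connection records of the kind EDR network telemetry or a TLS-inspecting proxy with process attribution would produce. The record format, the browser and official-client allowlists, the Graph endpoint pattern and the sample lines are all assumptions.

```python
"""
Process-aware detection of Living-off-Trusted-Services (LoTS) egress.

Each record pairs the initiating process with the destination host and URL
path. Two checks:
  * Discord/Slack/file.io reached by a process that is neither a browser nor
    the service's official desktop client;
  * Microsoft Graph mailbox/Drafts endpoints called by anything other than
    Outlook or a browser.
Record format, allowlists and sample lines are assumptions (constructed).
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Destinations the report names as C2 or exfiltration channels.
LOTS_HOSTS = {
    "discord.com", "gateway.discord.gg", "cdn.discordapp.com",
    "slack.com", "hooks.slack.com", "files.slack.com",
    "file.io",
    "graph.microsoft.com",
}

# Assumed allowlist: processes for which these destinations are routine.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
OFFICIAL_CLIENTS = {
    "discord.com": {"discord.exe"},
    "gateway.discord.gg": {"discord.exe"},
    "cdn.discordapp.com": {"discord.exe"},
    "slack.com": {"slack.exe"},
    "hooks.slack.com": set(),   # incoming webhooks: no desktop client calls these
    "files.slack.com": {"slack.exe"},
    "file.io": set(),           # no sanctioned client at all
}
GRAPH_MAIL_CLIENTS = BROWSERS | {"outlook.exe"}

# Graph paths that read or create mailbox items, including the Drafts folder.
GRAPH_MAIL_RE = re.compile(
    r"^/(v1\.0|beta)/(me|users/[^/]+)/(messages|mailFolders/[^/]+/messages)(/|$|\?)"
)


@dataclass
class Record:
    ts: str
    host: str      # monitored endpoint
    process: str   # image name of the process that opened the connection
    method: str
    dest: str      # destination hostname (SNI / Host header)
    path: str      # URL path and query


def parse_record(line: str) -> Optional[Record]:
    """Parse one whitespace-separated record; None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    return Record(*parts)


def classify(rec: Record) -> Optional[str]:
    """Return an alert reason for a suspicious record, or None if routine."""
    dest, proc = rec.dest.lower(), rec.process.lower()
    if dest not in LOTS_HOSTS:
        return None
    if dest == "graph.microsoft.com":
        # Graph is noisy (Teams, OneDrive, ...); only mailbox access from an
        # unexpected process is interesting.
        if GRAPH_MAIL_RE.match(rec.path) and proc not in GRAPH_MAIL_CLIENTS:
            return f"graph-mail-api {rec.method} {rec.path} from {rec.process}"
        return None
    if proc in BROWSERS or proc in OFFICIAL_CLIENTS.get(dest, set()):
        return None
    return f"lots-egress to {dest} from {rec.process}"


def scan(lines: Iterable[str]) -> List[str]:
    """Run classify() over raw log lines and return formatted alerts."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            alerts.append(f"{rec.ts} {rec.host} {reason}")
    return alerts


# Constructed sample telemetry (not real victim data).
SAMPLE_LOG = [
    "2025-01-14T09:12:03Z WS-042 chrome.exe GET slack.com /api/conversations.history",
    "2025-01-14T09:12:09Z WS-042 update.exe POST slack.com /api/chat.postMessage",
    "2025-01-14T09:14:51Z WS-042 update.exe POST file.io /",
    "2025-01-14T09:15:02Z WS-017 outlook.exe POST graph.microsoft.com /v1.0/me/messages",
    "2025-01-14T09:15:30Z WS-017 svchost.exe POST graph.microsoft.com /v1.0/me/mailFolders/drafts/messages",
    "2025-01-14T09:16:00Z WS-017 teams.exe GET graph.microsoft.com /v1.0/me/presence",
    "2025-01-14T09:17:00Z WS-017 discord.exe GET gateway.discord.gg /?v=10&encoding=json",
    "2025-01-14T09:17:30Z WS-099 winword.exe GET discord.com /api/v10/channels/1234/messages",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

On the sample data this raises four alerts (the Slack and file.io connections from `update.exe`, the Drafts-folder write from `svchost.exe`, and the Discord channel read from `winword.exe`) and stays silent on the browser, Outlook, Teams and Discord-client traffic. The design choice is that the destination alone is never the signal; a plain proxy log without process attribution cannot implement this, and TLS means the destination is only known from SNI or a Host header at an inspecting proxy, which is why the mitigations above lean on EDR telemetry.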