A Mongolian government agency has been targeted by a newly identified advanced persistent threat (APT) group, tracked as GopherWhisper and reportedly linked to China. According to a report by the Slovak cybersecurity firm ESET, the attackers use a toolset written mostly in the Go programming language, with injectors and loaders used to deploy several backdoors.
Methods and Tools Employed by GopherWhisper
GopherWhisper abuses legitimate services such as Discord, Slack, Microsoft 365 Outlook, and file.io for command-and-control (C&C) and data exfiltration. The group was first detected in January 2025, after a new backdoor, named LaxGopher, was found on a Mongolian government system. That discovery led to other malware families, mostly Go-based, built to receive commands from C&C servers, execute them, and return the results.
The threat actor uses a file-collection tool to gather and compress files of interest, which are then exfiltrated through the file.io service. A separate C++ backdoor provides remote control over infected hosts. ESET’s telemetry indicates that around 12 Mongolian government systems have been compromised, and C&C traffic suggests many more potential victims.
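The pattern described above, C&C and exfiltration riding on SaaS endpoints that most proxies allow by default, is something a defender can hunt for in outbound web-proxy logs. The following detector is an added example written for this article; it is not code from ESET or from the article, and the log format, host names, thresholds and the "servers should not talk to collaboration tools" policy are constructed assumptions. It flags large uploads to file.io, any traffic to the watched services from hosts where none is expected, and hosts that repeatedly poll one of those services in the window.

```python
"""Hunting for SaaS endpoints abused as C&C or drop points (added example;
log format, hosts and thresholds are constructed assumptions)."""
from collections import defaultdict
from dataclasses import dataclass

# Legitimate services named in the report that can carry C&C or exfiltration.
# Mapping: service name -> domain suffixes the proxy is assumed to record.
WATCHED_SERVICES = {
    "discord": ("discord.com", "discordapp.com"),
    "slack": ("slack.com",),
    "microsoft_graph": ("graph.microsoft.com",),
    "file.io": ("file.io",),
}

# Constructed sample proxy log, one request per line:
# <timestamp> <src_host> <dst_host> <method> <bytes_out> <bytes_in>
SAMPLE_LOG = """\
2025-01-14T01:02:11Z ws-017 www.microsoft.com GET 512 48212
2025-01-14T01:05:40Z ws-017 discord.com POST 1830 402
2025-01-14T01:05:45Z ws-017 discord.com GET 310 1200
2025-01-14T01:06:02Z ws-017 discord.com POST 1910 380
2025-01-14T01:07:19Z ws-017 discord.com GET 305 1188
2025-01-14T01:09:55Z ws-017 file.io POST 18734912 601
2025-01-14T01:10:03Z srv-db-02 graph.microsoft.com GET 720 9210
2025-01-14T01:10:09Z srv-db-02 graph.microsoft.com GET 722 9190
2025-01-14T01:11:30Z ws-031 slack.com POST 640 2100
2025-01-14T01:12:00Z ws-031 www.wikipedia.org GET 400 91000
"""


@dataclass
class Finding:
    host: str
    service: str
    reason: str


def classify_domain(domain: str):
    """Return the watched service a destination belongs to, or None."""
    d = domain.lower()
    for service, suffixes in WATCHED_SERVICES.items():
        for suffix in suffixes:
            if d == suffix or d.endswith("." + suffix):
                return service
    return None


def detect_abused_services(log_text, server_hosts, min_requests=4,
                           exfil_bytes=1_000_000):
    """Scan proxy log lines and return a list of Finding objects.

    server_hosts: hosts (e.g. servers) that are not expected to use
    collaboration tools or cloud APIs at all (assumed policy).
    min_requests: requests to one service that count as repeated polling.
    exfil_bytes: upload size to file.io treated as a possible exfiltration.
    """
    counts = defaultdict(int)  # (host, service) -> request count
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, method, bytes_out, _bytes_in = line.split()
        service = classify_domain(dst)
        if service is None:
            continue
        counts[(host, service)] += 1
        if service == "file.io" and method == "POST" and int(bytes_out) >= exfil_bytes:
            findings.append(Finding(host, service,
                                    f"upload of {bytes_out} bytes to file.io at {ts}"))
        if host in server_hosts and counts[(host, service)] == 1:
            findings.append(Finding(host, service,
                                    "cloud/collaboration traffic from a host where none is expected"))
    for (host, service), n in counts.items():
        if n >= min_requests:
            findings.append(Finding(host, service,
                                    f"{n} requests in the window (possible polling for commands)"))
    return findings


if __name__ == "__main__":
    for f in detect_abused_services(SAMPLE_LOG, server_hosts={"srv-db-02"}):
        print(f"{f.host:10} {f.service:16} {f.reason}")
```

On the sample log this yields three findings: the 18 MB upload from ws-017 to file.io, the database server reaching the Graph API, and ws-017 polling Discord four times in a few minutes. In production the thresholds need a baseline (many users legitimately run Slack or Discord), so the strongest signals are the policy violations and the upload sizes, not the bare presence of the domain.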
Unraveling GopherWhisper’s Intrusion Tactics
Despite the effectiveness of GopherWhisper’s operations, the initial access vector remains unknown. Once inside a network, the attackers deploy multiple tools and implants, including JabGopher, which executes the LaxGopher backdoor, and CompactGopher, which collects and processes files matching specific extensions.
Other tools in the group’s arsenal include RatGopher, a backdoor that uses a private Discord server for communication, and SSLORDoor, a C++ backdoor that uses OpenSSL to encrypt its communications. FriendDelivery acts as a loader and injector for the BoxOfFriends backdoor, which uses the Microsoft Graph API for C&C.
Analysis and Implications of the Cyber Attack
The investigation into GopherWhisper’s activities revealed that communications over Slack and Discord occurred predominantly during China’s working hours, pointing to the group’s likely location. Slack metadata also indicated a locale consistent with China Standard Time, supporting the assessment of a Chinese affiliation.
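The working-hours reasoning above can be made explicit. The script below is an added example, not part of the ESET report or the article: given the UTC timestamps of C&C messages (a constructed set here), it tries each whole-hour UTC offset and reports which one places the largest share of activity inside an assumed 09:00 to 18:00 working day, Monday to Friday. The 09:00 to 18:00 window and the weekday rule are assumptions.

```python
"""Fitting a UTC offset to the working hours of observed C&C activity
(added example; timestamps and the working-day definition are assumptions)."""
from datetime import datetime, timedelta, timezone


def constructed_sample():
    """Constructed C&C message timestamps in UTC.

    Mon 13 to Fri 17 Jan 2025, one message per hour from 01:00 to 09:00 UTC
    (09:00 to 17:00 in UTC+8), plus five messages on Saturday 18 Jan.
    """
    stamps = []
    for day in range(13, 18):
        for hour in range(1, 10):
            stamps.append(datetime(2025, 1, day, hour, 0, tzinfo=timezone.utc))
    for i in range(5):
        stamps.append(datetime(2025, 1, 18, 2, i * 10, tzinfo=timezone.utc))
    return stamps


def working_hours_share(timestamps_utc, offset_hours, start=9, end=18):
    """Fraction of timestamps that fall on a weekday between start and end
    (end exclusive) once shifted to the given UTC offset."""
    if not timestamps_utc:
        return 0.0
    tz = timezone(timedelta(hours=offset_hours))
    inside = 0
    for ts in timestamps_utc:
        local = ts.astimezone(tz)
        if local.weekday() < 5 and start <= local.hour < end:
            inside += 1
    return inside / len(timestamps_utc)


def hourly_histogram(timestamps_utc, offset_hours):
    """Message count per local hour (0..23) at the given offset."""
    tz = timezone(timedelta(hours=offset_hours))
    hist = [0] * 24
    for ts in timestamps_utc:
        hist[ts.astimezone(tz).hour] += 1
    return hist


def rank_offsets(timestamps_utc, candidates=range(-12, 15)):
    """Candidate offsets sorted by working-hours share, best first.
    Ties are broken towards the offset closest to UTC."""
    scores = {off: working_hours_share(timestamps_utc, off) for off in candidates}
    return sorted(scores.items(), key=lambda kv: (-kv[1], abs(kv[0])))


if __name__ == "__main__":
    sample = constructed_sample()
    for off, share in rank_offsets(sample)[:3]:
        print(f"UTC{off:+d}: {share:.0%} of activity inside working hours")
    best = rank_offsets(sample)[0][0]
    print("hourly histogram at best fit:", hourly_histogram(sample, best))
```

On the constructed data UTC+8 scores 90% and the neighbouring offsets 80%, so the fit is sharp but not unique to China Standard Time on its own (UTC+8 is shared by several countries). That is why the report pairs the timing pattern with Slack locale metadata: working-hours analysis narrows the candidates and corroborates other evidence, and an operator who deliberately shifts schedules can blur it.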
The attack underscores the growing sophistication of threats aimed at government entities and the need for sustained defensive measures; understanding the tactics, techniques, and procedures of groups like GopherWhisper is central to defending against them.
APT tradecraft and tooling are expected to keep advancing, which demands continuous adaptation of defences. GopherWhisper’s activity is a reminder of the persistent and evolving nature of these threats.
