China-Linked GopherWhisper Infects 12 Mongolian Government Systems with Go Backdoors

Mongolian government agencies have been targeted by a previously undocumented China-aligned advanced persistent threat (APT) group that has been dubbed GopherWhisper.
“The group owns a number of tools written in Go, using injectors and loaders to install and use various departments in their environment,” Slovakian cybersecurity firm ESET said in a report shared with The Hacker News. “GopherWhisper abuses legitimate services, especially Discord, Slack, Microsoft 365 Outlook, and file.io, for command-and-control (C&C) and exfiltration.”
The group was first identified in January 2025, after a previously unknown backdoor called LaxGopher was found on a Mongolian government system. The threat actor’s toolset also includes several other malware families, most of them written in Go, that receive commands from the C&C server, execute them, and send the results back.
The actor also uses a file collection tool that gathers files of interest, packs them into a compressed archive, and exfiltrates the archive through the file[.]io file-sharing service, as well as a C++ backdoor that provides remote control over compromised hosts.
ESET telemetry shows that around 12 systems associated with a Mongolian government agency were backdoored, and C&C traffic on the attacker-controlled Discord and Slack servers points to dozens of other victims.

How GopherWhisper first gains access to target networks is currently unknown. Once a foothold is established, the intrusion proceeds with the deployment of various tools and implants:
- JabGopher, an injector that runs LaxGopher (“whisper.dll”) in the background.
- LaxGopher, a Go-based backdoor that uses Slack as its C2: it receives commands from a Slack channel, executes them via “cmd.exe,” posts the results back to the channel, and can download additional malware.
- CompactGopher, a Go-based file collection utility launched by LaxGopher. It selects files of interest by extension (.doc, .docx, .jpg, .xls, .xlsx, .txt, .pdf, .ppt, and .pptx), compresses them into ZIP archives, encrypts the archives with AES in CFB mode, and exfiltrates them via file[.]io.
- RatGopher, a Go-based backdoor that uses a private Discord server as its C2: it receives commands from a Discord channel, executes them, posts the results back to a designated channel, and uploads and downloads files through file[.]io.
- SSLDoor, a C++ backdoor that uses OpenSSL BIO to communicate over raw sockets on port 443. It can enumerate drives, perform file operations, and run commands received from the C&C via “cmd.exe.”
- FriendDelivery, a malicious DLL that acts as a loader and injector for BoxOfFriends.
- BoxOfFriends, a Go-based backdoor that uses the Microsoft Graph API with hard-coded credentials to exchange C2 messages as Outlook draft emails. The first Outlook account created for this purpose (“barrantaya.1010@outlook[.]com”) was registered on July 11, 2024.
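The CompactGopher stage above (extension filter, ZIP, AES-CFB, exfiltration) is the one an analyst most often has to reverse on disk, because the uploaded blob no longer carries the ZIP signature. The following is an added illustration written for this article, not ESET's code and not the malware's: it builds the same pipeline on in-memory sample files (constructed here) and then shows the analyst side, decrypting a recovered blob with a key pulled from the sample and checking for the "PK\x03\x04" magic before parsing the archive. The 16-byte key (AES-128) and the IV being prepended to the ciphertext are assumptions; the article only states AES-CFB.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"sort"
	"strings"
)

// Extensions the article lists for CompactGopher's filter.
var wantedExts = map[string]bool{
	".doc": true, ".docx": true, ".jpg": true, ".xls": true, ".xlsx": true,
	".txt": true, ".pdf": true, ".ppt": true, ".pptx": true,
}

// collect keeps only files whose extension is on the filter list (case-insensitive).
func collect(files map[string][]byte) map[string][]byte {
	out := map[string][]byte{}
	for name, data := range files {
		if wantedExts[strings.ToLower(filepath.Ext(name))] {
			out[name] = data
		}
	}
	return out
}

// buildZip packs the selected files into an in-memory ZIP archive.
func buildZip(files map[string][]byte) ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, data := range files {
		w, err := zw.Create(name)
		if err != nil {
			return nil, err
		}
		if _, err := w.Write(data); err != nil {
			return nil, err
		}
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// encryptCFB encrypts with AES-CFB. Layout IV||ciphertext is an ASSUMPTION for this example.
func encryptCFB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	iv := out[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	cipher.NewCFBEncrypter(block, iv).XORKeyStream(out[aes.BlockSize:], plaintext)
	return out, nil
}

// decryptCFB is the analyst side: reverse encryptCFB with a key recovered from the sample.
func decryptCFB(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < aes.BlockSize {
		return nil, errors.New("ciphertext shorter than one block")
	}
	iv, ct := data[:aes.BlockSize], data[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCFBDecrypter(block, iv).XORKeyStream(pt, ct)
	return pt, nil
}

// isZip checks for the ZIP local-file-header magic; the encrypted blob will not have it.
func isZip(b []byte) bool { return bytes.HasPrefix(b, []byte("PK\x03\x04")) }

// listZip returns the sorted file names inside a decrypted archive.
func listZip(b []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(b), int64(len(b)))
	if err != nil {
		return nil, err
	}
	names := make([]string, 0, len(zr.File))
	for _, f := range zr.File {
		names = append(names, f.Name)
	}
	sort.Strings(names)
	return names, nil
}

func main() {
	// Constructed sample "victim" files; only the first two match the filter.
	files := map[string][]byte{"budget.xlsx": []byte("x"), "memo.docx": []byte("y"), "tool.exe": []byte("z")}
	key := []byte("0123456789abcdef") // hypothetical 16-byte key, as if recovered from the binary
	z, _ := buildZip(collect(files))
	ct, _ := encryptCFB(key, z)
	pt, _ := decryptCFB(key, ct)
	names, _ := listZip(pt)
	fmt.Println("blob has ZIP magic:", isZip(ct), "| decrypted has ZIP magic:", isZip(pt), "| files:", names)
}
```

The practical point for triage: a file[.]io upload of a few kilobytes with high entropy and no "PK" header is consistent with this stage, and the archive only becomes parseable after the key and IV layout are recovered from the sample itself.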
“An examination of the timestamps of the Slack and Discord messages showed us that the majority of them were sent during business hours, that is, between 8 am and 5 pm, which corresponds to China Standard Time,” said ESET researcher Eric Howard. “Furthermore, the default user location in Slack’s metadata is also set to this time zone. So we believe GopherWhisper is a China-aligned group.”
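The attribution step in the quote above is a working-hours fit over message timestamps. The following is an added example written for this article, not ESET's analysis code: it parses Slack-style `ts` values (seconds.microseconds since the epoch), then tries every whole-hour UTC offset and picks the one under which the most messages fall on a weekday between 08:00 and 17:00. The message set is constructed so that the operator's day lines up with UTC+8; the weekday filter is an extension of the article's description, which mentions only the hours.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// parseSlackTS parses a Slack message "ts" field such as "1736755200.000100" (seconds.microseconds).
func parseSlackTS(s string) (time.Time, error) {
	sec, frac, _ := strings.Cut(s, ".")
	secs, err := strconv.ParseInt(sec, 10, 64)
	if err != nil {
		return time.Time{}, err
	}
	var nsec int64
	if frac != "" {
		for len(frac) < 9 { // pad fractional part to nanoseconds
			frac += "0"
		}
		if nsec, err = strconv.ParseInt(frac[:9], 10, 64); err != nil {
			return time.Time{}, err
		}
	}
	return time.Unix(secs, nsec).UTC(), nil
}

// inferOffset tries every whole-hour UTC offset from -12 to +14 and returns the offset
// under which the most messages land on Mon-Fri between 08:00 and 16:59 local time,
// together with that count. Ties resolve to the lowest offset.
func inferOffset(ts []time.Time) (offset int, fit int) {
	fit = -1
	for off := -12; off <= 14; off++ {
		loc := time.FixedZone("", off*3600)
		score := 0
		for _, t := range ts {
			lt := t.In(loc)
			if wd := lt.Weekday(); wd == time.Saturday || wd == time.Sunday {
				continue
			}
			if h := lt.Hour(); h >= 8 && h < 17 {
				score++
			}
		}
		if score > fit {
			offset, fit = off, score
		}
	}
	return offset, fit
}

// sampleMessages builds a constructed C2 message history: Mon 13 Jan to Fri 17 Jan 2025,
// one message per hour from 00:15 to 08:15 UTC (08:15 to 16:15 at UTC+8), plus three
// out-of-hours messages as noise.
func sampleMessages() []time.Time {
	var ts []time.Time
	for day := 13; day <= 17; day++ {
		for h := 0; h <= 8; h++ {
			ts = append(ts, time.Date(2025, time.January, day, h, 15, 0, 0, time.UTC))
		}
	}
	ts = append(ts,
		time.Date(2025, time.January, 13, 14, 0, 0, 0, time.UTC),  // 22:00 at UTC+8
		time.Date(2025, time.January, 13, 14, 30, 0, 0, time.UTC), // 22:30 at UTC+8
		time.Date(2025, time.January, 18, 2, 0, 0, 0, time.UTC))   // Saturday
	return ts
}

func main() {
	msgs := sampleMessages()
	off, fit := inferOffset(msgs)
	fmt.Printf("%d messages, best fit UTC%+d with %d in business hours\n", len(msgs), off, fit)
}
```

Because the 08:00 to 17:00 window is nine hours wide, neighbouring offsets score nearly as well; the fit is only decisive when the history contains messages at both ends of the working day, which is why the sample includes the 08:15 and 16:15 local hours. A single offset also cannot separate China Standard Time from other UTC+8 zones, which is why the quote leans on Slack's user-location metadata as a second signal.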
