China-Linked GopherWhisper Compromises 12 Mongolian Government Systems Using Go-Based Backdoors

A newly identified advanced persistent threat group, tracked as GopherWhisper, has been linked to a cyber espionage campaign targeting government systems in Mongolia. Security researchers have uncovered a sophisticated toolkit used to infiltrate networks and maintain long-term access.

Targeted Government Systems Compromised

According to findings by ESET, at least 12 systems within Mongolian government infrastructure were successfully compromised. Evidence suggests that the campaign may extend further, with additional victims identified through suspicious activity linked to attacker-controlled communication channels.


Discovery of a New Backdoor

The threat group came to light in early 2025 after researchers detected a previously unknown backdoor named LaxGopher. Analysis indicates that the group has likely been active since late 2023, operating quietly while expanding its toolkit.

The attackers rely heavily on malware written in the Go programming language, combined with injectors and loaders to deploy various malicious components across infected systems.

Use of Legitimate Platforms for Command and Control

One of the most notable aspects of this campaign is the abuse of trusted online services for command-and-control communication. The attackers leveraged platforms such as Discord, Slack, and Microsoft 365 Outlook, along with file-sharing services, to send instructions and extract stolen data.

By blending malicious traffic with legitimate services, the group increases its ability to evade detection.
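Traffic to Discord, Slack or Microsoft 365 looks ordinary on most networks, so the useful signal is not the destination but who talks to it and how regularly. The following is an added example, not ESET's or the report's detection logic: a small beaconing heuristic over constructed proxy log lines that flags a host contacting a collaboration-service domain at machine-regular intervals from a process that is not the service's usual client. The domain list, the expected-client list and the log format are all assumptions made for the example.

```python
"""Beaconing heuristic over constructed proxy log lines.

Constructed example, not ESET's or the report's own detection logic:
flags hosts that contact collaboration-service API domains at near-constant
intervals from a process that is not the service's usual client.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Domains of the services the article says were abused (assumed hostnames;
# the exact endpoints used by the campaign are not on the page).
WATCHED_DOMAINS = {"discord.com", "slack.com", "graph.microsoft.com"}
# Processes expected to talk to these services on a normal workstation (assumption).
EXPECTED_CLIENTS = {"Discord.exe", "slack.exe", "OUTLOOK.EXE",
                    "chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed proxy log lines: "<ISO timestamp> <host> <process> <destination>"
SAMPLE_LOG = """\
2025-03-04T01:00:00Z WS-07 svchost.exe discord.com
2025-03-04T01:05:01Z WS-07 svchost.exe discord.com
2025-03-04T01:10:00Z WS-07 svchost.exe discord.com
2025-03-04T01:14:59Z WS-07 svchost.exe discord.com
2025-03-04T01:20:00Z WS-07 svchost.exe discord.com
2025-03-04T01:00:00Z WS-02 Discord.exe discord.com
2025-03-04T01:00:30Z WS-02 Discord.exe discord.com
2025-03-04T01:07:12Z WS-02 Discord.exe discord.com
2025-03-04T01:31:45Z WS-02 Discord.exe discord.com
2025-03-04T01:02:00Z WS-09 chrome.exe slack.com
2025-03-04T01:41:00Z WS-09 chrome.exe slack.com
2025-03-04T01:00:00Z WS-11 updater.exe example.org
2025-03-04T01:10:00Z WS-11 updater.exe example.org
2025-03-04T01:20:00Z WS-11 updater.exe example.org
2025-03-04T01:30:00Z WS-11 updater.exe example.org
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, host, process, dest) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dest = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, proc, dest))
    return events


def find_beacons(events, min_hits=4, max_cv=0.1):
    """Return (host, process, dest, mean_interval_s) for suspicious regular contacts.

    A (host, process, dest) series is flagged when the destination is a watched
    collaboration domain, the process is not one of its expected clients, there
    are at least `min_hits` connections, and the interval coefficient of variation
    (stdev / mean) is at most `max_cv`, i.e. the timing is machine-regular.
    """
    series = defaultdict(list)
    for ts, host, proc, dest in events:
        series[(host, proc, dest)].append(ts)

    hits = []
    for (host, proc, dest), stamps in series.items():
        if dest not in WATCHED_DOMAINS or proc in EXPECTED_CLIENTS:
            continue
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((host, proc, dest, round(avg)))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print("possible beacon:", hit)
```

In the constructed sample only WS-07 is flagged: its five contacts to discord.com arrive every 300 seconds from a process that is not a Discord client, whereas the real client on WS-02 polls irregularly, the browser on WS-09 is an expected client, and WS-11's perfectly regular traffic goes to a domain outside the watched set. Real implants usually add jitter, so in production the threshold and the window would be tuned against the organisation's own baseline rather than fixed as here.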

Malware Arsenal and Capabilities

The GopherWhisper toolkit includes multiple specialized components designed for different stages of the attack:

  • JabGopher, used to deploy the main backdoor
  • LaxGopher, a Go-based backdoor that executes commands and retrieves additional payloads
  • CompactGopher, a tool that collects and filters sensitive files before compressing and encrypting them
  • RatGopher, another backdoor that communicates through private Discord channels
  • SSLORDoor, a C++-based backdoor enabling remote control and system manipulation
  • FriendDelivery and BoxOfFriends, which use Microsoft Graph API to exchange commands via draft emails

These tools allow attackers to execute commands, gather data, and maintain persistent access to compromised systems.

Data Exfiltration Techniques

Sensitive files are selectively collected based on file type, including documents, spreadsheets, and presentations. The data is then compressed, encrypted, and exfiltrated through external services, making detection more challenging.
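The collect, compress and encrypt sequence leaves a host-side pattern before anything crosses the network: one process reads many office documents and then writes a file whose bytes look random. The following added example (not ESET's or any product's detection code) scores that pattern over constructed file-activity events; the event shape and the `content_sample` field, which stands in for the first bytes of a written file as an endpoint sensor might capture them, are assumptions for the example.

```python
"""Staging-detection heuristic over constructed file-activity events.

Constructed example (not ESET's or any product's detection code): flags a
process that reads many office documents and then writes a high-entropy file,
the collect -> compress/encrypt -> stage pattern described in the article.
"""
import math
import os
from collections import defaultdict

# File types the article says are collected selectively (assumed extension list).
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for compressed or encrypted data, far lower for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Constructed events in time order: (timestamp, process, op, path, content_sample).
# content_sample is an assumed stand-in for the leading bytes of a written file.
EVENTS = [
    # a non-office process sweeps the Documents folder, then writes a random-looking blob
    ("2025-03-04T02:00:01Z", "updsvc.exe", "read", r"C:\Users\a\Documents\budget.xlsx", b""),
    ("2025-03-04T02:00:02Z", "updsvc.exe", "read", r"C:\Users\a\Documents\plan.docx", b""),
    ("2025-03-04T02:00:03Z", "updsvc.exe", "read", r"C:\Users\a\Documents\deck.pptx", b""),
    ("2025-03-04T02:00:04Z", "updsvc.exe", "read", r"C:\Users\a\Documents\memo.doc", b""),
    ("2025-03-04T02:00:05Z", "updsvc.exe", "read", r"C:\Users\a\Documents\notes.pdf", b""),
    ("2025-03-04T02:00:06Z", "updsvc.exe", "read", r"C:\Users\a\Documents\photo.png", b""),
    ("2025-03-04T02:01:30Z", "updsvc.exe", "write", r"C:\Users\a\AppData\Local\Temp\tmp01.dat", os.urandom(4096)),
    # a user editing one document: docx output is a zip (high entropy) but only one document was read
    ("2025-03-04T02:05:00Z", "WINWORD.EXE", "read", r"C:\Users\a\Documents\plan.docx", b""),
    ("2025-03-04T02:09:00Z", "WINWORD.EXE", "write", r"C:\Users\a\Documents\plan.docx", os.urandom(4096)),
    # an indexer reads many documents but writes plain text
    ("2025-03-04T02:10:00Z", "indexer.exe", "read", r"C:\Share\q1.xlsx", b""),
    ("2025-03-04T02:10:01Z", "indexer.exe", "read", r"C:\Share\q2.xlsx", b""),
    ("2025-03-04T02:10:02Z", "indexer.exe", "read", r"C:\Share\q3.xlsx", b""),
    ("2025-03-04T02:10:03Z", "indexer.exe", "read", r"C:\Share\q4.xlsx", b""),
    ("2025-03-04T02:10:04Z", "indexer.exe", "read", r"C:\Share\summary.pptx", b""),
    ("2025-03-04T02:10:06Z", "indexer.exe", "write", r"C:\Share\index.txt",
     b"q1.xlsx q2.xlsx q3.xlsx q4.xlsx summary.pptx\n" * 40),
]


def find_staging(events, min_docs=5, min_entropy=7.0):
    """Return (process, written_path, docs_read) for each suspicious staging write.

    A write is flagged when the same process has already read at least
    `min_docs` distinct office documents and the written sample's entropy is at
    least `min_entropy` bits per byte (compressed or encrypted content).
    """
    docs_read = defaultdict(set)
    hits = []
    for _ts, proc, op, path, sample in events:
        ext = os.path.splitext(path)[1].lower()
        if op == "read" and ext in DOC_EXTENSIONS:
            docs_read[proc].add(path)
        elif op == "write":
            if len(docs_read[proc]) >= min_docs and shannon_entropy(sample) >= min_entropy:
                hits.append((proc, path, len(docs_read[proc])))
    return hits


if __name__ == "__main__":
    for hit in find_staging(EVENTS):
        print("possible staging:", hit)
```

Only updsvc.exe is flagged: it read five distinct documents (the PNG is ignored) and then wrote a high-entropy file in a temp directory. Word's write is high-entropy too, but the process read a single document; the indexer read enough documents but wrote low-entropy text. Backup agents and archiving tools will trip this rule by design, so it is a triage signal to pair with the process's signer, path and network activity, not a verdict on its own.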

Indicators of China Alignment

Researchers observed that most command-and-control activity occurred during working hours aligned with China Standard Time. Additional clues, such as system configuration settings, further support the assessment that the group is linked to China.
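The working-hours observation is a standard analytic: convert each C2 timestamp into the local time of several candidate zones and measure how many fall inside a weekday business day. The following added example (not ESET's analysis code) runs that scoring over constructed UTC timestamps; the candidate zone list and the 09:00 to 18:00 working window are assumptions. It also shows the caveat the article's "additional clues" sentence implies: Mongolia and China share UTC+8, so timing alone cannot separate an operator in one from a tester in the other.

```python
"""Working-hours analysis of C2 timestamps across candidate time zones.

Constructed example (not ESET's analysis code): given UTC timestamps of
observed C2 activity, score how well each candidate zone's local business
hours explain the activity. A high score is weak evidence on its own and is
combined with other clues such as system configuration settings.
"""
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Candidate operator time zones (assumption for the example).
CANDIDATE_ZONES = ["Asia/Shanghai", "Asia/Ulaanbaatar", "Europe/Moscow", "America/New_York"]
WORK_START, WORK_END = 9, 18  # local hours treated as the working day (assumption)

# Constructed UTC timestamps (not real campaign data): most fall 01:00-10:00 UTC
# on weekdays, i.e. 09:00-18:00 in UTC+8, plus two outliers.
SAMPLE_TIMESTAMPS = [
    "2025-03-03T01:15:00Z", "2025-03-03T03:40:00Z", "2025-03-03T06:05:00Z", "2025-03-03T09:30:00Z",
    "2025-03-04T02:00:00Z", "2025-03-04T04:45:00Z", "2025-03-04T07:20:00Z",
    "2025-03-05T01:05:00Z", "2025-03-05T08:50:00Z", "2025-03-05T16:00:00Z",
    "2025-03-06T03:10:00Z", "2025-03-06T05:55:00Z", "2025-03-07T02:30:00Z",
    "2025-03-08T04:00:00Z",  # a Saturday
]


def parse_utc(stamps):
    """Turn ISO-8601 'Z' strings into timezone-aware UTC datetimes."""
    return [datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            for s in stamps]


def work_hours_fraction(utc_times, zone):
    """Fraction of events landing Mon-Fri within [WORK_START, WORK_END) local time in `zone`."""
    tz = ZoneInfo(zone)
    in_hours = 0
    for t in utc_times:
        local = t.astimezone(tz)   # ZoneInfo handles DST for zones that observe it
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            in_hours += 1
    return in_hours / len(utc_times)


def rank_zones(stamps, zones=CANDIDATE_ZONES):
    """Return [(zone, fraction), ...] sorted from best to worst fit (ties keep list order)."""
    times = parse_utc(stamps)
    scores = {z: work_hours_fraction(times, z) for z in zones}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for zone, fraction in rank_zones(SAMPLE_TIMESTAMPS):
        print(f"{zone:20s} {fraction:.0%} of activity in local working hours")
```

On the constructed data both UTC+8 zones score 12 of 14 events inside working hours, Moscow 4 of 14 and New York 1 of 14. Since the victim environment here is also UTC+8, the timing pattern narrows the field but does not by itself distinguish China from Mongolia; that is why the researchers cite configuration artefacts alongside it. The analysis also assumes the operators keep a regular schedule, which a team working shifts or automating tasking would defeat.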

Unknown Initial Access Method

While the exact entry point remains unclear, once attackers gain access, they deploy multiple tools to expand control within the network. This includes executing commands, moving laterally, and establishing persistent communication channels.
