


Perceptive Security
SOC/SIEM Consultancy

China-Linked GopherWhisper Infects 12 Mongolian Government Systems with Go Backdoors
Published:
23 April 2026 at 09:04:00
Alert date:
23 April 2026 at 10:01:03
Source:
thehackernews.com
Ransomware & Malware, Data Breach & Exfiltration, Critical Infrastructure
A previously undocumented China-aligned APT group called GopherWhisper has infected 12 Mongolian government systems. The group uses a wide array of tools, mostly written in the Go programming language, employing injectors and loaders to deploy and execute various backdoors. This represents significant targeting of Mongolian government institutions by China-aligned threat actors using a sophisticated Go-based malware arsenal.
Technical details
GopherWhisper is a China-aligned APT group that deploys multiple Go-based backdoors and supporting components: JabGopher (injector), LaxGopher (Slack C2), CompactGopher (file collection utility), RatGopher (Discord C2), SSLORDoor (C++ backdoor), FriendDelivery (DLL loader), and BoxOfFriends (Microsoft Graph API backdoor).
The malware uses legitimate services, namely Discord, Slack, Microsoft 365 Outlook, and file.io, for C2 communication and data exfiltration, so its traffic blends into ordinary SaaS use and is not caught by reputation-based blocking alone; process and account context is needed to separate it from legitimate use of the same services.
CompactGopher collects files by extension (.doc, .docx, .jpg, .xls, .xlsx, .txt, .pdf, .ppt, .pptx), compresses them into a ZIP archive, encrypts the archive with AES-CFB-128, and uploads it to file.io.
Operator activity clusters within China Standard Time (UTC+8) working hours (8am-5pm), which supports the attribution.
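The following triage script is an added example, not code from the original article or from the threat actor. It reads proxy log lines in an assumed format (UTC timestamp, source host, process name, destination host, HTTP method), flags connections to the services named above (file.io, Discord, Slack, Microsoft Graph) from processes that would not normally talk to them, and then buckets the flagged events by hour in China Standard Time to test the working-hours pattern. The allow-list of expected processes and the sample log lines are constructed assumptions; tune the allow-list to the estate's real software inventory.

```python
"""Triage helper for the SaaS-abuse pattern described on this page.

Added example; not the article's or the threat actor's code. The log
format, the process allow-list and the sample lines are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Services the page names as abused for C2 and exfiltration, keyed by
# registrable domain so that subdomains (hooks.slack.com, ...) match too.
ABUSED_HOSTS = {
    "file.io": "file.io upload (CompactGopher exfil)",
    "discord.com": "Discord C2 (RatGopher)",
    "discordapp.com": "Discord C2 (RatGopher)",
    "slack.com": "Slack C2 (LaxGopher)",
    "graph.microsoft.com": "Microsoft Graph API (BoxOfFriends)",
}

# Assumed allow-list: processes for which traffic to these hosts is
# expected. Everything else talking to them is worth a second look.
EXPECTED_PROCESSES = {
    "chrome.exe", "msedge.exe", "firefox.exe",
    "slack.exe", "discord.exe", "outlook.exe", "teams.exe",
}

CST = timezone(timedelta(hours=8))  # China Standard Time, UTC+8
WORK_HOURS = range(8, 17)           # 8am-5pm as stated on the page

# Constructed sample proxy log: "<utc-iso-time> <src> <process> <dst> <method>"
SAMPLE_LOG = """\
2026-04-20T01:12:05Z ws-0143 svchost.exe file.io POST
2026-04-20T02:40:17Z ws-0143 svchost.exe discord.com POST
2026-04-20T07:15:44Z ws-0207 chrome.exe slack.com GET
2026-04-20T08:03:09Z ws-0207 rundll32.exe hooks.slack.com POST
2026-04-20T16:55:31Z ws-0143 outlook.exe graph.microsoft.com GET
2026-04-21T03:22:58Z ws-0311 updater.exe graph.microsoft.com POST
2026-04-21T09:10:00Z ws-0311 svchost.exe api.discordapp.com GET
"""


def host_category(host):
    """Return the abuse label for host or any parent domain, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in ABUSED_HOSTS:
            return ABUSED_HOSTS[candidate]
    return None


def parse_line(line):
    """Parse one log line of the assumed five-field format."""
    ts, src, proc, dst, method = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "src": src, "proc": proc.lower(), "dst": dst, "method": method,
    }


def suspicious_events(lines):
    """Events whose destination is an abused service and whose process is
    not one that normally talks to it."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        category = host_category(event["dst"])
        if category and event["proc"] not in EXPECTED_PROCESSES:
            event["category"] = category
            hits.append(event)
    return hits


def cst_hour_profile(events):
    """Count events per hour of day in CST and return the fraction that
    fall inside the 8am-5pm working-hours window."""
    hours = Counter(e["ts"].astimezone(CST).hour for e in events)
    total = sum(hours.values())
    in_work = sum(n for h, n in hours.items() if h in WORK_HOURS)
    return hours, (in_work / total if total else 0.0)


if __name__ == "__main__":
    hits = suspicious_events(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h['ts'].isoformat()} {h['src']} {h['proc']} -> "
              f"{h['dst']} [{h['category']}]")
    hours, fraction = cst_hour_profile(hits)
    print("CST hour histogram:", dict(sorted(hours.items())))
    print(f"share inside CST 08-17: {fraction:.0%}")
```

A high share inside the CST working-hours window is supporting evidence, not proof: the page itself only reports that the observed activity aligns with those hours, and a legitimate process name on the allow-list can still be hollowed or injected into, so treat the allow-list as a noise filter rather than as a verdict.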
Mitigation steps:
Affected products (legitimate services abused for C2 and exfiltration, not vulnerable products):
Discord
Slack
Microsoft 365 Outlook
file.io
Related links:
Related CVEs:
Related threat actors:
IOCs:
barrantaya.1010@outlook[.]com, whisper.dll, file[.]io
This article was created with the assistance of AI technology by Perceptive.
