
China-Linked GopherWhisper Infects 12 Mongolian Government Systems with Go Backdoors

Published:

23 April 2026 at 09:04:00

Alert date:

23 April 2026 at 10:01:03

Source:

thehackernews.com


Ransomware & Malware, Data Breach & Exfiltration, Critical Infrastructure

A previously undocumented China-aligned APT group called GopherWhisper has infected 12 Mongolian government systems. The group uses a wide array of tools, mostly written in the Go programming language, and relies on injectors and loaders to deploy and execute various backdoors. This represents significant targeting of Mongolian governmental institutions by Chinese threat actors using a sophisticated Go-based malware arsenal.

Technical details

GopherWhisper is a China-aligned APT group that deploys a toolset of mostly Go-based backdoors and loaders, including JabGopher (injector), LaxGopher (Slack C2), CompactGopher (file collection utility), RatGopher (Discord C2), SSLORDoor (C++ backdoor), FriendDelivery (DLL loader), and BoxOfFriends (Microsoft Graph API backdoor). The malware uses legitimate services such as Discord, Slack, Microsoft 365 Outlook, and file.io for C2 communication and data exfiltration. CompactGopher filters files by extension (.doc, .docx, .jpg, .xls, .xlsx, .txt, .pdf, .ppt, .pptx), compresses them into a ZIP archive, encrypts the archive with AES-CFB-128, and exfiltrates it to file.io. Activity patterns align with China Standard Time working hours (08:00-17:00).
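The following is an added detection example, not code from the advisory or from the reporting it summarizes. It scans constructed endpoint log lines for the defender-relevant signals in the paragraph above: outbound connections to the legitimate services the group abuses (file.io, Discord, Slack, Microsoft Graph/Outlook) from processes that have no business talking to them, large POST uploads to those hosts, image loads of the quoted IOC filename whisper.dll, and, as a weak enrichment signal only, whether the timestamp falls inside CST working hours. The log format, the process baseline, the size threshold and the API hostnames (the advisory names only the services) are assumptions.

```python
"""Added detection example for the GopherWhisper write-up (not the advisory's code).

Assumed log format (constructed): one record per line as key=value pairs, e.g.
  ts=<UTC ISO8601> host=<name> event=net_conn proc=<image> dst=<host> method=<verb> bytes=<n>
  ts=<UTC ISO8601> host=<name> event=image_load proc=<image> image="<path>"
"""
import re
from datetime import datetime, timedelta, timezone

# Services the advisory names as C2/exfil channels. The API hostnames are
# assumptions; the advisory lists only the service names.
ABUSED_HOSTS = {
    "file.io": "file.io (exfiltration)",
    "discord.com": "Discord (C2)",
    "slack.com": "Slack (C2)",
    "graph.microsoft.com": "Microsoft Graph / Outlook (C2)",
}

# Assumed baseline: processes expected to reach those services in this estate.
EXPECTED_PROCESSES = {
    "chrome.exe", "msedge.exe", "firefox.exe",
    "discord.exe", "slack.exe", "outlook.exe", "teams.exe",
}

# Filename indicator quoted in the advisory's IOC list.
IOC_FILENAMES = {"whisper.dll"}

LARGE_UPLOAD_BYTES = 1_000_000          # assumed threshold for "bulk upload"
CST = timezone(timedelta(hours=8))      # China Standard Time, UTC+8

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse 'key=value key="quoted value"' into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def host_matches(dst):
    """Return the service label if dst is an abused host or one of its subdomains."""
    dst = dst.lower()
    for host, label in ABUSED_HOSTS.items():
        if dst == host or dst.endswith("." + host):
            return label
    return None


def in_cst_working_hours(ts):
    """Enrichment only: True if a UTC timestamp lands in 08:00-17:00 CST."""
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return 8 <= t.astimezone(CST).hour < 17


def evaluate(rec):
    """Return the list of findings for one parsed record (empty if benign)."""
    findings = []
    proc = rec.get("proc", "").lower()
    if rec.get("event") == "net_conn":
        label = host_matches(rec.get("dst", ""))
        if label and proc not in EXPECTED_PROCESSES:
            findings.append(f"{proc} -> {rec['dst']}: {label} from unexpected process")
            if rec.get("method") == "POST" and int(rec.get("bytes", 0)) >= LARGE_UPLOAD_BYTES:
                findings.append(f"{proc} -> {rec['dst']}: large POST ({rec['bytes']} bytes)")
    elif rec.get("event") == "image_load":
        # Normalise Windows paths and compare only the basename against the IOC list.
        image = rec.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        if image in IOC_FILENAMES:
            findings.append(f"{proc} loaded IOC filename {image}")
    # Timing is never a detection on its own; it is appended only to existing hits.
    if findings and in_cst_working_hours(rec.get("ts", "1970-01-01T00:00:00Z")):
        findings.append("timing: within CST working hours (weak signal)")
    return findings


def scan(lines):
    """Run every line through the rules; return (ts, host, finding) tuples."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        alerts.extend((rec.get("ts"), rec.get("host"), f) for f in evaluate(rec))
    return alerts


# Constructed sample log: hostnames, process names and sizes are invented.
SAMPLE_LOG = [
    r'ts=2026-04-23T01:11:58Z host=GOV-WS-07 event=image_load proc=rundll32.exe image="C:\Users\Public\whisper.dll"',
    r'ts=2026-04-23T01:12:09Z host=GOV-WS-07 event=net_conn proc=svchost.exe dst=file.io method=POST bytes=5242880',
    r'ts=2026-04-23T01:15:40Z host=GOV-WS-07 event=net_conn proc=updater.exe dst=discord.com method=GET bytes=812',
    r'ts=2026-04-23T13:30:00Z host=GOV-WS-11 event=net_conn proc=slack.exe dst=slack.com method=POST bytes=2048',
    r'ts=2026-04-23T13:31:00Z host=GOV-WS-11 event=net_conn proc=chrome.exe dst=www.example.com method=GET bytes=3000',
]

if __name__ == "__main__":
    for ts, host, finding in scan(SAMPLE_LOG):
        print(f"{ts} {host}: {finding}")
```

The process baseline is the part to tune per environment: the advisory's point is that the traffic itself looks legitimate, so the signal comes from which process generates it and how much it uploads, not from the destination alone. The CST working-hours check is deliberately appended to existing findings rather than used as a trigger, since a large share of benign activity also falls in that window.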

Mitigation steps:

Affected products:

Discord
Slack
Microsoft 365 Outlook
file.io

Related links:

Related CVEs:

Related threat actors:

IOCs:

barrantaya.1010@outlook[.]com, whisper.dll, file[.]io

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information obtained from external sources; Perceptive accepts no responsibility for the accuracy, completeness or currency of this information.
