Mongolian governmental institutions were targeted by a previously undocumented China-aligned APT tracked as GopherWhisper, which deployed a diverse toolkit of backdoors, injectors, and loaders written mostly in Go. The actor abused legitimate services including Discord, Slack, Microsoft 365 Outlook, and file[.]io for command-and-control and exfiltration, with telemetry showing about a dozen confirmed infections and activity timed to China Standard Time.
Key points
- GopherWhisper targeted Mongolian government networks.
- The group uses multiple Go-based implants such as LaxGopher, RatGopher, and CompactGopher.
- Command-and-control and exfiltration leveraged Discord, Slack, Microsoft 365 Outlook, and file[.]io.
- Loaders and injectors include JabGopher and FriendDelivery, while SSLORDoor provides a C++ remote-access backdoor.
- Telemetry shows about 12 infected systems and activity aligned with China Standard Time, though initial access methods remain unknown.
Read More: https://thehackernews.com/2026/04/china-linked-gopherwhisper-infects-12.html