Researchers discovered a previously undocumented China-aligned threat actor, tracked as GopherWhisper, targeting a Mongolian government entity and using legitimate services such as Discord, Slack and Microsoft 365 Outlook to control compromised systems. The attackers deployed a Go-based backdoor called LaxGopher and a suite of tools — including RatGopher, SSLORDoor and CompactGopher — to maintain access and exfiltrate data to File.io, an operation consistent with espionage.
Key points
- ESET discovered the GopherWhisper campaign in January 2025 after finding a previously unknown backdoor on a Mongolian government network.
- The group abused legitimate platforms like Discord, Slack and Microsoft 365 Outlook to manage command-and-control and disguise activity.
- Attackers used a Go-based toolset including LaxGopher, RatGopher, BoxOfFriends, JabGopher, FriendDelivery and SSLORDoor to maintain persistence.
- CompactGopher was used to compress and exfiltrate stolen files to the File.io file-sharing service.
- ESET assessed the operation as consistent with cyber espionage, noting dozens of likely additional victims but providing no firm attribution.
Read More: https://therecord.media/china-linked-hackers-target-mongolian-gov-slack-discord