Researchers disclosed a Chinese APT called GopherWhisper that has been active since November 2023 and is targeting Mongolian government institutions, with ESET finding multiple backdoored systems. The group uses a variety of custom backdoors—LaxGopher, RatGopher, BoxOfFriends, CompactGopher, and SSLORDoor—that abuse mainstream cloud services for C2, indicating prolific but not highly sophisticated development. #GopherWhisper #Mongolia
Key points
- GopherWhisper is a China-aligned APT active since November 2023 targeting Mongolian government networks.
- ESET discovered at least five distinct backdoors and associated loaders used by the group.
- Each backdoor leverages different C2 channels, abusing services like Slack, Discord, Outlook drafts, and file.io for communications and exfiltration.
- ESET found 12 backdoored systems in one Mongolian government institution, with evidence of dozens more victims.
- Researchers describe the operators as prolific but not especially sophisticated, with signs they may be relatively new to malware development.
Read More: https://www.darkreading.com/cyberattacks-data-breaches/chinese-apt-abuses-cloud-tools-spy-mongolia