Key points
- GopherWhisper is a China-linked APT active since at least November 2023 that targeted a Mongolian government organization.
- The group leverages legitimate services for C&C and exfiltration, including Slack, Discord, Microsoft Graph (Outlook drafts), and file.io.
- LaxGopher is a Go-based backdoor using Slack for C&C that can execute commands, exfiltrate data, and fetch additional payloads.
- RatGopher is another Go backdoor that uses Discord for C&C and can upload/download files via file.io.
- The group also deploys JabGopher (an injector that loads its payload into svchost), SSLORDoor (a raw TCP backdoor built on OpenSSL BIO), and BoxOfFriends (a backdoor that uses Microsoft Graph for C&C).
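The common thread in these key points is C&C and exfiltration over legitimate services (Slack, Discord, Microsoft Graph, file.io), which blends in with normal traffic. The following added example (not part of the original report) sketches a defender-side check: it parses constructed proxy log lines and flags any process other than a sanctioned client that talks to one of those services, plus any large upload to them. The log format, the process allow-list, the field names and the sample lines are all assumptions made for the illustration.

```python
"""Flag proxy log lines where an unexpected client process contacts a
service the report associates with GopherWhisper C&C/exfiltration.

Added example, not code from the original report. The log format,
the sanctioned-client table and the sample lines are constructed."""
import re

# Services named in the report as C&C / exfiltration channels.
WATCHED_HOSTS = {
    "slack.com": "Slack (LaxGopher C&C)",
    "discord.com": "Discord (RatGopher C&C)",
    "graph.microsoft.com": "Microsoft Graph (BoxOfFriends, Outlook drafts)",
    "file.io": "file.io (file upload/download)",
}

# Processes expected to talk to each service on a managed host (assumption).
EXPECTED_CLIENTS = {
    "slack.com": {"slack.exe"},
    "discord.com": {"discord.exe"},
    "graph.microsoft.com": {"outlook.exe", "teams.exe", "onedrive.exe"},
    "file.io": set(),  # no sanctioned client at all
}

# Constructed log format: one space-separated key=value record per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) "
    r"method=(?P<method>[A-Z]+) bytes_out=(?P<out>\d+)$"
)

# Constructed sample lines (not real telemetry).
SAMPLE_LOG = [
    "2024-01-10T08:01:02Z host=ws01 proc=outlook.exe dst=graph.microsoft.com method=POST bytes_out=4200",
    "2024-01-10T08:01:09Z host=ws01 proc=svchost.exe dst=slack.com method=POST bytes_out=512",
    "2024-01-10T08:02:31Z host=ws02 proc=updater.exe dst=discord.com method=POST bytes_out=2400000",
    "2024-01-10T08:03:00Z host=ws02 proc=chrome.exe dst=file.io method=PUT bytes_out=150000",
    "2024-01-10T08:03:15Z host=ws03 proc=slack.exe dst=slack.com method=GET bytes_out=300",
    "this line is malformed and must be skipped",
]


def parse_line(line):
    """Return a dict of fields, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["out"] = int(rec["out"])
    return rec


def watched_host(dst):
    """Map a destination host (or any subdomain of it) to a watched service."""
    dst = dst.lower()
    for h in WATCHED_HOSTS:
        if dst == h or dst.endswith("." + h):
            return h
    return None


def find_suspicious(lines, upload_threshold=1_000_000):
    """Return alerts for watched-service traffic from unexpected processes
    or for large uploads (POST/PUT at or above upload_threshold bytes)."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are ignored, not treated as alerts
        h = watched_host(rec["dst"])
        if h is None:
            continue
        proc = rec["proc"].lower()
        reasons = []
        if proc not in EXPECTED_CLIENTS[h]:
            reasons.append(f"unexpected process {proc}")
        if rec["method"] in {"POST", "PUT"} and rec["out"] >= upload_threshold:
            reasons.append(f"large upload of {rec['out']} bytes")
        if reasons:
            alerts.append({
                "ts": rec["ts"], "host": rec["host"], "proc": proc,
                "dst": rec["dst"], "service": WATCHED_HOSTS[h],
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for a in find_suspicious(SAMPLE_LOG):
        print(f"{a['ts']} {a['host']} {a['proc']} -> {a['service']}: "
              + "; ".join(a["reasons"]))
```

Run against the sample, this flags the svchost.exe connection to Slack, the large upload from updater.exe to Discord, and the file.io transfer, while leaving the Outlook-to-Graph and Slack-client traffic alone. The allow-list is the part that needs tuning per environment; the upload threshold is a crude stand-in for a proper baseline.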