A previously undocumented China-aligned hacking group called GopherWhisper has targeted Mongolian governmental institutions and infected about 12 systems, according to a technical analysis from ESET.
KEY FACTS
- Target: Mongolian governmental institutions were identified as the main victims.
- Infection count: ESET said telemetry showed about 12 infected systems, with signs of dozens of other victims.
- Activity window: The group is assessed to have been active since at least November 2023.
- Tooling: The arsenal includes Go-based backdoors, injectors, loaders and a C++ remote access tool.
- Exfiltration: Compromised files were compressed, encrypted and sent to file.io.
The group was first identified in January 2025 after researchers found a new backdoor, LaxGopher, on a Mongolian government system. The report says the attackers use legitimate services such as Discord, Slack, Microsoft 365 Outlook and file.io for command-and-control and data theft.
GopherWhisper’s tools include JabGopher, which loads LaxGopher, and CompactGopher, which collects documents and images before packing them into ZIP archives and encrypting them with AES-CFB-128. Other malware described in the report includes RatGopher, SSLORDoor, FriendDelivery and BoxOfFriends, which uses the Microsoft Graph API to create draft emails for command traffic.
Initial access to the networks remains unknown. ESET said timestamps on Slack and Discord messages placed most activity between 8 a.m. and 5 p.m. and matched China Standard Time, along with Slack locale data, leading it to assess that the group is China-aligned.
The disclosure also said the earliest Outlook account used for the email-based backdoor was created on July 11, 2024. The report did not say how the victims were first compromised or whether the intrusion set has been disrupted.
WHY IT MATTERS
The findings show how state-linked operators can blend into normal business traffic by abusing widely used cloud and messaging services for control and data theft. That makes detection harder for government networks and raises the risk of longer, quieter intrusions.
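As an added example (not code from ESET's report or from this article), the following Python pass runs over constructed proxy log lines and flags hosts that reach the services named above in the combination the report describes: a large POST to file.io, or traffic to a Discord, Slack or Microsoft Graph endpoint from a host not on an allowlist of known legitimate users. The log format, hostnames and allowlist are assumptions for illustration.

```python
import re
from collections import defaultdict

# Services the report says the group abuses, and the role each plays.
# Hostnames are assumptions for this example; match them to your proxy's data.
WATCHED = {
    "file.io": "exfil",
    "discord.com": "c2",
    "slack.com": "c2",
    "graph.microsoft.com": "c2",   # draft-email channel via Microsoft Graph
}

# Constructed proxy log lines: "<UTC timestamp> <client_ip> <method> <url> <bytes_out>"
SAMPLE_LOG = """\
2025-01-14T02:13:07Z 10.20.1.15 POST https://file.io/ 9481233
2025-01-14T02:15:41Z 10.20.1.15 GET https://discord.com/api/v9/channels/1/messages 412
2025-01-14T07:55:02Z 10.20.1.22 GET https://www.example.gov.mn/index.html 2048
2025-01-14T03:02:11Z 10.20.1.15 POST https://graph.microsoft.com/v1.0/me/messages 1820
2025-01-14T09:10:00Z 10.20.1.30 GET https://slack.com/api/conversations.history 380
"""

LINE_RE = re.compile(r"^\d{4}-\d\d-\d\dT(\d\d):\d\d:\d\dZ (\S+) (\S+) https?://([^/\s]+)\S* (\d+)$")

def watched_domain(host):
    """Return the watched domain that host equals or is a subdomain of, else None."""
    for dom in WATCHED:
        if host == dom or host.endswith("." + dom):
            return dom
    return None

def analyze(log_text, allowed_clients=frozenset(), upload_threshold=1_000_000):
    """Group watched-service hits per client; flag clients that POST >= upload_threshold
    bytes to file.io, or that reach a c2-capable service without being allowlisted.
    hours_cst is the UTC hour shifted to China Standard Time (UTC+8) for the 8-5 check."""
    clients = defaultdict(lambda: {"roles": set(), "large_uploads": 0, "hours_cst": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hour, client, method, host, size = m.groups()
        dom = watched_domain(host)
        if dom is None:
            continue
        rec = clients[client]
        rec["roles"].add(WATCHED[dom])
        rec["hours_cst"].append((int(hour) + 8) % 24)
        if dom == "file.io" and method == "POST" and int(size) >= upload_threshold:
            rec["large_uploads"] += 1
    return {c: rec for c, rec in clients.items()
            if rec["large_uploads"] or ("c2" in rec["roles"] and c not in allowed_clients)}
```

Run `analyze(SAMPLE_LOG)` to see both suspicious hosts; passing `allowed_clients={"10.20.1.30"}` drops the host whose only hit is ordinary Slack traffic.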