China-Linked GopherWhisper Infects 12 Mongolian Government Systems with Go Backdoors
https://thehackernews.com/2026/04/china-linked-gopherwhisper-infects-12.html
Publish Date: 2026-04-23 05:04:00
Source Domain: thehackernews.com
Mongolian governmental institutions have emerged as the target of a previously undocumented China-aligned advanced persistent threat (APT) group tracked as GopherWhisper.
“The group wields a wide array of tools mostly written in Go, using injectors and loaders to deploy and execute various backdoors in its arsenal,” Slovakian cybersecurity company ESET said in a report shared with The Hacker News. “GopherWhisper abuses legitimate services, notably Discord, Slack, Microsoft 365 Outlook, and file.io for command-and-control (C&C) communication and exfiltration.”
The group was first identified in January 2025, after a never-before-seen backdoor codenamed LaxGopher was found on a system belonging to a Mongolian governmental entity. GopherWhisper is assessed to have been active since at least November 2023. Besides LaxGopher, some of the other malware families in the threat actor’s arsenal are Golang-based tools that receive instructions from the C&C server, execute them, and send the results back.
The threat actor also uses a file collection tool that gathers files of interest and exfiltrates them in compressed format to the file[.]io file-sharing service, as well as a C++ backdoor that offers remote control over compromised hosts.
Telemetry data from ESET shows that about 12 systems associated with the Mongolian governmental institution were infected by the backdoors, with C&C traffic from the attacker-controlled Discord and Slack servers indicating dozens of other victims.

Exactly how GopherWhisper obtains initial access to the target networks is currently not known. A successful foothold, however, is followed by attempts to deploy a wide range of tools and implants:
- JabGopher, an injector that executes the LaxGopher (“whisper.dll”) backdoor.
- LaxGopher, a Go-based backdoor that uses Slack for C2 to execute commands via “cmd.exe” and publish the results back to the Slack channel, as well as download…