{"id":235059,"date":"2026-04-23T05:04:00","date_gmt":"2026-04-23T09:04:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/04\/23\/china-linked-gopherwhisper-infects-12-mongolian-government-systems-with-go-backdoors\/"},"modified":"2026-04-24T06:30:11","modified_gmt":"2026-04-24T10:30:11","slug":"china-linked-gopherwhisper-infects-12-mongolian-government-systems-with-go-backdoors","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/04\/23\/china-linked-gopherwhisper-infects-12-mongolian-government-systems-with-go-backdoors\/","title":{"rendered":"China-Linked GopherWhisper Infects 12 Mongolian Government Systems with Go Backdoors"},"content":{"rendered":"

China-Linked GopherWhisper Infects 12 Mongolian Government Systems with Go Backdoors<\/a><\/p>\n

https:\/\/thehackernews.com\/2026\/04\/china-linked-gopherwhisper-infects-12.html<\/a><\/p>\n

Publish Date: 2026-04-23 05:04:00<\/a><\/p>\n

Source Domain: thehackernews.com<\/a><\/p>\n

\ue804Ravie Lakshmanan<\/span>\ue802Apr 23, 2026<\/span><\/span>Threat Intelligence \/ Malware<\/span><\/p>\n

Mongolian governmental institutions have emerged as the target of a previously undocumented China-aligned advanced persistent threat (APT) group tracked as GopherWhisper<\/strong>.<\/p>\n

“The group wields a wide array of tools mostly written in Go, using injectors and loaders to deploy and execute various backdoors in its arsenal,” Slovakian cybersecurity company ESET said in a report shared with The Hacker News. “GopherWhisper abuses legitimate services, notably Discord, Slack, Microsoft 365 Outlook, and file.io for command-and-control (C&C) communication and exfiltration.”<\/p>\n

The group was first discovered in January 2025 following the discovery of a never-before-seen backdoor codenamed LaxGopher on a system belonging to a Mongolian governmental entity. GopherWhisper is assessed to be active at least since November 2023. Besides LaxGopher, some of the other malware families part of the threat actor’s arsenal are Golang-based tools to receive instructions from the C&C server, execute them, and send the results back.<\/p>\n

Also used by the threat actor is a file collection tool to gather files of interest and exfiltrate them in compressed format to the file[.]io file sharing service and a C++ backdoor that offers remote control over compromised hosts.<\/p>\n

Telemetry data from ESET shows that about 12 systems associated with the Mongolian governmental institution were infected by the backdoors, with C&C traffic from the attacker-controlled Discord and Slack servers indicating dozens of other victims.<\/p>\n

\"\"<\/p>\n

Exactly how GopherWhisper obtains initial access to the target networks is currently not known. But a successful foothold is followed by attempts to deploy a wide range of tools and implants –<\/p>\n