
Mongolian government agencies have emerged as targets of a previously undocumented China-aligned Advanced Persistent Threat (APT) group tracked as GopherWhisper.
“The group leverages a wide range of tools, primarily written in Go, and uses injectors and loaders to deploy and execute various backdoors in its arsenal,” Slovak cybersecurity firm ESET said in a report shared with The Hacker News. “GopherWhisper exploits legitimate services, particularly Discord, Slack, Microsoft 365 Outlook, and file.io, for command and control (C&C) communications and theft.”
ESET first identified the group in January 2025, after finding a previously unseen backdoor, codenamed LaxGopher, on systems belonging to a Mongolian government agency. Several other malware families have since been attributed to the group's arsenal. They are written mainly in Go and follow the same pattern: receive instructions from a C&C server, execute them, and send the results back.
The group also uses file-harvesting tools that collect files of interest, pack them into a compressed archive, and exfiltrate the archive to file[.]io, as well as a C++ backdoor that provides file operations and remote control of the compromised host.
ESET telemetry indicates that around a dozen systems belonging to Mongolian government agencies were infected with the backdoor, and that dozens of other victims show C&C traffic to attacker-controlled Discord and Slack servers.
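A hunting rule for the pattern described above, added here as an example and not taken from ESET's report: flag workstation processes other than the expected client or a browser talking to the services the group abuses (Slack, Discord, file.io, Microsoft Graph), and escalate hosts that touch more than one of them in the same window, since a C&C channel plus an exfiltration channel on one host is a stronger signal than either alone. The log format, the allow-list of client binaries and the sample lines are constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Services the report says GopherWhisper abuses, mapped to the client binaries that
// legitimately talk to them from a workstation. The allow-list is an ASSUMPTION made
// for this example; tune it to the environment.
var expectedClients = map[string][]string{
	"slack.com":           {"slack.exe"},
	"discord.com":         {"discord.exe"},
	"graph.microsoft.com": {"outlook.exe", "teams.exe", "onedrive.exe"},
	"file.io":             {}, // no desktop client: any non-browser access is worth a look
}

// Browsers may reach any of the services above without being suspicious on their own.
var browsers = map[string]bool{"chrome.exe": true, "msedge.exe": true, "firefox.exe": true}

// Constructed proxy log lines: time,host,process image,method,destination host,path.
const sampleLog = `
2025-01-14T09:12:03Z,host-17,C:\Windows\System32\rundll32.exe,POST,slack.com,/api/chat.postMessage
2025-01-14T09:12:41Z,host-17,C:\Windows\System32\rundll32.exe,POST,file.io,/
2025-01-14T09:15:00Z,host-22,C:\Program Files\Google\Chrome\Application\chrome.exe,GET,discord.com,/api/v9/channels/123/messages
2025-01-14T09:16:10Z,host-09,C:\Users\u\AppData\Local\slack\app-4.40.0\slack.exe,POST,slack.com,/api/chat.postMessage
2025-01-14T09:20:33Z,host-31,C:\Windows\explorer.exe,POST,graph.microsoft.com,/v1.0/me/messages
2025-01-14T09:21:00Z,host-31,C:\Windows\explorer.exe,GET,discord.com,/api/v9/channels/456/messages
`

type event struct{ Time, Host, Process, Method, Dest, Path string }

type finding struct{ Host, Process, Dest string }

// baseName strips a Windows or POSIX directory prefix without relying on the host OS.
func baseName(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		return p[i+1:]
	}
	return p
}

func parseLine(line string) (event, bool) {
	f := strings.Split(line, ",")
	if len(f) != 6 {
		return event{}, false
	}
	return event{f[0], f[1], f[2], f[3], f[4], f[5]}, true
}

// suspicious is true when a watched service is contacted by a process that is neither
// a browser nor the service's own client.
func suspicious(e event) bool {
	clients, watched := expectedClients[e.Dest]
	if !watched {
		return false
	}
	proc := strings.ToLower(baseName(e.Process))
	if browsers[proc] {
		return false
	}
	for _, c := range clients {
		if proc == c {
			return false
		}
	}
	return true
}

// hunt returns every suspicious line and, separately, the hosts that reached two or
// more abused services (the C&C-plus-exfiltration combination).
func hunt(logText string) (findings []finding, multiService []string) {
	perHost := map[string]map[string]bool{}
	for _, line := range strings.Split(strings.TrimSpace(logText), "\n") {
		e, ok := parseLine(strings.TrimSpace(line))
		if !ok || !suspicious(e) {
			continue
		}
		findings = append(findings, finding{e.Host, baseName(e.Process), e.Dest})
		if perHost[e.Host] == nil {
			perHost[e.Host] = map[string]bool{}
		}
		perHost[e.Host][e.Dest] = true
	}
	for h, svcs := range perHost {
		if len(svcs) >= 2 {
			multiService = append(multiService, h)
		}
	}
	sort.Strings(multiService)
	return findings, multiService
}

func main() {
	findings, escalate := hunt(sampleLog)
	for _, f := range findings {
		fmt.Printf("suspicious: %s %s -> %s\n", f.Host, f.Process, f.Dest)
	}
	fmt.Println("escalate:", escalate)
}
```

On the constructed sample, the rule flags the two rundll32.exe requests from host-17 and the two explorer.exe requests from host-31, ignores Chrome and the real Slack client, and escalates host-17 (Slack plus file.io) and host-31 (Graph plus Discord).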

It is currently unclear exactly how GopherWhisper gains initial access to a target network. Once it has a foothold, however, it attempts to deploy a range of tools and implants:
JabGopher is an injector that runs the LaxGopher backdoor ('whisper.dll').
LaxGopher is a Go-based backdoor that uses Slack for C&C: it executes commands via 'cmd.exe', posts the results to a Slack channel, and downloads additional malware.
CompactGopher is a Go-based file collection utility dropped by LaxGopher. It selects files of interest by extension (.doc, .docx, .jpg, .xls, .xlsx, .txt, .pdf, .ppt, and .pptx), compresses them into a ZIP archive, encrypts the archive with AES-CFB-128, and exfiltrates it to file[.]io.
RatGopher is a Go-based backdoor that receives C&C messages from a private Discord server, executes commands, posts the results to configured Discord channels, and uploads and downloads files via file[.]io.
SSLORDoor is a C++ backdoor that communicates over raw sockets on port 443 using OpenSSL BIO. Based on C&C input it enumerates drives, performs file operations, and executes commands via 'cmd.exe'.
FriendDeliver is a malicious DLL that acts as a loader and injector for BoxOfFriends.
BoxOfFriends is a Go-based backdoor that uses the Microsoft Graph API, with hard-coded credentials, to create draft emails as its C&C channel. The oldest Outlook account set up for this purpose ('barrantaya.1010@outlook[.]com') was created on July 11, 2024.
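The CompactGopher collection chain described above, reimplemented as an added example (not ESET's code and not the malware's) so a responder can see what the staged archive looks like and how to recover a captured one: extension filter, ZIP, AES-CFB-128, then the matching decryption and a listing of what the archive contained. The report gives only the algorithm name, so the 16-byte key, the IV-prepended layout and the sample files are assumptions made for this example; for a real sample, the key and IV handling must be taken from the binary.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// Extensions the report says CompactGopher collects.
var targetExts = map[string]bool{
	".doc": true, ".docx": true, ".jpg": true, ".xls": true, ".xlsx": true,
	".txt": true, ".pdf": true, ".ppt": true, ".pptx": true,
}

// file is an in-memory stand-in for a file on disk so the example runs offline;
// the real tool walks the filesystem.
type file struct {
	Name string
	Data []byte
}

// sampleKey is a placeholder: the real key is whatever the sample embeds (ASSUMPTION).
var sampleKey = []byte("0123456789abcdef")

// sampleFiles is a constructed set of documents, one of which (tool.exe) must be skipped.
func sampleFiles() []file {
	return []file{
		{"report.docx", []byte("quarterly budget")},
		{"notes.txt", []byte("meeting notes")},
		{"tool.exe", []byte("MZ...")},
		{"photo.JPG", []byte{0xff, 0xd8, 0xff, 0xe0}}, // case-insensitive match
	}
}

// selectFiles keeps only files whose extension is on the target list.
func selectFiles(files []file) []file {
	var out []file
	for _, f := range files {
		if targetExts[strings.ToLower(filepath.Ext(f.Name))] {
			out = append(out, f)
		}
	}
	return out
}

// zipFiles packs the selected files into a ZIP archive held in memory.
func zipFiles(files []file) ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, f := range files {
		w, err := zw.Create(f.Name)
		if err != nil { return nil, err }
		if _, err := w.Write(f.Data); err != nil { return nil, err }
	}
	if err := zw.Close(); err != nil { return nil, err }
	return buf.Bytes(), nil
}

// encryptCFB applies AES-128 in CFB mode. A random 16-byte IV is prepended to the
// ciphertext; that layout is an ASSUMPTION, the report does not describe it.
func encryptCFB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	out := make([]byte, aes.BlockSize+len(plaintext))
	if _, err := io.ReadFull(rand.Reader, out[:aes.BlockSize]); err != nil { return nil, err }
	cipher.NewCFBEncrypter(block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], plaintext)
	return out, nil
}

// decryptCFB is the analyst-side routine: reverse encryptCFB on a captured archive.
func decryptCFB(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	if len(ciphertext) < aes.BlockSize { return nil, fmt.Errorf("ciphertext shorter than one IV") }
	iv, body := ciphertext[:aes.BlockSize], ciphertext[aes.BlockSize:]
	plaintext := make([]byte, len(body))
	cipher.NewCFBDecrypter(block, iv).XORKeyStream(plaintext, body)
	return plaintext, nil
}

// listZip returns the entry names of an archive, the first thing a responder wants
// to know about what left the network. A wrong key yields a zip parse error here.
func listZip(data []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil { return nil, err }
	var names []string
	for _, f := range zr.File { names = append(names, f.Name) }
	return names, nil
}

// stagedArchive runs the whole chain (filter, zip, encrypt, decrypt) and returns the
// entry names recovered from the decrypted archive.
func stagedArchive(key []byte, files []file) ([]string, error) {
	zipped, err := zipFiles(selectFiles(files))
	if err != nil { return nil, err }
	enc, err := encryptCFB(key, zipped)
	if err != nil { return nil, err }
	dec, err := decryptCFB(key, enc)
	if err != nil { return nil, err }
	return listZip(dec)
}

func main() {
	names, err := stagedArchive(sampleKey, sampleFiles())
	if err != nil { panic(err) }
	fmt.Println("recovered entries:", names)
}
```

Because CFB is a stream-style mode with no integrity check, a wrong key does not produce an error from the cipher itself; the only signal is that the output no longer parses as a ZIP, which is why the listing step doubles as the key check.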
“When we examined timestamps on Slack and Discord messages, we found that the majority of messages were sent during business hours, between 8am and 5pm, coinciding with China Standard Time,” ESET researcher Eric Howard said. “Additionally, the user’s locale set in Slack metadata was also set to this time zone. Therefore, GopherWhisper appears to be a pro-China group.”
