VYPR
breach · Published Apr 24, 2026 · Updated May 18, 2026 · 1 source

Chinese APT 'GopherWhisper' Targets Mongolian Government with Cloud-Abusing Backdoors

ESET researchers have uncovered a Chinese APT group, GopherWhisper, that has been targeting the Mongolian government since November 2023 with five distinct backdoors abusing Slack, Discord, and Microsoft Outlook for command-and-control.

ESET researchers have uncovered a Chinese advanced persistent threat (APT) group, dubbed GopherWhisper, that has been systematically targeting the Mongolian government since November 2023. The group deployed five distinct backdoors—LaxGopher, CompactGopher, RatGopher, BoxOfFriends, and SSLORDoor—each abusing different cloud services for command-and-control (C2), including Slack, Discord, and Microsoft Outlook drafts. At least 12 systems in one Mongolian government institution were backdoored, with evidence suggesting dozens more victims.

GopherWhisper's toolset is considered unsophisticated. Internal files found by ESET included a file named "How to write RATs," leading researchers to believe the operators may be novice malware developers. Despite this, the group has been productive, churning out multiple custom backdoors in a short period. The backdoors use different channels for C2: LaxGopher (Slack), RatGopher (Discord), BoxOfFriends (Microsoft Outlook drafts), and SSLORDoor (no SaaS platform). CompactGopher manages file exfiltration via the public file-sharing service file.io.
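A defender-side hunting sketch for the C2 pattern described above, added here as an example (it is not ESET's or this page's code): it flags endpoint connections to Slack, Discord, Outlook or file.io made by processes that are not expected clients of that service. The CSV log layout, the process names, the allow-list and the mapping of Outlook to `graph.microsoft.com` / `outlook.office.com` are assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import defaultdict

# Assumed domain suffixes for the services named in the article.
WATCHED = {
    "slack.com": "Slack",
    "discord.com": "Discord",
    "graph.microsoft.com": "Outlook",
    "outlook.office.com": "Outlook",
    "file.io": "file.io",
}
EXPECTED = {  # assumed allow-list: processes expected to reach each service
    "Slack": {"slack.exe", "chrome.exe", "msedge.exe"},
    "Outlook": {"outlook.exe", "chrome.exe", "msedge.exe"},
    "Discord": set(),   # assumed: not sanctioned on these endpoints
    "file.io": set(),   # assumed: not sanctioned on these endpoints
}

def service_for(host):
    """Match a hostname against the watched suffixes on a label boundary."""
    host = host.lower().rstrip(".")
    for suffix, name in WATCHED.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

def hunt(log_text):
    """Return {(src_host, process, service): count} for unexpected pairs."""
    hits = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        svc = service_for(row["dest_host"])
        proc = row["process"].lower()
        if svc and proc not in EXPECTED[svc]:
            hits[(row["src_host"], proc, svc)] += 1
    return dict(hits)

# Constructed sample records (endpoint network telemetry exported as CSV).
SAMPLE = """ts,src_host,process,dest_host
2024-01-10T08:00:01Z,WS-014,chrome.exe,app.slack.com
2024-01-10T08:00:05Z,WS-014,svchelper.exe,slack.com
2024-01-10T08:05:05Z,WS-014,svchelper.exe,slack.com
2024-01-10T08:02:00Z,WS-022,updater.exe,graph.microsoft.com
2024-01-10T08:03:00Z,WS-031,rundll32.exe,discord.com
2024-01-10T08:04:00Z,WS-031,rundll32.exe,file.io
"""
if __name__ == "__main__":
    for (host, proc, svc), n in sorted(hunt(SAMPLE).items()):
        print(f"{host}: {proc} -> {svc} ({n} connections)")
```

Because these services are legitimate and widely used, the signal is the process making the connection rather than the destination itself; the allow-list has to reflect what is actually sanctioned in the environment.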

The group's heavy focus on Mongolia is notable. Mongolia is sandwiched between two of the world's most capable cyber powers, China and Russia. According to ESET, Mongolia sees mostly China-aligned groups targeting organizations. Previous campaigns include RedDelta (2023–2024), an unattributed COVID-related campaign (2020), and APT27 (Emissary Panda) against a national data center. However, Mongolian government data suggests the overwhelming volume of malicious cyber activity comes from Russia, with the US a distant second.

Mongolia recorded 1.6 million total cyberattacks and cyber incidents in 2024, 13,061 of which involved cybercrimes, costing $25.4 million in damages. The government has been working to stem the problem through a 2021 law on cybersecurity and a National Cyber Security Strategy approved in January 2023. As one ISS author wrote, "Mongolia is trying to keep up on global trends of digitalization but our cybersecurity is weighed down by a plethora of challenges."

The discovery of GopherWhisper highlights the ongoing threat to Mongolia's government sector. While the group's toolset may not be sophisticated, its ability to pivot between multiple cloud-based C2 channels makes it a persistent threat. ESET's findings underscore the need for continued vigilance and investment in cybersecurity defenses in Mongolia.

Synthesized by Vypr AI