GopherWhisper APT Targets Mongolia Using Cloud Tools for Espionage

GopherWhisper APT Targets Mongolia Using Cloud Tools for Espionage

First seen 24 Apr 2026, 07:55 UTC Feeds2.FeedburnerDarkreadingwww.recordedfuture.comresearch.checkpoint.comsecurelist.com+3 86% similarity 60.0

Article Content

Browse articles
ThreatCluster

The Chinese APT group known as GopherWhisper has been identified as targeting the Mongolian government using multiple cloud-based tools for espionage. Active since November 2023, the group has backdoored at least 12 systems within a Mongolian governmental entity, with indications that dozens more may be affected. ESET researchers discovered various backdoors, including LaxGopher, JabGopher, CompactGopher, RatGopher, BoxOfFriends, and SSLORDoor, each utilizing different command-and-control (C2) methods. These methods include leveraging Slack, Discord, Microsoft Outlook, and file.io for data exfiltration and communication. The sophistication of GopherWhisper's attacks is considered low, as they rely on a variety of less advanced tools rather than a single sophisticated exploit. The ongoing investigation highlights the group's unique focus on a region not typically targeted by other APTs. Current assessments suggest that while the group is active, the threat level remains moderate due to the lack of advanced attack techniques.

Key Points: • GopherWhisper APT has targeted Mongolian government systems since late 2023. • The group uses multiple cloud services for command-and-control operations. • At least 12 systems have been compromised, with potential for more victims.

ThreatCluster AI

Timeline

2023-11-01
GopherWhisper APT begins operations targeting Mongolia.
2025-01-02
ESET discovers LaxGopher and JabGopher malware samples.
2025-01-22
Discovery of the RatGopher backdoor.
2025-03-05
BoxOfFriends backdoor and its loader identified.
2025-03-24
SSLORDoor backdoor discovered.
2026-04-23
GopherWhisper publicly identified in cybersecurity news.

Community

Browse all →