A newly discovered Chinese APT, dubbed GopherWhisper, has been observed targeting the government of Mongolia, with activity dating back to November 2023 according to researchers. ESET notes that it backdoored 12 systems inside one Mongolian government institution, with evidence suggesting dozens more could have been impacted. The group uses a suite of backdoors—LaxGopher, JabGopher, CompactGopher, RatGopher, BoxOfFriends, FriendDelivery, and SSLORDoor—each using a different cloud-based C2 channel.
LaxGopher and RatGopher communicate over Slack and Discord, and BoxOfFriends over Microsoft Outlook draft emails; CompactGopher handles file exfiltration, and SSLORDoor operates through another cloud service. The campaign has been marked by a series of staggered malware discoveries beginning in early January 2025: the backdoors and their injectors were identified on January 2, 2025, with further findings on January 22, March 5 and March 24.
According to the Institute for Strategic Studies of Mongolia’s National Security Council, Mongolia recorded 1.6 million cyberattacks and cyber incidents in 2024, at a cost of $25.4 million, with a substantial share attributed to Russian and China-aligned activity in the region.