thehackernews.com 4/23/2026, 9:51:17 AM · via preferred

APT GopherWhisper hits Mongolian govt with Go-based backdoors

The Hacker News reports that a China-aligned advanced persistent threat group tracked as GopherWhisper has infected 12 Mongolian government systems with Go-based backdoors, according to ESET. The attackers are said to wield a wide array of Golang tools, including injectors and loaders that deploy backdoors such as LaxGopher, which is connected to the whisper[.]dll backdoor, and JabGopher, an injector used to run it.

Among the tools discovered are CompactGopher, a file collection utility that compresses and exfiltrates data to file[.]io, and RatGopher, a backdoor that uses a private Discord server for command-and-control. The campaign also includes BoxOfFriends and FriendDelivery. BoxOfFriends uses the Microsoft Graph API to craft draft emails, and the earliest Outlook account created for this purpose was created on 11 July 2024.

Telemetry shows that around 12 systems were infected, and C2 traffic observed on Discord and Slack indicates additional victims. The report notes that how the attackers initially gained access remains unknown, but that once footholds are established they deploy a wide range of implants to exfiltrate data and receive instructions from C2 servers.
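A hunting sketch for the channels named above, added here as an example and not taken from ESET or The Hacker News: it flags per-process network events where a process outside an expected-client list reaches file.io, Discord, Slack or Microsoft Graph. The hostnames, the allow-list, the log format and every sample row are assumptions constructed for illustration.

```python
import csv
import io

# Services the report names as C2 or exfiltration channels, mapped to the
# hostnames they are normally reached on (hostname list is an assumption).
WATCHED = {
    "file.io": "file.io (exfiltration)",
    "discord.com": "Discord (C2)",
    "discord.gg": "Discord (C2)",
    "slack.com": "Slack (C2)",
    "graph.microsoft.com": "Microsoft Graph (draft-email C2)",
}

# Processes expected to reach these services on a managed host (assumption;
# tune per environment).
EXPECTED = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe",
            "slack.exe", "discord.exe", "teams.exe"}

def match_service(domain):
    """Return the watched-service label for a domain or subdomain, else None."""
    d = domain.lower().rstrip(".")
    for suffix, label in WATCHED.items():
        if d == suffix or d.endswith("." + suffix):
            return label
    return None

def flag_events(log_text):
    """Return events where an unexpected process talks to a watched service."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        label = match_service(row["dest_host"])
        proc = row["process"].rsplit("\\", 1)[-1].lower()
        if label and proc not in EXPECTED:
            findings.append((row["host"], proc, label, int(row["bytes_out"])))
    return findings

# Constructed sample: host, process path, destination, bytes sent.
SAMPLE = """host,process,dest_host,bytes_out
ws-014,C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe,discord.com,1820
ws-014,C:\\ProgramData\\svc\\updater.exe,gateway.discord.gg,944
srv-03,C:\\Users\\Public\\collect.exe,file.io,48211734
ws-022,C:\\Users\\Public\\mailhelper.exe,graph.microsoft.com,5120
ws-022,C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE,graph.microsoft.com,2210
ws-031,C:\\Windows\\System32\\rundll32.exe,notfile.io,100
"""

if __name__ == "__main__":
    for host, proc, label, sent in flag_events(SAMPLE):
        print(f"{host}: {proc} -> {label}, {sent} bytes out")
```

Because the toolset includes injectors, a clean process name does not clear a host; treat hits as hunting leads and an empty result as inconclusive.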

Article by CyberSIXT