ESET researchers have identified a new China-aligned APT group dubbed GopherWhisper, which has been targeting governmental entities in Mongolia. The group primarily uses custom malware written in the Go programming language, employing a sophisticated arsenal of injectors, loaders, and backdoors including LaxGopher, RatGopher, and BoxOfFriends.
A distinctive feature of GopherWhisper is its reliance on legitimate cloud services like Slack, Discord, Microsoft 365 Outlook, and file.io for command-and-control (C&C) communications and data exfiltration. By extracting thousands of messages from these platforms, researchers gained unprecedented insight into the group's operations, confirming their alignment with China Standard Time based on activity patterns.
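The timezone inference mentioned above can be reproduced on any set of operator message timestamps. The following is an added example, not ESET's own tooling: it assumes a plain working-hours model (Mon-Fri, 09:00-17:59 local), scores every candidate UTC offset by how many events fall inside that window, and runs on a constructed sample of UTC timestamps rather than real GopherWhisper data.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone


def constructed_sample():
    """Constructed sample: 90 UTC timestamps of operator messages spread over
    09:00-17:59 local time in UTC+8 (i.e. 01:00-09:59 UTC), Monday to Friday."""
    base = datetime(2024, 3, 4, tzinfo=timezone.utc)  # a Monday
    events = []
    for day in range(5):                  # Mon..Fri
        for local_hour in range(9, 18):   # local working hours in UTC+8
            for minute in (5, 35):
                events.append(base + timedelta(days=day, hours=local_hour - 8, minutes=minute))
    return events


def hour_histogram(events, offset_hours):
    """Count events per local hour-of-day after shifting UTC by offset_hours."""
    return Counter((ts + timedelta(hours=offset_hours)).hour for ts in events)


def working_hours_score(events, offset_hours, start=9, end=18):
    """Fraction of events that fall on Mon-Fri within [start, end) local hour
    when the UTC timestamps are interpreted at the given offset."""
    if not events:
        return 0.0
    hits = 0
    for ts in events:
        local = ts + timedelta(hours=offset_hours)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(events)


def infer_utc_offset(events):
    """Return the UTC offset whose working-hours fit is best, plus all scores.
    Ties are broken toward the offset closest to UTC, so a flat histogram
    (automated, round-the-clock traffic) will not masquerade as a human schedule."""
    scores = {off: working_hours_score(events, off) for off in range(-12, 15)}
    best = max(scores, key=lambda off: (scores[off], -abs(off)))
    return best, scores


if __name__ == "__main__":
    sample = constructed_sample()
    best, scores = infer_utc_offset(sample)
    print(f"best-fit offset: UTC{best:+d} (score {scores[best]:.2f})")
    for hour, count in sorted(hour_histogram(sample, best).items()):
        print(f"{hour:02d}:00 local  {'#' * count}")
```

A real investigation would weight the score by message volume per day and discard bursts of automated beaconing before fitting, since only human-typed operator traffic carries a working-hours signal.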