
A newly identified China-aligned advanced persistent threat group, GopherWhisper, has been linked to a sophisticated cyber espionage campaign targeting Mongolian government systems. The operation highlights the increasing complexity of state-backed cyberattacks, with attackers deploying multiple malware tools and leveraging legitimate platforms to evade detection.
According to cybersecurity researchers, the group infected 12 systems associated with a Mongolian governmental institution, using a range of custom-built backdoors primarily written in the Go programming language. The campaign was first uncovered in January 2025 following the discovery of a previously unknown backdoor named LaxGopher, which played a central role in the attack chain.
One of the most notable aspects of the operation is the use of widely trusted services such as Slack, Discord, Microsoft 365 Outlook, and file-sharing platforms for command-and-control communication and data exfiltration. By abusing legitimate services, the attackers were able to blend malicious activity with normal network traffic, making detection significantly more challenging for security teams.
The threat group deployed a diverse toolkit that included multiple malware variants such as LaxGopher, RatGopher, CompactGopher, and SSLORDoor. These tools enabled attackers to execute commands remotely, collect sensitive files, compress and encrypt data, and exfiltrate it to external servers. Some components also allowed persistent access and lateral movement within compromised networks.
Researchers noted that the attackers used injectors and loaders to deploy these backdoors, ensuring a stealthy and layered infection process. In addition, certain malware variants leveraged APIs and encrypted communication channels to further obscure their activity, indicating a high level of sophistication and planning behind the campaign.
While the initial access vector remains unknown, analysis of operational patterns suggests links to China, including activity timestamps aligning with China Standard Time. The campaign is believed to have been active since at least November 2023, with evidence pointing to additional victims beyond the confirmed Mongolian targets.
The GopherWhisper campaign underscores a broader trend in cyber espionage, where threat actors increasingly rely on legitimate cloud services and modular malware frameworks to conduct stealthy and persistent operations. As such tactics continue to evolve, organizations are being urged to strengthen monitoring capabilities and adopt advanced threat detection strategies to defend against similar attacks.
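As an added illustration (not code from the article or from the researchers it cites), the Python below shows one way a defender could surface the pattern described above in proxy telemetry: a watched service such as Slack or Discord contacted by a process the organisation does not sanction for it, or an unusually large cumulative upload to it. The hostnames, process allowlist, byte threshold and log lines are all assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not real telemetry):
# timestamp, source host, process, destination hostname, bytes sent.
SAMPLE_LOG = """\
2025-01-14T09:02:11Z gov-ws-07 slack.exe slack.com 1824
2025-01-14T09:03:40Z gov-ws-07 chrome.exe outlook.office365.com 9120
2025-01-14T09:05:02Z gov-ws-12 svchost.exe discord.com 512
2025-01-14T09:05:09Z gov-ws-12 svchost.exe gateway.discord.com 4200000
2025-01-14T09:07:55Z gov-ws-12 svchost.exe discord.com 3900000
2025-01-14T09:10:30Z gov-ws-03 updater.exe files.slack.com 26000000
"""

# Services the article names as abused, mapped to the client processes this
# hypothetical organisation sanctions for each (empty set: not sanctioned at all).
SANCTIONED = {
    "slack.com": {"slack.exe", "chrome.exe", "msedge.exe"},
    "discord.com": set(),
    "outlook.office365.com": {"outlook.exe", "chrome.exe", "msedge.exe"},
}
EXFIL_BYTES = 5_000_000  # outbound volume per (host, process, service) worth review

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def detect(log_text, sanctioned=SANCTIONED, threshold=EXFIL_BYTES):
    """Alert on unsanctioned processes reaching watched services and on large uploads."""
    alerts, seen, volume = [], set(), defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the sweep
        ts, host, proc, dst, sent = m.groups()
        # Match the destination to a watched service, including its subdomains.
        service = next((s for s in sanctioned
                        if dst == s or dst.endswith("." + s)), None)
        if service is None:
            continue
        key = (host, proc, service)
        if proc not in sanctioned[service] and ("client", key) not in seen:
            seen.add(("client", key))
            alerts.append({"rule": "unsanctioned_client", "ts": ts, "host": host,
                           "proc": proc, "service": service})
        volume[key] += int(sent)
        if volume[key] > threshold and ("volume", key) not in seen:
            seen.add(("volume", key))
            alerts.append({"rule": "upload_volume", "ts": ts, "host": host,
                           "proc": proc, "service": service, "bytes": volume[key]})
    return alerts
```

Each (host, process, service) tuple is reported at most once per rule, so a chatty backdoor does not flood the queue; in practice the allowlist would come from endpoint inventory rather than a hard-coded dict.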