There’s a newly discovered Chinese advanced persistent threat (APT) out in the wild, and it’s been targeting the government of Mongolia.
The group, “GopherWhisper,” is only now being described in public, but it isn’t actually new to the cyber threat landscape. Judging by internal chat logs, it’s been intermittently active since November 2023.
GopherWhisper won’t turn any heads with the sophistication of its attacks. It arguably distinguishes itself in only two respects: by using a gaggle of different backdoors, each of which leverages a different means of command-and-control (C2), and by its heavy focus on a country not often targeted by other cyber threat actors. Researchers at ESET found that it backdoored 12 systems inside of one Mongolian government institution, and evidence suggests that dozens more Mongolian victims may have been impacted too.
GopherWhisper’s Backdoors
On Jan. 2, 2025, ESET researchers discovered two malware samples: a backdoor, “LaxGopher,” and its injector, “JabGopher.” One might reasonably expect, at that point, that they had a pretty good idea of how this threat actor was attacking its victims.
A few days later, though, through C2 data recovered from LaxGopher, they found a second backdoor, “CompactGopher.” A few weeks after that, on Jan. 22, came yet another backdoor, “RatGopher.” March 5 unearthed a fourth backdoor, “BoxOfFriends,” and its loader, “FriendDelivery.” And on March 24, there was “SSLORDoor.”
Each of these backdoors distinguishes itself in small, technical ways, but the main difference is in what sort of means they use for C2. Each abuses some popular, mainstream cloud-hosted service to exchange data with targeted machines. LaxGopher uses Slack, and RatGopher uses Discord. BoxOfFriends manages the same kinds of communications via email drafts in Microsoft Outlook. SSLORDoor doesn’t abuse a software-as-a-service (SaaS) platform, and CompactGopher isn’t technically a C2 tool, as it only manages file exfiltration via the public file-sharing service file.io.
It’s unclear why GopherWhisper felt compelled to cook up five different versions of the same basic dish. Doing so might have allowed it to pivot more easily, if any one of its C2 methods were ever discovered or blocked. Perhaps it’s also the case that, if you can’t build an A-grade spy tool, having a bunch of C-grade options is good enough.
“They are quite productive in the way that they are using a lot of different custom backdoors in a short amount of time,” says ESET senior malware researcher Mathieu Tartare. But he qualifies that comment, adding, “I wouldn’t say that this is a particularly sophisticated group.” Compared with the many other backdoors these days that abuse popular cloud-based services, nothing about GopherWhisper’s toolset stands out for being all that impressive.
More to the point, in a presentation at Botconf 2026, ESET malware researcher Eric Howard noted, “Their ‘Downloads’ directory contains some interesting file names, including ‘How to write RATs,’ which leads us to believe that these operators might be new to developing malware.”
The Cyber Threat Landscape in Mongolia
Mongolia has the poor fortune of being sandwiched between two of the world’s most capable cyber powers.
From Tartare’s point of view, “In Mongolia we see mostly — I wouldn’t say exclusively, but mostly — China-aligned groups targeting organizations. I would say it’s necessarily like Ukraine with Russia, but they are quite heavily targeted [by one country].” Some higher-profile cases over time include a RedDelta campaign from 2023 to 2024, an unattributed COVID-related campaign in 2020, and an APT27 (aka Emissary Panda) campaign against a national data center a few years before that. Notably, all three of these campaigns were targeted at the government sector.
As reported by Mongolia’s UB Post, however, Mongolian government data suggests that the overwhelming volume of malicious cyber activity in the country comes from Russia, with the US a distant second. Though APT attacks out of Russia are less frequent, in 2023 and 2024, Google researchers found the Russian threat actor APT29 (aka Midnight Blizzard) exploiting Mongolian government websites for watering hole attacks, infecting the devices of passersby with surveillanceware. This isn’t to say that Mongolia has only two or three adversaries, either, as it’s occasionally swept up in broader espionage campaigns across the Asian continent as well.
According to the National Security Council of Mongolia’s Institute for Strategic Studies (ISS), an Ulaanbaatar-based government think tank, Mongolia in 2024 recorded 1.6 million total cyberattacks and cyber incidents, 13,061 of which involved cybercrimes, costing $25.4 million in damages. The government has been working in recent years to stem its problem, most notably through a 2021 law on cybersecurity and a National Cyber Security Strategy, approved in January 2023.
As one ISS author wrote last year, “Mongolia is trying to keep [up] on global trends of digitalization but our cybersecurity is weighed down by a plethora of challenges, which necessitates massive intervention to unburden. Mongolia has made strides, but cybersecurity threats know no borders.”
