GopherWhisper and HexagonalRodent activity
- ESET said on April 22 it uncovered a previously undocumented China-aligned group, GopherWhisper, after finding Go-based backdoors and loaders inside a Mongolian government institution it had monitored since January 2025.
- Expel said on April 22 that North Korea-linked HexagonalRodent targeted Web3 developers with fake job tests, AI-built lures, and malware that exposed up to $12 million in crypto wallets in three months.
- Both reports show state-linked operators mixing espionage and developer-targeting tradecraft while abusing trusted platforms like Slack, Discord, Outlook, and Visual Studio Code. (eset.com) (expel.com)
A backdoor is a hidden way back into a computer, like a spare key left under a mat, and two new reports say state-linked groups are planting those keys in very different places. (eset.com) (expel.com)

ESET said on April 22 that it discovered a previously undocumented China-aligned espionage group it calls GopherWhisper after finding a backdoor named LaxGopher in a Mongolian government system in January 2025. (eset.com) The company said GopherWhisper used mostly Go-written tools, plus a C++ backdoor, injectors, exfiltration utilities, and a loader called FriendDelivery to keep access inside that institution. (eset.com) ESET said the operators routed command-and-control traffic and data theft through Discord, Slack, Microsoft 365 Outlook, and file.io, turning common workplace services into covert channels. (eset.com)

A supply-chain lure works differently: instead of breaking into one government network, attackers hide malicious code in a tool or code sample that developers are invited to trust and run. (expel.com) Expel said on April 22 that a North Korea-linked group it tracks as HexagonalRodent focused on Web3 developers, using fake recruiters, sham company sites, and coding tests booby-trapped to run malware through Visual Studio Code task settings. (expel.com) Expel said the group leaned heavily on ChatGPT and Cursor to write malware, build spoofed websites, and generate fake executive profiles, then used malware families including BeaverTail, OtterCookie, and InvisibleFerret on infected systems. (expel.com) The firm said HexagonalRodent exposed data from 26,584 cryptocurrency wallets across 2,726 infected developer systems in three months, putting as much as $12 million in digital assets at risk. (expel.com) Expel also said the group carried out its first supply-chain attack by compromising the fast-draft Visual Studio Code extension, widening distribution beyond one-to-one recruiter messages. (expel.com)

The two campaigns point in different directions at once: GopherWhisper stayed inside Mongolian government systems for intelligence collection, while HexagonalRodent chased developers and crypto wallets with recruitment scams and poisoned code. (eset.com) (expel.com) In both cases, the attackers hid behind familiar software and routine work: chat apps for one campaign, job tests and developer tools for the other. (eset.com) (expel.com)
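The Visual Studio Code task-settings vector Expel describes above rests on a documented editor feature: a task in a project's .vscode/tasks.json whose runOptions.runOn is set to folderOpen executes as soon as the folder is opened. The scanner below is an added example, not code from either report: it parses tasks.json (including the JSONC comments and trailing commas VS Code tolerates) and flags such auto-run tasks so a reviewer can inspect a downloaded "coding test" before opening it. The sample tasks.json is constructed, and treating folderOpen as the setting of concern is an assumption, since the summary does not say which task setting the lures abused.

```python
import json
import re

def strip_jsonc(text: str) -> str:
    """VS Code reads tasks.json as JSONC: drop comments outside strings, then trailing commas."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:  # keep the escaped character, including \"
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif text.startswith("//", i):  # line comment: skip to end of line
            j = text.find("\n", i)
            i = (n if j < 0 else j) - 1
        elif text.startswith("/*", i):  # block comment: skip past the closing */
            j = text.find("*/", i + 2)
            i = (n if j < 0 else j + 2) - 1
        else:
            out.append(c)
            in_str = c == '"'  # an unescaped quote opens a string literal
        i += 1
    # trailing commas before } or ] (assumes none occur inside string values)
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))

def find_autorun_tasks(tasks_doc: dict) -> list:
    """Return tasks whose runOptions.runOn is 'folderOpen': they execute with no user action."""
    findings = []
    for task in tasks_doc.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        parts = [task.get("command", "")] + list(task.get("args", []))
        findings.append({"label": task.get("label", "<unnamed>"), "type": task.get("type", "process"),
                         "command": " ".join(str(p) for p in parts).strip()})
    return findings

def scan_tasks_text(text: str) -> list:
    """Raw tasks.json text in, list of auto-run task findings out (empty list means none)."""
    return find_autorun_tasks(json.loads(strip_jsonc(text)))

# Constructed sample tasks.json (JSONC: comment and trailing commas) with one auto-run task.
SAMPLE_TASKS_JSON = """{ // build helpers
  "version": "2.0.0", "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell", "command": "node", "args": ["./setup.js"],
     "runOptions": {"runOn": "folderOpen"},}, ],}"""
```

Run scan_tasks_text over the tasks.json of any repository received from a recruiter and review every flagged command before trusting the workspace; VS Code's Workspace Trust prompt gates automatic tasks, so this check is a second line for folders a developer has already marked trusted.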