ESET discloses GopherWhisper APT targeting Mongolia
- ESET Research disclosed yesterday a China-aligned APT it calls GopherWhisper, which targets Mongolian government institutions with the custom Go-based malware families LaxGopher, RatGopher and JabGopher.
- In recent reports, ESET said the group abuses legitimate SaaS platforms, including Slack, Discord and Microsoft 365, to establish stealthy command-and-control channels.
- ESET named the malware strains LaxGopher, RatGopher and JabGopher in its disclosure; the linked social post is dated May 20. (x.com)
1/ ESET Research on Wednesday disclosed GopherWhisper, a China-aligned advanced persistent threat (APT) group targeting Mongolian government institutions. The group deploys custom malware written in Go, including families named LaxGopher, RatGopher, and JabGopher. ESET tracked the activity from mid-2023 through early 2026.

2/ GopherWhisper's toolkit abuses legitimate SaaS platforms for command-and-control (C2) communications, blending into normal traffic. Specific uses include Slack for exfiltration via webhook abuse, Discord for reverse shells, and Microsoft 365 for data staging. This "living off the cloud" tactic evades traditional network defenses.

3/ LaxGopher, the most prevalent implant, uses Go's net/http package for C2 over HTTP/HTTPS. It supports 18 commands, from screenshots and keylogging to clipboard theft and system enumeration. ESET first spotted it in June 2023 targeting a Mongolian government entity.

4/ RatGopher acts as a loader, injecting shellcode into memory for modularity. It fetches payloads from Microsoft OneDrive and establishes persistence via scheduled tasks. JabGopher, the newest variant, spotted in 2026, focuses on credential dumping and lateral movement using tools like Mimikatz.

5/ Targets include at least eight Mongolian government agencies, such as the Prime Minister's Office, the Ministry of Foreign Affairs, and the National Police. ESET attributes the operations to China-aligned actors based on infrastructure overlaps with groups like BlackTech and on infrastructure reuse patterns. There is no public attribution to a specific Chinese state organ.

6/ Why Mongolia? Geopolitics play a role. Mongolia shares a border with China and maintains close economic ties while balancing relations with Russia and the West. ESET notes the espionage aligns with interests in regional stability, mining resources, and Belt and Road Initiative projects. Similar tactics appear in campaigns against other neighbors.

7/ Detection relies on behavioral indicators: unusual SaaS API calls, Go binaries with embedded C2 domains, and anomalous scheduled tasks. ESET's YARA rules for LaxGopher are public on GitHub. Organizations using these platforms should monitor for abuse patterns such as high-volume webhooks or unexpected OneDrive downloads.

8/ ESET recommends network segmentation for government SaaS usage, behavioral analytics on cloud APIs, and hunting for Go-based implants via memory forensics. The report includes IOCs such as C2 domains (e.g., graphupdates[.]space) and hashes for over 20 samples. Full technical breakdown at the link below.

9/ This fits a trend of APTs leveraging trusted cloud services for stealth, similar to UNC5174's use of GitHub and North Korea's abuse of Discord. GopherWhisper's Go focus highlights the language's rise in malware development for cross-platform compatibility.

10/ ESET's disclosure dropped May 20, 2026. Check their WeLiveSecurity blog for updates. Mongolian entities and regional orgs should prioritize patching and IOC scans.
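As an added defender-side illustration of the hunting guidance in 7/ and 8/ (example code written for this summary, not ESET's tooling): it scans proxy log lines for contact with the C2 domain quoted above and for hosts that burst webhook POSTs to Slack or Discord. The log line format, the sample log, and the thresholds are constructed assumptions; only the IOC domain comes from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit
# Webhook URL prefixes for two of the SaaS platforms the report names (constants assumed here).
WEBHOOK_PATTERNS = {"slack": re.compile(r"^https://hooks\.slack\.com/services/"),
                    "discord": re.compile(r"^https://discord\.com/api/webhooks/")}
IOC_DOMAINS = {"graphupdates[.]space".replace("[.]", ".")}  # defanged C2 domain quoted in the summary
LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+)$")  # assumed line shape: "<ISO ts> <src_ip> <method> <url>"
def parse_line(line):
    """Return (timestamp, src_ip, method, url), or None if the line does not match the assumed shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url = m.groups()
    return datetime.fromisoformat(ts), src, method, url

def hunt(lines, window=timedelta(minutes=5), max_webhooks=10):
    """Return (src_ip, reason) findings: contact with a known C2 domain, or more than
    max_webhooks webhook POSTs from one host to one platform inside any sliding window."""
    findings, posts = [], defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed lines instead of aborting the hunt
        ts, src, method, url = ev
        host = urlsplit(url).hostname
        if host in IOC_DOMAINS:
            findings.append((src, f"contact with known C2 domain {host}"))
        if method == "POST":
            for platform, pat in WEBHOOK_PATTERNS.items():
                if pat.match(url):
                    posts[(src, platform)].append(ts)
    for (src, platform), stamps in posts.items():
        stamps.sort()
        best = start = 0
        for end, t in enumerate(stamps):  # largest number of POSTs inside any window
            while t - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best > max_webhooks:
            findings.append((src, f"{best} {platform} webhook POSTs within {window}"))
    return findings

# Constructed sample log (not from the report): an IOC contact, a benign Slack user, a malformed line,
# and one host firing 12 Slack webhooks in under two minutes.
SAMPLE_LOG = ["2026-05-20T09:00:00 10.1.2.3 GET https://graphupdates.space/api/check",
              "2026-05-20T09:00:30 10.1.2.5 POST https://hooks.slack.com/services/T1/B1/y", "malformed line"]
SAMPLE_LOG += [f"2026-05-20T09:0{i // 6}:{i % 6 * 10:02d} 10.1.2.4 POST https://hooks.slack.com/services/T0/B0/x"
               for i in range(12)]
```

Running `hunt(SAMPLE_LOG)` flags the host contacting the IOC domain and the host bursting Slack webhooks, while the single benign webhook and the malformed line produce nothing.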