Go, Whisper, Gone: China-Linked Hackers Breach Mongolian Government with Stealthy Go Malware
A new cyber-espionage group, “GopherWhisper,” quietly infiltrates Mongolian government systems using custom Go-based backdoors and abused legitimate cloud services.
On a cold morning in January 2025, Mongolian government networks stirred with silent activity - yet no alarms blared. Behind the scenes, a sophisticated China-aligned hacking group was already inside, quietly siphoning sensitive files and executing commands under the noses of officials. The culprit: a previously unknown threat actor dubbed “GopherWhisper,” whose weapon of choice is a suite of custom malware written in Go, a language still uncommon in malware.
Inside the Go Underground
ESET researchers first stumbled upon GopherWhisper in early 2025 after discovering the “LaxGopher” backdoor on a Mongolian government machine. Unlike most malware, which is typically written in C or C++, GopherWhisper’s toolkit is almost entirely built in Go - a language prized for its cross-platform builds, and one whose large, statically linked binaries and unfamiliar runtime internals are handled poorly by some traditional signatures and analysis tools.
The group’s tactics are as modern as they are insidious. Instead of setting up bespoke infrastructure, GopherWhisper uses legitimate cloud services as its command-and-control (C2) channel. Slack channels, Discord servers, and even Microsoft Outlook draft folders become covert conduits for remote commands and stolen data. Their malware family includes:
- LaxGopher: A Go-based backdoor using Slack for instructions and exfiltration.
- RatGopher: Communicates with Discord to execute commands and manage files.
- CompactGopher: Filters, compresses, encrypts, and uploads sensitive documents to file-sharing sites.
- SSLORDoor: A C++ implant using encrypted sockets to execute remote commands.
- BoxOfFriends: Abuses the Microsoft Graph API to pass messages through Outlook draft folders - drafts that are never actually sent.
Once inside, these implants can enumerate drives, run Windows commands, collect documents, and upload them - often encrypted - to platforms like file.io. The attackers have also built loaders (JabGopher and FriendDelivery) that quietly inject their payloads into memory.
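Because every service above is one an organisation's own staff legitimately use, blocking the domains is rarely an option; the implant traffic has to be separated from the users' traffic. The following is an added example (not code from ESET or from the article) of two signals a defender can pull from ordinary proxy logs: a client talking to the Slack, Discord, Graph or file.io hosts with a non-interactive user agent (Go's `net/http` sends `Go-http-client/1.1` unless the author changes it), and a client that polls one of those hosts on a steady timer. The log lines, the host list, the user-agent prefixes and the 0.2 threshold are the example's own assumptions.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
	"time"
)

// Constructed proxy log (not data from the ESET report), one request per line:
// "<RFC 3339 time> <client IP> <destination host> <user agent>". 10.0.5.17 polls
// slack.com once a minute with Go's default user agent; 10.0.5.23 is a person.
var sampleLog = []string{
	"2025-01-14T01:00:02Z 10.0.5.17 slack.com Go-http-client/1.1",
	"2025-01-14T01:01:02Z 10.0.5.17 slack.com Go-http-client/1.1",
	"2025-01-14T01:02:03Z 10.0.5.17 slack.com Go-http-client/1.1",
	"2025-01-14T01:03:02Z 10.0.5.17 slack.com Go-http-client/1.1",
	"2025-01-14T01:04:02Z 10.0.5.17 slack.com Go-http-client/1.1",
	"2025-01-14T01:00:40Z 10.0.5.23 slack.com Mozilla/5.0 (Windows NT 10.0) Slack/4.36",
	"2025-01-14T01:17:11Z 10.0.5.23 slack.com Mozilla/5.0 (Windows NT 10.0) Slack/4.36",
	"2025-01-14T02:40:05Z 10.0.5.23 example.org Mozilla/5.0 (Windows NT 10.0) Chrome/120",
}

// Assumption: the services the article says the implants use for C2 or exfiltration.
var watchedHosts = map[string]bool{"slack.com": true, "discord.com": true, "graph.microsoft.com": true, "file.io": true}

// Assumption: user-agent prefixes that no interactive Slack, Discord or Outlook
// client sends. Go's net/http sends "Go-http-client/1.1" unless the author overrides it.
var automationUA = []string{"Go-http-client/", "python-requests/", "curl/"}

// CadenceCV is stddev/mean of the gaps between consecutive timestamps: a loop
// polling every N seconds scores near 0, a human scores high. ok is false with
// fewer than four samples. Identical timestamps give NaN, which fails any threshold.
func CadenceCV(stamps []time.Time) (cv float64, ok bool) {
	if len(stamps) < 4 {
		return 0, false
	}
	s := append([]time.Time(nil), stamps...)
	sort.Slice(s, func(i, j int) bool { return s[i].Before(s[j]) })
	gaps := make([]float64, len(s)-1)
	var mean, ss float64
	for i := range gaps {
		gaps[i] = s[i+1].Sub(s[i]).Seconds()
		mean += gaps[i] / float64(len(gaps))
	}
	for _, g := range gaps {
		ss += (g - mean) * (g - mean)
	}
	return math.Sqrt(ss/float64(len(gaps))) / mean, true
}

// Analyze groups traffic to watched services by "client -> host" and, for each
// pair that looks like an implant rather than a user, returns the reasons:
// an automation user agent and/or a steady polling timer (CV below 0.2).
func Analyze(lines []string) (map[string][]string, error) {
	stamps := map[string][]time.Time{} // pair -> request times
	agent := map[string]string{}       // pair -> last automation user agent seen
	for _, l := range lines {
		f := strings.SplitN(l, " ", 4)
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed line: %q", l)
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		if !watchedHosts[f[2]] {
			continue
		}
		pair := f[1] + " -> " + f[2]
		stamps[pair] = append(stamps[pair], ts)
		for _, p := range automationUA {
			if strings.HasPrefix(f[3], p) {
				agent[pair] = f[3]
			}
		}
	}
	findings := map[string][]string{}
	for pair, ts := range stamps {
		var reasons []string
		if ua := agent[pair]; ua != "" {
			reasons = append(reasons, "automation user agent "+ua)
		}
		if cv, ok := CadenceCV(ts); ok && cv < 0.2 {
			reasons = append(reasons, fmt.Sprintf("steady cadence, CV %.3f over %d requests", cv, len(ts)))
		}
		if len(reasons) > 0 {
			findings[pair] = reasons
		}
	}
	return findings, nil
}

func main() {
	findings, err := Analyze(sampleLog)
	fmt.Println(findings, err)
}
```

On the constructed log the only flagged pair is `10.0.5.17 -> slack.com`, for both reasons; the human client escapes because its user agent is a real desktop client and two requests are too few to judge cadence. A real implant can set a browser-like user agent and jitter its sleep, so neither signal is proof on its own; they are a triage filter that shrinks the pile before an analyst looks at which Slack workspace or Graph tenant the client is actually talking to.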
Forensic analysis revealed a telling clue: most operator activity occurred between 8 a.m. and 5 p.m. China Standard Time (UTC+8), and locale settings in the Slack workspace metadata pointed the same way. This, coupled with the advanced nature of the tools, points to a well-resourced, China-aligned espionage operation.
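The working-hours argument above is a standard attribution technique, and the following added example (not from ESET or the article) shows how it is done: constructed UTC activity timestamps, such as the times commands were issued to an implant, are shifted into every whole-hour UTC offset and the offsets are ranked by how much of the activity lands in a 08:00-17:00 working day. The timestamps, the working-day window and the function names are the example's own. One caveat the code makes explicit: the method ranks offsets, not countries. Ulaanbaatar is also UTC+8, so timing alone cannot separate an operator in China from one in Mongolia, which is why the Slack locale metadata carried weight.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Constructed operator-activity timestamps in UTC, e.g. when commands were
// issued to an implant. Not data from the ESET report. They cluster between
// 00:00 and 09:00 UTC, which is 08:00-17:00 at UTC+8, with one late outlier.
var sampleActivity = []string{
	"2025-01-13T00:12:00Z", "2025-01-13T01:45:00Z", "2025-01-13T03:20:00Z",
	"2025-01-13T06:05:00Z", "2025-01-13T08:40:00Z", "2025-01-14T00:30:00Z",
	"2025-01-14T02:15:00Z", "2025-01-14T05:50:00Z", "2025-01-14T07:25:00Z",
	"2025-01-15T01:10:00Z", "2025-01-15T04:00:00Z", "2025-01-15T08:55:00Z",
	"2025-01-15T13:30:00Z", // 21:30 at UTC+8
}

// HourHistogram converts each UTC timestamp into loc and counts events per
// local hour of day; the date is discarded.
func HourHistogram(stamps []string, loc *time.Location) ([24]int, error) {
	var hist [24]int
	for _, s := range stamps {
		t, err := time.Parse(time.RFC3339, s)
		if err != nil {
			return hist, err
		}
		hist[t.In(loc).Hour()]++
	}
	return hist, nil
}

// WorkingShare is the fraction of events in the half-open local window
// [start, end), e.g. 8 and 17 for an 08:00-17:00 working day.
func WorkingShare(hist [24]int, start, end int) float64 {
	total, inWindow := 0, 0
	for h, n := range hist {
		total += n
		if h >= start && h < end {
			inWindow += n
		}
	}
	if total == 0 {
		return 0
	}
	return float64(inWindow) / float64(total)
}

// Candidate is one whole-hour UTC offset scored by how well it explains the activity.
type Candidate struct {
	OffsetHours int
	Share       float64
}

// RankOffsets scores every whole-hour offset from UTC-12 to UTC+14 and sorts
// best first. Fixed zones are used deliberately: China Standard Time has no
// daylight saving, and the ranking is of offsets, not countries. Beijing and
// Ulaanbaatar both sit at UTC+8 and are indistinguishable here.
func RankOffsets(stamps []string, start, end int) ([]Candidate, error) {
	var out []Candidate
	for off := -12; off <= 14; off++ {
		hist, err := HourHistogram(stamps, time.FixedZone("", off*3600))
		if err != nil {
			return nil, err
		}
		out = append(out, Candidate{off, WorkingShare(hist, start, end)})
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Share > out[j].Share })
	return out, nil
}

func main() {
	ranked, err := RankOffsets(sampleActivity, 8, 17)
	if err != nil {
		panic(err)
	}
	for _, c := range ranked[:3] {
		fmt.Printf("UTC%+d: %.0f%% of activity inside 08:00-17:00\n", c.OffsetHours, c.Share*100)
	}
}
```

On the constructed data UTC+8 comes out on top with 12 of 13 events inside the window; the neighbouring offsets score 10 of 13, so the peak is clear but not sharp. In practice the histogram should also be split by weekday, since a Monday-to-Friday pattern and observed absences on one country's public holidays say more than the hour-of-day alone.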
The initial entry point remains a mystery, but the scope and sophistication of GopherWhisper’s campaign should set off alarm bells for governments everywhere.
Conclusion
GopherWhisper’s campaign is a stark reminder of how modern cyber-espionage blends technical innovation with everyday technology. By hiding in plain sight - abusing trusted cloud apps and writing its tooling in a language still uncommon in malware - this group has raised the bar for stealthy state-backed attacks. As governments scramble to defend their digital borders, the question is no longer if they’ll be targeted, but whether they’ll notice before it’s too late.
WIKICROOK
- Backdoor: A backdoor is a hidden way to access a computer or server, bypassing normal security checks, often used by attackers to gain secret control.
- Command: A command is an instruction sent to a device or software, often by a command-and-control (C2) server, directing it to perform specific actions, sometimes for malicious purposes.
- Loader/Injector: A loader/injector is malware whose job is to place additional malicious code into memory, often inside another process, so the real payload never has to sit on disk where it is easier to detect.
- Exfiltration: Exfiltration is the unauthorized transfer of sensitive data from a victim’s network to an external system controlled by attackers.
- Golang (Go): Golang (Go) is a portable, efficient programming language, widely used for modern software and increasingly favored by malware authors because one code base compiles into self-contained binaries for Windows, Linux and macOS.