China-Linked GopherWhisper APT Hits 12 Mongolian Gov Systems Using Slack/Discord C2


ESET discovers a new espionage group abusing legitimate cloud services for command-and-control against strategically sensitive Mongolian targets.

ULAN BATOR, MN — Researchers at ESET have uncovered a sophisticated, China-aligned espionage campaign targeting the Mongolian government. The threat actor, dubbed GopherWhisper, has infected at least 12 government systems since late 2023 using a modular arsenal of Go-based malware.

What distinguishes GopherWhisper is its heavy reliance on "Living-off-the-Land" (LotL) cloud techniques. By hijacking legitimate communications platforms like Slack, Discord, and Microsoft 365 Outlook for its command-and-control (C2) infrastructure, the group has effectively bypassed traditional network monitoring that often white-lists these services.


Breach Audit: The GopherWhisper Toolkit

The infection chain typically begins with a specialized injector known as JabGopher, which side-loads the primary payload into legitimate system processes like svchost.exe. Once established, the core backdoor—LaxGopher—takes over operations. LaxGopher is a modular Go-based tool that retrieves instructions via private Slack API tokens and exfiltrates stolen data using the file.io sharing service to avoid raising red flags.

Threat Intelligence: GopherWhisper (Jan 2025 – April 2026)

Audit Detail        Technical Finding
Confirmed Victims   12 Mongolian governmental institutions (ESET telemetry).
C2 Infrastructure   Slack, Discord, Microsoft 365 Outlook, and file.io.
Core Malware        LaxGopher (Backdoor) & JabGopher (Injector).

Geopolitical Context: Mongolia as a High-Value Target

Mongolia sits in a precarious geopolitical position as a landlocked buffer state between Russia and China. As a candidate for a deeper NATO partnership and a nation with significant mineral resources, its government systems are prime targets for nation-state espionage. GopherWhisper follows a long history of China-linked operations in the region, including previous campaigns attributed to Mustang Panda (APT27).

This operation highlights the persistent threat posed by China’s cyber apparatus, which increasingly favors modular, Go-based malware for its cross-platform compatibility and ease of development.


The CyberSignal Analysis

Signal 01 — The Cloud Stealth Advantage

By abusing Slack and Discord, GopherWhisper turns essential business tools into weapons. Security teams often struggle to block this traffic without disrupting legitimate operations. To counter this, organizations must move toward advanced living-off-the-land monitoring that inspects the intent of cloud API calls rather than just the destination.
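To illustrate the intent-based monitoring the paragraph above calls for, here is an added detection sketch (not from ESET or this article) that flags collaboration-service traffic from processes that have no business generating it, such as a svchost.exe-hosted payload polling the Slack API and pushing data to file.io. The EDR-style log format, the process allow-list and the sample events are all constructed for this example.

```python
import re

# Services the article names as GopherWhisper C2/exfil channels, keyed by
# registrable domain; subdomains such as api.slack.com match by suffix.
WATCHED_DOMAINS = {"slack.com": "slack", "discord.com": "discord",
                   "discordapp.com": "discord", "outlook.office.com": "outlook",
                   "outlook.office365.com": "outlook", "file.io": "fileio"}

# Processes expected to reach each service (constructed allow-list; tune per
# estate). file.io has no sanctioned client here, so any traffic is flagged.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
EXPECTED_CLIENTS = {"slack": {"slack.exe"} | BROWSERS,
                    "discord": {"discord.exe"} | BROWSERS,
                    "outlook": {"outlook.exe"} | BROWSERS,
                    "fileio": set()}

# Constructed EDR-style event format, one event per line.
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) "
                     r"image=(?P<image>\S+) dst=(?P<dst>\S+) uri=(?P<uri>\S*)$")

def service_for(dst):
    """Map a destination host to a watched service tag, or None."""
    dst = dst.lower().rstrip(".")
    for domain, tag in WATCHED_DOMAINS.items():
        if dst == domain or dst.endswith("." + domain):
            return tag
    return None

def analyze(log_text):
    """Return (ts, host, image, dst, reason) for every event whose process is
    not an expected client of the watched service it contacted."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than abort the whole batch
        tag = service_for(m["dst"])
        if tag is None:
            continue  # ordinary destination, not a watched service
        image = m["image"].lower()
        if image not in EXPECTED_CLIENTS[tag]:
            alerts.append((m["ts"], m["host"], image, m["dst"],
                           f"{image} is not an expected {tag} client (uri={m['uri']})"))
    return alerts

# Constructed sample telemetry; lines 2-3 model the svchost.exe-hosted payload
# described in the article polling Slack and then pushing data to file.io.
SAMPLE_EVENTS = """\
2025-03-04T09:12:01Z host=WS-017 pid=4120 image=slack.exe dst=api.slack.com uri=/api/conversations.history
2025-03-04T09:12:07Z host=WS-017 pid=884 image=svchost.exe dst=api.slack.com uri=/api/conversations.history
2025-03-04T09:12:09Z host=WS-017 pid=884 image=svchost.exe dst=file.io uri=/
2025-03-04T09:13:44Z host=WS-022 pid=2331 image=chrome.exe dst=discord.com uri=/channels/@me
2025-03-04T09:14:02Z host=WS-022 pid=2331 image=chrome.exe dst=intranet.example uri=/portal
"""
```

Running `analyze(SAMPLE_EVENTS)` yields two alerts, both for the svchost.exe events; the genuine Slack client and browser traffic pass untouched, which is the point of inspecting who is calling rather than blocking the destination.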

Signal 02 — The Modular Evolution

The use of the Go programming language allows GopherWhisper to iterate rapidly. Their toolkit includes separate collectors, loaders, and backdoors, making it easier to swap out components if one is detected. This modularity is becoming a hallmark of sophisticated state-sponsored actors seeking long-term persistence in high-value networks.


Sources

Type               Source
Technical Lead     ESET Research: GopherWhisper Analysis
Industry News      The Hacker News: Mongolian Gov Targeted
Strategic Audit    The Record: Slack & Discord Abuse Report
