China-Linked GopherWhisper APT Targets Mongolian Government via Slack, Discord

A China-linked advanced persistent threat (APT) group, dubbed GopherWhisper by ESET researchers, has been actively targeting the Mongolian government. The group, operational since at least November 2023, was first identified in January 2025 after a previously unknown backdoor surfaced on a Mongolian government institution’s network, according to The Record by Recorded Future.

What makes this campaign notable is GopherWhisper’s exfiltration strategy. The Record by Recorded Future highlights the group’s use of legitimate communication platforms like Slack and Discord for covert command-and-control (C2) and data egress. This tactic allows them to blend malicious traffic with legitimate network activity, making detection significantly harder for traditional security tools.

This isn’t just about Mongolia. It’s a clear signal that state-sponsored actors are increasingly leveraging mainstream collaboration tools to evade detection. For defenders, relying solely on perimeter defenses is a losing battle when attackers are operating within trusted applications.

What This Means For You

  • If your organization uses Slack or Discord, you need to elevate your monitoring for anomalous activity within these platforms. Don't assume traffic to these legitimate services is benign. Review your security policies regarding unapproved third-party applications and ensure robust logging and behavioral analytics are in place for all collaboration tools. This means looking for unusual data transfers, suspicious user activity, and unapproved integrations.
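To make the monitoring advice above concrete, here is an added example (not code from ESET, The Record, or the original post) that scans constructed proxy-log lines for the two patterns the article calls out: unusually large outbound transfers to Slack/Discord domains and request timing too regular for a human user, plus a non-browser client talking to those domains as a hint of an unapproved integration. The domain list, log format, host names, thresholds, and sample values are all assumptions for the demonstration.

```python
"""Flag hosts whose traffic to collaboration platforms looks like covert egress.

Signals checked per source host against a set of collaboration-platform domains:
  1. total outbound bytes above a volume threshold
  2. beacon-like timing: several requests at near-identical intervals
  3. a non-browser User-Agent (possible unapproved integration or tooling)
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed domain list; tailor it to the platforms your organization allows.
COLLAB_DOMAINS = {
    "slack.com", "api.slack.com", "files.slack.com", "hooks.slack.com",
    "discord.com", "discordapp.com", "cdn.discordapp.com",
}

# Constructed sample proxy log lines: timestamp, source host, destination, bytes out, user agent.
SAMPLE_LOGS = """\
2025-01-14T09:00:00 ws-042 api.slack.com 1820 Mozilla/5.0
2025-01-14T09:03:12 ws-042 api.slack.com 2210 Mozilla/5.0
2025-01-14T10:11:45 ws-042 files.slack.com 9100 Mozilla/5.0
2025-01-14T02:00:00 ws-117 discord.com 512000 python-requests/2.31
2025-01-14T02:05:00 ws-117 discord.com 498000 python-requests/2.31
2025-01-14T02:10:00 ws-117 discord.com 505000 python-requests/2.31
2025-01-14T02:15:00 ws-117 discord.com 501000 python-requests/2.31
2025-01-14T02:20:00 ws-117 discord.com 499000 python-requests/2.31
2025-01-14T11:30:00 ws-201 cdn.discordapp.com 700 Mozilla/5.0
"""


def parse_logs(text):
    """Parse the whitespace-separated log format used above into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes, ua = line.split(maxsplit=4)
        events.append({
            "ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "bytes": int(nbytes), "ua": ua,
        })
    return events


def detect_suspicious_collab_traffic(events, volume_threshold=1_000_000,
                                     min_requests=4, max_jitter_ratio=0.1):
    """Return {host: [reasons]} for hosts whose collaboration-platform traffic is anomalous."""
    per_host = defaultdict(list)
    for e in events:
        if e["dst"] in COLLAB_DOMAINS:
            per_host[e["src"]].append(e)

    findings = {}
    for host, evs in per_host.items():
        reasons = []

        # Signal 1: outbound volume well above what chat usage normally produces.
        total = sum(e["bytes"] for e in evs)
        if total >= volume_threshold:
            reasons.append(f"outbound volume {total} bytes exceeds {volume_threshold}")

        # Signal 2: beaconing. Human-driven traffic has high jitter; a timer does not.
        evs.sort(key=lambda e: e["ts"])
        if len(evs) >= min_requests:
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
            avg = mean(gaps)
            if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
                reasons.append(f"{len(evs)} requests at ~{avg:.0f}s intervals (beacon-like)")

        # Signal 3: a non-browser client reaching a chat platform deserves a look.
        non_browser = {e["ua"] for e in evs if not e["ua"].startswith("Mozilla/")}
        if non_browser:
            reasons.append(f"non-browser client(s): {', '.join(sorted(non_browser))}")

        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in detect_suspicious_collab_traffic(parse_logs(SAMPLE_LOGS)).items():
        print(host)
        for r in reasons:
            print("  -", r)
```

Run against the constructed sample, only `ws-117` is flagged, on all three signals; the ordinary browser activity from `ws-042` and `ws-201` stays quiet. In production the thresholds should come from a per-host baseline rather than fixed constants, and the findings belong in your SIEM alongside the platform's own audit logs so the flagged transfers can be tied to a user and an integration.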