Chinese APT Abuses Multiple Cloud Tools to Spy on Mongolia
Dark Reading
The threat actor gave itself plenty of options to support command and control, tapping Microsoft Outlook, Slack, Discord, and file.io for online espionage.
Nate Nelson, Contributing Writer
April 23, 2026
4 Min Read
SOURCE: TREVOR MOGG VIA ALAMY STOCK PHOTO
There's a newly discovered Chinese advanced persistent threat (APT) out in the wild, and it's been targeting the government of Mongolia.
The group, "GopherWhisper," is only now being described in public, but it isn't actually new to the cyber threat landscape. Judging by internal chat logs, it's been variously active since November 2023.
GopherWhisper won't turn any heads with the sophistication of its attacks. It arguably distinguishes itself in only two respects: by using a gaggle of different backdoors, each of which leverages a different means of command-and-control (C2), and by its heavy focus on a country not often targeted by other cyber threat actors. Researchers at ESET found that it backdoored 12 systems inside one Mongolian government institution, and evidence suggests that dozens more Mongolian victims may have been impacted too.
GopherWhisper's Backdoors
On Jan. 2, 2025, ESET researchers discovered two malware samples: a backdoor, "LaxGopher," and its injector, "JabGopher." One might reasonably expect, at that point, that they had a pretty good idea of how this threat actor was attacking its victims.
A few days later, though, through C2 data recovered from LaxGopher, they found a second backdoor, "CompactGopher." A few weeks after that, on Jan. 22, came yet another backdoor, "RatGopher." March 5 unearthed a fourth backdoor, "BoxOfFriends," and its loader, "FriendDelivery." And on March 24, there was "SSLORDoor."
Each of these backdoors distinguishes itself in small, technical ways, but the main difference is in the means they use for C2. Most abuse a popular, mainstream cloud-hosted service to send data to and receive data from targeted machines. LaxGopher uses Slack; RatGopher uses Discord. BoxOfFriends manages the same kinds of communications via email drafts in Microsoft Outlook. SSLORDoor doesn't abuse a software-as-a-service (SaaS) platform, and CompactGopher isn't technically a C2 tool, as it only manages file exfiltration via the public file-sharing service file.io.
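One defender-side way to surface this pattern is to look for hosts where processes other than a service's legitimate client talk to the SaaS channels the article names (Slack, Discord, Outlook, file.io). The script below is an added example, not ESET's or Dark Reading's code; the process allow-list and the sample telemetry are constructed assumptions a defender would tune to their own environment.

```python
"""Hunt for multi-channel SaaS C2 of the kind described above.

Added example: flags hosts where an unexpected process contacts one of
the cloud services GopherWhisper's backdoors abuse. Allow-listed client
names are an assumption; real deployments would also include browsers.
"""
from collections import defaultdict

# Service domain -> processes expected to talk to it (assumed allow-list).
SAAS_CHANNELS = {
    "slack.com": {"slack.exe"},            # LaxGopher channel
    "discord.com": {"discord.exe"},        # RatGopher channel
    "outlook.office.com": {"outlook.exe"}, # BoxOfFriends (mail drafts)
    "file.io": set(),                      # CompactGopher exfil; no client
}

def channel_for(domain):
    """Map a destination domain (or subdomain) to a named SaaS channel."""
    for svc in SAAS_CHANNELS:
        if domain == svc or domain.endswith("." + svc):
            return svc
    return None

def suspicious_saas_c2(events, min_channels=1):
    """events: iterable of (host, process_name, dest_domain).

    Returns {host: sorted channels} for hosts where a non-allow-listed
    process reached at least `min_channels` distinct SaaS channels.
    Raising min_channels to 2 isolates the multi-backdoor pattern.
    """
    hits = defaultdict(set)
    for host, process, domain in events:
        svc = channel_for(domain)
        if svc is not None and process.lower() not in SAAS_CHANNELS[svc]:
            hits[host].add(svc)
    return {h: sorted(c) for h, c in hits.items() if len(c) >= min_channels}

# Constructed sample telemetry (host, process, destination); not real IoCs.
SAMPLE_EVENTS = [
    ("ws-01", "slack.exe", "slack.com"),             # legitimate client
    ("ws-01", "svchost.exe", "api.slack.com"),       # unexpected process
    ("ws-01", "svchost.exe", "discord.com"),
    ("ws-01", "rundll32.exe", "outlook.office.com"),
    ("ws-01", "rundll32.exe", "file.io"),
    ("ws-02", "outlook.exe", "outlook.office.com"),  # benign
    ("ws-03", "python.exe", "file.io"),              # single channel only
]

if __name__ == "__main__":
    print(suspicious_saas_c2(SAMPLE_EVENTS, min_channels=2))
```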
It's unclear why GopherWhisper felt compelled to cook up five different versions of the same basic dish. Doing so might have allowed it to pivot more easily, if any one of its C2 methods were ever discovered or blocked. Perhaps it's also the case that, if you can't build an A-grade spy tool, having a bunch of C-grade options is good enough.
"They are quite productive in the way that they are using a lot of different custom backdoors in a short amount of time," says ESET senior malware researcher Mathieu Tartare. But he qualifies that comment, adding, "I wouldn't say that this is a particularly sophisticated group." Compared with the many other backdoors these days that abuse popular cloud-based services, nothing about GopherWhisper's toolset stands out for being all that impressive.
More to the point, in a presentation at Botconf 2026, ESET malware researcher Eric Howard noted, "Their 'Downloads' directory contains some interesting file names, including 'How to write RATs,' which leads us to believe that these operators might be new to developing malware."
The Cyber Threat Landscape in Mongolia
Mongolia has the poor fortune of being sandwiched between two of the world's most capable cyber powers.
From Tartare's point of view, "In Mongolia we see mostly — I wouldn't say exclusively, but mostly — China-aligned groups targeting organizations. I would say it's necessarily like Ukraine with Russia, but they are quite heavily targeted [by one country]." Some higher-profile cases over time include a RedDelta campaign from 2023 to 2024, an unattributed COVID-related campaign in 2020, and an APT27 (aka Emissary Panda) campaign against a national data center a few years before that. Notably, all three of these campaigns were targeted at the government sector.
As reported by Mongolia's UB Post, however, Mongolian government data suggests that the overwhelming volume of malicious cyber activity in the country comes from Russia, with the US a distant second. Though APT attacks out of Russia are less frequent, in 2023 and 2024, Google researchers found the Russian threat actor APT29 (aka Midnight Blizzard) exploiting Mongolian government websites for watering hole attacks, infecting the devices of passersby with surveillanceware. This isn't to say that Mongolia has only two or three adversaries, either, as it's occasionally swept up in broader espionage campaigns across the Asian continent as well.
According to the National Security Council of Mongolia's Institute for Strategic Studies (ISS), an Ulaanbaatar-based government think tank, Mongolia in 2024 recorded 1.6 million total cyberattacks and cyber incidents, 13,061 of which involved cybercrimes, costing $25.4 million in damages. The government has been working in recent years to stem its problem, most notably through a 2021 law on cybersecurity and a National Cyber Security Strategy, approved in January 2023.
As one ISS author wrote last year, "Mongolia is trying to keep [up] on global trends of digitalization but our cybersecurity is weighed down by a plethora of challenges, which necessitates massive intervention to unburden. Mongolia has made strides, but cybersecurity threats know no borders."
About the Author
Nate Nelson
Contributing Writer
Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.