Back to Intelligence

GopherWhisper APT: Detecting Go-Based Loaders and Injectors in Government Networks

SA
Security Arsenal Team
April 23, 2026
6 min read

A previously undocumented Advanced Persistent Threat (APT) group, tracked as GopherWhisper, has actively compromised at least 12 systems within Mongolian governmental institutions. attributed to China-aligned actors, this campaign highlights a continued trend toward leveraging cross-platform languages like Go (Golang) to evade traditional detection mechanisms.

The threat actor utilizes a sophisticated arsenal of tools written in Go, specifically focusing on injectors and loaders designed to deploy unauthorized access mechanisms (backdoors). Given the targeting profile—governmental institutions—and the nature of the payload, the primary objective is likely espionage and long-term persistence. Security teams must immediately shift their focus to identifying unsigned Go binaries and anomalous process injection behaviors indicative of this intrusion set.

Technical Analysis

Threat Actor: GopherWhisper (China-aligned) Target: Mongolian Government Institutions Tools & Tactics:

  • Language: The majority of the malware toolset is written in Go. This allows the threat actor to compile binaries for multiple architectures (Windows, Linux) and makes static analysis more difficult due to the language's complexity and standard library inclusion.
  • Injection/Loading: The group employs custom injectors and loaders. This suggests a focus on process hollowing or DLL injection to hide malicious code within legitimate system processes (e.g., explorer.exe, svchost.exe), thereby bypassing application whitelisting controls.
  • Payload: The ultimate goal is the deployment of "unauthorized access mechanisms," likely custom Remote Access Trojans (RATs) or webshells used for C2 and lateral movement.

Exploitation Status: Confirmed Active Exploitation. ESET has verified infections in the wild.

Why This Matters

Go-based binaries are often statically linked, resulting in larger file sizes. However, they are frequently unsigned or signed with fraudulent certificates. The use of loaders indicates that the initial access vector (likely phishing or web exploitation) leads to a staged payload where the loader fetches or decrypts the final implant. Defenders relying solely on signature-based antivirus are likely blind to these threats if the hashes are novel.

Detection & Response

The following detection logic is designed to identify the specific TTPs associated with GopherWhisper: unsigned Go binaries, process injection activity, and suspicious loader execution.

Sigma Rules

YAML
---
title: GopherWhisper - Suspicious Unsigned Go Binary Execution
id: 8a4b2c1d-5e6f-4a3b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects the execution of unsigned binaries compiled with Go, often indicative of GopherWhisper tooling. Looks for processes lacking company signatures or exhibiting Go build artifacts.
references:
  - https://www.welivesecurity.com/2026/04/06/gopherwhisper-apt-mongolia/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1204
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '.exe'
    Company|contains:
      - '' # Detects empty Company fields common in custom malware
  filter_legit_go:
    Image|contains:
      - '\Program Files\'
      - '\Program Files (x86)\'
    Signed: true
  condition: selection and not filter_legit_go
falsepositives:
  - Legitimate administrative tools written in Go
level: high
---
title: GopherWhisper - Process Injection via Windows API Calls
id: 9b5c3d2e-6f7a-5b4c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects suspicious API call sequences often used by custom injectors to deploy unauthorized access mechanisms.
references:
  - https://attack.mitre.org/techniques/T1055/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.defense_evasion
  - attack.t1055
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains:
      - 'VirtualAllocEx'
      - 'WriteProcessMemory'
      - 'CreateRemoteThread'
  condition: selection
falsepositives:
  - Legitimate debugging tools (rare in user context)
level: high
---
title: GopherWhisper - Suspicious Loader in User Directory
id: 0c6d4e3f-7a8b-6c5d-0e1f-2a3b4c5d6e7f
status: experimental
description: Detects execution of binaries from User Profile directories (Downloads, AppData) characteristic of dropper/loader activity.
references:
  - https://attack.mitre.org/techniques/T1547/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.t1566
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|contains:
      - '\Users\'
      - '\AppData\Local\Temp\'
      - '\Downloads\'
    Image|endswith:
      - '.exe'
  condition: selection
falsepositives:
  - Software installers run by users
level: medium

KQL (Microsoft Sentinel / Defender)

This query hunts for processes created by common office applications (initial access) that are unsigned Go binaries, a hallmark of the GopherWhisper loader.

KQL — Microsoft Sentinel / Defender
let SuspiciousParents = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "msedge.exe", "chrome.exe"]);
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ (SuspiciousParents)
// Filter for executables
| where FileName endswith ".exe"
// Check for unsigned or suspicious files
| where IsSigned == false or SigningStatus != "Valid"
// Golang binaries often have high entropy and are large; this looks for anomalies in file size logic or just flag the unsigned activity
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, InitiatingProcessFileName, SHA256, FileSize
| order by Timestamp desc

Velociraptor VQL

The following VQL artifact hunts for suspicious Go binaries running in memory. Go binaries often have specific characteristics in their module lists or lack standard DLL dependencies associated with compiled C/C++ apps.

VQL — Velociraptor
-- Hunt for processes with suspicious characteristics consistent with Go-based malware
SELECT Pid, Name, Exe, CommandLine, Username, StartTime
FROM pslist()
-- Filter for unsigned binaries running from user directories
WHERE Exe =~ 'C:\\Users\\.*\\AppData\\.*\\.*.exe'
   OR Exe =~ 'C:\\Users\\.*\\Downloads\\.*.exe'
-- Exclude known legitimate paths to reduce noise (adjust based on environment)
AND NOT Exe =~ 'C:\\Program Files\\.*'
AND NOT Exe =~ 'C:\\Windows\\System32\\.*'

Remediation Script (PowerShell)

This script scans for the presence of suspicious, recently created executables in common user directories and checks for the specific "Go" artifact in file version info where applicable.

PowerShell
<#
    .SYNOPSIS
    Hunt for GopherWhisper Indicators of Compromise
    .DESCRIPTION
    Scans user directories for unsigned executables created in the last 30 days.
#>

$DateThreshold = (Get-Date).AddDays(-30)
$PathsToScan = @("C:\Users\", "C:\ProgramData\")

Write-Host "[+] Scanning for unsigned executables modified after $DateThreshold..." -ForegroundColor Cyan

foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Recurse -Include *.exe -ErrorAction SilentlyContinue | 
        Where-Object { $_.LastWriteTime -gt $DateThreshold } | 
        ForEach-Object {
            $FilePath = $_.FullName
            # Check Signature
            $Signature = Get-AuthenticodeSignature -FilePath $FilePath
            
            # GopherWhisper tools are typically unsigned or invalidly signed
            if ($Signature.Status -ne "Valid") {
                # Check Version Info for Go hints (sometimes present)
                try {
                    $VersionInfo = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($FilePath)
                    if ($VersionInfo.CompanyName -eq "" -or $VersionInfo.OriginalFilename -like "*go*" -or $VersionInfo.FileDescription -eq "") {
                        Write-Host "[!] Suspicious unsigned file found: $FilePath" -ForegroundColor Red
                        Write-Host "    - Size: $($_.Length) bytes"
                        Write-Host "    - Modified: $($_.LastWriteTime)"
                    }
                } catch {
                    # Ignore errors reading version info
                }
            }
        }
    }
}

Remediation

1. Isolation and Containment: Immediately isolate affected systems from the network. GopherWhisper uses unauthorized access mechanisms, implying an active C2 channel. Network segmentation is critical to prevent lateral movement to other government systems.

2. System Reimaging: Due to the use of injectors and loaders, simple malware removal is insufficient. The threat actor likely has multiple persistence mechanisms. Perform a complete wipe and reimage of the 12 confirmed infected systems and any other systems showing signs of compromise (IOC matches).

3. Credential Reset: Assume credential theft. Force a reset of all privileged credentials and user accounts that have logged into the infected systems within the last 90 days.

4. Network Blocking: Identify and block the C2 infrastructure associated with GopherWhisper. While specific IPs were not published in the summary, use ESET's latest threat intelligence feed to update firewall blocklists immediately.

5. Code Signing Enforcement: Implement application whitelisting (e.g., AppLocker or WDAC) policies that restrict the execution of unsigned binaries in user-writable directories (%AppData%, %Temp%, Downloads). This directly mitigates the loader delivery method.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

sigma-rulekql-detectionthreat-huntingdetection-engineeringsiem-detectiongopherwhispergolang-malwareapt

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action