GopherWhisper: Deconstructing the New Go-Based APT Targeting Mongolia

Just caught the ESET report on this new cluster, 'GopherWhisper,' hitting Mongolian government networks. It’s fascinating to see the continued shift toward Go (Golang) for APT tooling. The cross-platform compilation benefits and the difficulty in static analysis make it a no-brainer for actors needing to deploy across varied infrastructure quickly.

They’re leveraging a modular approach with custom injectors and loaders. This is significant because Go-based injectors often interact directly with the Windows API via cgo or similar syscall wrappers, which can sometimes bypass older heuristic models that look for standard C-based API call sequences.

For defenders, the sheer size of Go binaries (even stripped ones) can be an initial heuristic for detection, though sophisticated groups are getting better at packing. If you're hunting for this behavior, checking for processes spawned by unusual parents that carry the Go standard library characteristics is a good start. Here’s a basic KQL query to hunt for suspicious Go binaries spawned via common LOLBins:

DeviceProcessEvents
| where FileName endswith ".exe"
| where ProcessCommandLine contains "go-build" or ProcessVersionInfoOriginalFilename contains "go"
| where InitiatingProcessFileName in ("powershell.exe", "cmd.exe", "mshta.exe")
| project DeviceName, FileName, ProcessCommandLine, FolderPath, SHA256


We are also looking at specific process creation patterns where the command line arguments are stripped or randomized to evade logging.

Has anyone else noticed an uptick in Go-based backdoors in their threat feeds recently? The static analysis overhead is becoming a real pain point for my team—are you using specific Ghidra scripts or tools to handle the decompilation of these binaries efficiently?