A new cyber espionage group, active since November 2023, breached a Mongolian government entity, deploying a novel backdoor called LaxGopher to exfiltrate data and maintain persistent access.
The attackers leveraged common communication platforms like Discord and Slack for command and control, a tactic that significantly complicates detection and attribution due to their legitimate use.
The use of custom Go-based tools for various malicious functions and a dedicated exfiltration tool highlights the sophisticated and targeted nature of this state-linked cyber espionage operation.

A previously unidentified cyber threat actor has compromised a Mongolian government entity in an operation investigators said has been active since at least November 2023. The intrusion involved a newly identified backdoor, called LaxGopher, and a set of custom tools designed to keep long-term access while moving data out of the network.
Investigators found LaxGopher installed on about a dozen systems inside the affected government institution. They said the malware enabled data exfiltration and helped the attackers maintain persistent access, indicating an operation focused on ongoing collection rather than short-term disruption.
LaxGopher backdoor found on about a dozen systems
According to investigators, LaxGopher functioned as a backdoor that supported both continued presence and the removal of information from the compromised environment. The discovery of the tool on roughly 12 systems suggests the actor established multiple footholds within the institution.
Rise of New State-Sponsored Cyber Espionage Tools Targets Government Systems
The discovery of the previously unidentified LaxGopher backdoor, used against the Mongolian government since November 2023, shows that state-sponsored actors continue to develop and deploy new, purpose-built tools for cyber espionage against national governments. The trend points to an escalating international threat landscape in which governments face constantly evolving methods of data exfiltration and persistent network intrusion.
The attackers also relied on custom tooling, which investigators noted was written primarily in Go. These tools handled tasks such as loading and injecting code and backdooring systems, pointing to a tailored toolkit built to support the campaign’s objectives.
Discord, Slack, and Microsoft 365 Outlook used for control
Investigators said the group used widely available communication platforms for command and control, including Discord, Slack, and Microsoft 365 Outlook. Using legitimate services in this way can allow malicious traffic to blend into normal activity, making suspicious behavior harder to spot in routine monitoring.
They said the operation used a dedicated exfiltration tool to move stolen information out of the network. The data was compressed and then uploaded to a file-sharing service, a workflow that can reduce transfer size and help standardize how information is staged before being sent out.
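The two behaviors described above (control traffic to collaboration platforms and compress-then-upload staging) can both be hunted for in endpoint and proxy telemetry. The following is an added detection sketch, not code from the report or the investigators; the log format, the domain and process lists, the `fileshare.example` placeholder, the 5 MB threshold and the 30-minute window are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Assumed domains for the services the report names as C2, and the client
# processes expected to reach them; other processes are worth a closer look.
COLLAB_DOMAINS = {"discord.com", "gateway.discord.gg", "slack.com", "outlook.office.com"}
EXPECTED_PROCESSES = {"discord.exe", "slack.exe", "outlook.exe", "chrome.exe", "msedge.exe"}
ARCHIVE_PROCESSES = {"7z.exe", "rar.exe", "tar.exe"}
FILE_SHARE_DOMAINS = {"fileshare.example"}  # placeholder; the report names no service
UPLOAD_BYTES_THRESHOLD = 5_000_000  # 5 MB outbound in one session

@dataclass
class Event:
    ts: datetime
    host: str
    process: str
    dest: str  # destination domain, or "-" for a local process start
    bytes_out: int

def parse(line: str) -> Event:
    """Parse one 'ts|host|process|dest|bytes_out' record (constructed format)."""
    ts, host, proc, dest, out = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), host, proc.lower(), dest.lower(), int(out))

def unexpected_collab_clients(events):
    """(host, process, dest) where a non-client process talks to a collab platform."""
    return sorted({(e.host, e.process, e.dest) for e in events
                   if e.dest in COLLAB_DOMAINS and e.process not in EXPECTED_PROCESSES})

def staged_exfil(events, window=timedelta(minutes=30)):
    """Hosts where an archiver ran and a large file-share upload followed in time."""
    hits = set()
    for up in events:
        if up.dest not in FILE_SHARE_DOMAINS or up.bytes_out < UPLOAD_BYTES_THRESHOLD:
            continue
        for a in events:
            if (a.host == up.host and a.process in ARCHIVE_PROCESSES
                    and timedelta(0) <= up.ts - a.ts <= window):
                hits.add(up.host)
    return sorted(hits)

# Constructed telemetry: a normal client, a non-client binary beaconing, a staged upload.
SAMPLE_LOG = """\
2024-03-04T09:00:00|ws-01|slack.exe|slack.com|2048
2024-03-04T09:05:12|ws-07|svchost.exe|gateway.discord.gg|512
2024-03-04T09:06:30|ws-07|svchost.exe|slack.com|640
2024-03-04T09:40:00|ws-07|7z.exe|-|0
2024-03-04T09:52:10|ws-07|svchost.exe|fileshare.example|73400320
2024-03-04T10:10:00|ws-03|chrome.exe|fileshare.example|8000000
"""
EVENTS = [parse(ln) for ln in SAMPLE_LOG.splitlines()]
```

On the constructed sample, only `ws-07` is flagged by both rules; the browser upload from `ws-03` is large but has no preceding archive activity, which is the kind of distinction that keeps a correlation rule from drowning in ordinary file-sharing traffic.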
Tactics align with cyber espionage, attribution remains difficult
Investigators assessed that the tactics, techniques, and procedures observed in the intrusion are consistent with cyber espionage. The focus on persistence, the use of a backdoor, and the structured approach to data theft were cited as indicators of an intelligence-gathering effort.
At the same time, investigators said the use of legitimate services for covert communications complicates both detection and attribution. Because these platforms are commonly used in normal work environments, separating malicious control traffic from routine activity can be challenging, and linking the operation to a specific sponsor may remain uncertain based on the available details.