**GopherWhisper** is a China-aligned Advanced Persistent Threat (APT) group newly documented by ESET, observed targeting a **governmental institution in Mongolia** 【1】. Its toolkit is largely written in Go and consists of several backdoors plus the injectors, loaders and exfiltration utility needed to deploy and use them 【1】.
**What Happened:**
GopherWhisper has been actively targeting a Mongolian governmental institution. The intrusion uses a chain of custom tools to gain access, maintain persistence, run commands and exfiltrate data. The defining trait of the operation is that command and control (C&C) and data exfiltration are routed through legitimate services rather than attacker-owned infrastructure 【1】.
**Who is Affected:**
The identified target is a **governmental institution in Mongolia** 【1】.
**Security Implications:**
Routing C&C and exfiltration through Discord, Slack, Microsoft 365 Outlook mail (via Microsoft Graph) and file.io means the malicious traffic is TLS to well-known, widely allowlisted domains, so domain- and IP-reputation controls and blocklists do not fire and the traffic blends in with legitimate use of the same services. Detection therefore has to rely on context: which process is talking to the service, from which host, and whether that usage pattern is normal for it. The group's layered tooling, with injectors and loaders that deploy backdoors which can in turn download further malware, points to a staged compromise in which removing a single implant may not evict the actor 【1】.
**Technical Details:**
GopherWhisper employs a variety of malware, including:
* **JabGopher:** An injector that deploys the LaxGopher backdoor by injecting it into the `svchost.exe` process 【1】.
* **LaxGopher:** A Go-based backdoor that communicates with a private Slack server for C&C, executes commands via `cmd.exe`, and can download additional malware 【1】.
* **CompactGopher:** A Go-based tool for compressing and exfiltrating files to file.io 【1】.
* **RatGopher:** A Go-based backdoor that uses Discord for C&C communication 【1】.
* **SSLORDoor:** A C++ backdoor that uses OpenSSL's BIO abstraction for its socket communication on TCP port 443 (direct connections rather than a cloud service), capable of enumerating drives and executing commands 【1】.
* **FriendDelivery:** A loader/injector DLL that executes the BoxOfFriends backdoor 【1】.
* **BoxOfFriends:** A Go-based backdoor that leverages the Microsoft 365 Outlook mail REST API (Microsoft Graph) for C&C by creating and modifying draft emails, so tasking and results pass through the mailbox as draft items rather than as sent mail 【1】.
Timestamps of operator C&C messages cluster in the working hours of China Standard Time (UTC+8), which is consistent with, but not by itself proof of, a China-based operator: UTC+8 is shared by several countries, and such patterns can be automated or deliberately shifted 【1】.
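The working-hours analysis behind a statement like the one above can be reproduced with a few lines. The following is an added example, not ESET's method or code: it takes UTC timestamps of operator-issued C&C messages, scores every whole-hour UTC offset by the fraction of messages that fall inside an assumed Monday-Friday 09:00-17:59 local workday, and reports the best fit. The timestamps are constructed for the demo, not real GopherWhisper data.

```python
"""Working-hours analysis of C&C message timestamps (added example).

Scores each whole-hour UTC offset by how many messages land in a Mon-Fri
09:00-17:59 local workday. The workday bounds and the sample times are
assumptions constructed for this demo, not data from the research.
"""
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 9, 18  # local hours counted as the working day (assumption)


def workday_fit(timestamps, offset_hours):
    """Fraction of timestamps landing Mon-Fri between 09:00 and 17:59 local time."""
    tz = timezone(timedelta(hours=offset_hours))
    inside = 0
    for ts in timestamps:
        local = ts.astimezone(tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            inside += 1
    return inside / len(timestamps)


def infer_offset(timestamps, candidates=range(-12, 15)):
    """Return (best_offset, {offset: fit}) over whole-hour offsets UTC-12..UTC+14."""
    scores = {off: workday_fit(timestamps, off) for off in candidates}
    # Ties break toward the smaller absolute offset; a real analysis should
    # report the whole score table, since neighbouring offsets score close.
    best = max(scores, key=lambda off: (scores[off], -abs(off)))
    return best, scores


def parse_utc(lines):
    """Parse 'YYYY-MM-DD HH:MM' strings as timezone-aware UTC timestamps."""
    return [datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
            for s in lines]


# Constructed message times (UTC), clustered 01:00-10:00 UTC on weekdays,
# i.e. 09:00-18:00 at UTC+8, with two outliers outside the core window.
SAMPLE_TIMES = parse_utc([
    "2024-03-12 01:05", "2024-03-12 01:40", "2024-03-12 02:30", "2024-03-12 03:15",
    "2024-03-12 05:50", "2024-03-12 07:20", "2024-03-12 08:45", "2024-03-12 09:30",
    "2024-03-13 01:10", "2024-03-13 04:00", "2024-03-13 06:35", "2024-03-13 09:55",
    "2024-03-14 00:20", "2024-03-14 11:30",
])

if __name__ == "__main__":
    best, scores = infer_offset(SAMPLE_TIMES)
    print(f"best fit: UTC{best:+d} ({scores[best]:.0%} of messages in working hours)")
    for off in (7, 8, 9):
        print(f"  UTC{off:+d}: {scores[off]:.0%}")
```

With the constructed sample, UTC+8 scores highest, but UTC+9 is only one message behind, which is the usual picture: the result narrows the operator's likely location to a band of offsets rather than pinpointing one, and should be combined with other evidence.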
**What Defenders Should Know:**
Defenders should focus on GopherWhisper's reliance on legitimate cloud services for C&C and exfiltration, since that traffic will not be caught by reputation-based blocking. Practical checks: alert on processes other than the expected clients (browsers, the Slack or Discord desktop apps, Outlook or Teams) connecting to slack.com, discord.com, graph.microsoft.com, outlook.office.com or file.io, with svchost.exe as the highest-priority case because JabGopher injects LaxGopher into it; look for cmd.exe spawned by an svchost.exe instance that also has such connections; block file.io outright where there is no business need; and review Microsoft 365 mailbox audit data for draft-message activity that does not come from the mailbox owner's usual clients. Endpoint detection and response (EDR) coverage and current threat intelligence remain the baseline. A comprehensive list of indicators of compromise (IoCs) is available in ESET's white paper and GitHub repository 【1】.
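The process-to-service checks described above, as an added example that is not part of ESET's research or tooling: it runs over a few constructed Sysmon-style events (EID 3 network connection, EID 22 DNS query, EID 1 process creation) and flags a non-expected process contacting one of the abused services, and cmd.exe spawned by an svchost.exe instance that was itself seen talking to such a service, which is the JabGopher -> LaxGopher -> cmd.exe chain from the technical details. The domain list, the expected-client list and the log lines are assumptions to be tuned for a real environment.

```python
"""Hunt for GopherWhisper-style abuse of legitimate services (added example).

Runs over constructed Sysmon-style JSON events and flags:
  1. a process not in EXPECTED_CLIENTS contacting Slack, Discord,
     Microsoft 365 mail (Graph/Outlook) or file.io;
  2. cmd.exe whose parent is an svchost.exe PID already flagged by rule 1.
All lists and sample events below are assumptions for the demo.
"""
import json

# Domain suffix -> service (assumed; confirm what the real clients resolve in DNS logs).
SERVICE_DOMAINS = {
    "slack.com": "Slack",
    "discord.com": "Discord",
    "discordapp.com": "Discord",
    "discord.gg": "Discord",
    "graph.microsoft.com": "Microsoft 365",
    "outlook.office.com": "Microsoft 365",
    "file.io": "file.io",
}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Processes expected to talk to each service (assumption: tune per fleet).
EXPECTED_CLIENTS = {
    "Slack": BROWSERS | {"slack.exe"},
    "Discord": BROWSERS | {"discord.exe"},
    "Microsoft 365": BROWSERS | {"outlook.exe", "ms-teams.exe", "onedrive.exe"},
    "file.io": BROWSERS,
}


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def service_for(hostname):
    """Map a hostname to the abused service it belongs to, by domain suffix."""
    host = hostname.lower().rstrip(".")
    for domain, service in SERVICE_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return service
    return None


def hunt(events):
    """Two passes: network/DNS events first, then process creations."""
    findings = []
    tainted_svchost = set()  # PIDs of svchost.exe that reached an abused service
    for ev in events:
        if ev["EventID"] not in (3, 22):
            continue
        image = basename(ev.get("Image", ""))
        host = ev.get("DestinationHostname") or ev.get("QueryName") or ""
        service = service_for(host)
        if service and image not in EXPECTED_CLIENTS[service]:
            findings.append({"rule": "unexpected-client-to-service", "service": service,
                             "image": image, "host": host, "pid": ev.get("ProcessId")})
            if image == "svchost.exe":
                tainted_svchost.add(ev.get("ProcessId"))
    for ev in events:
        # Scheduled tasks also spawn cmd.exe under svchost.exe, so the parent
        # must additionally be one of the instances flagged in the first pass.
        if (ev["EventID"] == 1 and basename(ev.get("Image", "")) == "cmd.exe"
                and basename(ev.get("ParentImage", "")) == "svchost.exe"
                and ev.get("ParentProcessId") in tainted_svchost):
            findings.append({"rule": "cmd-from-tainted-svchost", "pid": ev.get("ProcessId"),
                             "parent_pid": ev["ParentProcessId"],
                             "command_line": ev.get("CommandLine")})
    return findings


# Constructed Sysmon-style events as JSON lines (not real telemetry).
SAMPLE_LOG = r"""
{"EventID": 22, "Image": "C:\\Program Files\\Slack\\slack.exe", "ProcessId": 4412, "QueryName": "slack.com"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "ProcessId": 1234, "DestinationHostname": "slack.com", "DestinationPort": 443}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ProcessId": 5120, "ParentImage": "C:\\Windows\\System32\\svchost.exe", "ParentProcessId": 1234, "CommandLine": "cmd.exe /c whoami"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ProcessId": 5188, "ParentImage": "C:\\Windows\\System32\\svchost.exe", "ParentProcessId": 880, "CommandLine": "cmd.exe /c backup.bat"}
{"EventID": 3, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "ProcessId": 6004, "DestinationHostname": "outlook.office.com", "DestinationPort": 443}
{"EventID": 22, "Image": "C:\\Users\\Public\\updater.exe", "ProcessId": 7010, "QueryName": "file.io"}
{"EventID": 22, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ProcessId": 2200, "QueryName": "gateway.discord.gg"}
"""
SAMPLE_EVENTS = [json.loads(line) for line in SAMPLE_LOG.strip().splitlines()]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

On the sample, three findings come out: svchost.exe reaching slack.com, an unsigned-looking updater.exe resolving file.io, and the cmd.exe whose parent is the flagged svchost.exe PID; the cmd.exe under the unrelated svchost.exe (a typical scheduled-task parent) is left alone. Expect tuning work on Microsoft 365: on Entra-joined hosts, Windows services inside svchost.exe legitimately contact some Microsoft endpoints, so that rule is best scoped by the svchost.exe service group (its command line) before it goes into production.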