A burrow full of malware

By Admin, April 24, 2026

ESET Research has discovered a new China-aligned APT group that we’ve named GopherWhisper, which targets Mongolian governmental institutions

Eric Howard
23 Apr 2026
6 min. read

GopherWhisper: A burrow full of malware

    ESET researchers have discovered a previously undocumented China-aligned APT group that we named GopherWhisper. The group wields a wide array of tools mostly written in Go, using injectors and loaders to deploy and execute various backdoors in its arsenal. In the observed campaign, the threat actors targeted a governmental entity in Mongolia.

    GopherWhisper abuses legitimate services, notably Discord, Slack, Microsoft 365 Outlook, and file.io for command and control (C&C) communication and exfiltration. Crucially, after we identified multiple Slack and Discord API tokens, we managed to extract a large number of C&C messages from those services, which provided us with great insight into the group’s activities.
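The token discovery mentioned above is what turned this from a malware analysis into a traffic analysis, and the same artefacts are what an analyst should pull out of the next sample. The following is an added example, not ESET's tooling, that scans an unpacked Go binary or a process memory dump for hardcoded Slack and Discord tokens and for the API endpoints a Slack, Discord, Graph or file.io channel needs. The token shapes, the endpoint patterns and the sample blob are constructed approximations; Go stores string literals back-to-back without NUL terminators, which is why every pattern is bounded at both ends rather than relying on `strings`-style splitting.

```python
import re
from dataclasses import dataclass

# Added example, not ESET's tooling: regex triage of an unpacked Go binary or a process
# memory dump for hardcoded Slack/Discord/Graph/file.io artefacts. Go keeps string literals
# back-to-back in .rodata with no NUL terminators, so a `strings`-style scan can fuse a token
# with its neighbours; every pattern below is therefore bounded at both ends. The token
# shapes are APPROXIMATIONS of the public formats: good enough for hunting, not for validation.
INDICATOR_PATTERNS = {
    # xoxb-<workspace id>-<bot user id>-<24 alphanumerics>
    "slack_bot_token": re.compile(rb"xoxb-\d{8,13}-\d{8,13}-[A-Za-z0-9]{24}"),
    # xoxp-<id>-<id>-<id>-<32 hex digits>
    "slack_user_token": re.compile(rb"xoxp-\d{8,13}-\d{8,13}-\d{8,13}-[0-9a-f]{32}"),
    # slack.com/api/<group>.<camelCaseMethod>, e.g. conversations.history, chat.postMessage
    "slack_api_method": re.compile(rb"https://slack\.com/api/[a-z]+\.[a-z]+(?:[A-Z][a-z]+)*"),
    # <base64 user id>.<timestamp>.<hmac>; current ids encode to a first segment starting with M or N
    "discord_bot_token": re.compile(rb"[MN][A-Za-z0-9_-]{23,27}\.[A-Za-z0-9_-]{6,7}\.[A-Za-z0-9_-]{27,40}"),
    # channel-scoped message endpoint; the channel id is the actionable IoC
    "discord_channel_api": re.compile(rb"https://discord(?:app)?\.com/api/(?:v\d+/)?channels/\d{17,20}/messages"),
    # Graph mail endpoints a draft-based C&C channel needs
    "graph_mail_api": re.compile(rb"https://graph\.microsoft\.com/v1\.0/me/(?:messages|mailFolders/[a-z]+/messages)"),
    "fileio_upload": re.compile(rb"https://file\.io/?"),
}

SECRET_KINDS = {"slack_bot_token", "slack_user_token", "discord_bot_token"}


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str
    offset: int


def scan_for_indicators(blob: bytes) -> list[Finding]:
    """Return every pattern hit in file order; the caller decides what to redact or pivot on."""
    findings = [
        Finding(kind, m.group(0).decode("ascii", "replace"), m.start())
        for kind, pattern in INDICATOR_PATTERNS.items()
        for m in pattern.finditer(blob)
    ]
    return sorted(findings, key=lambda f: f.offset)


def redact(secret: str) -> str:
    """Keep enough of a token to correlate across samples without pasting a live credential into a report."""
    return secret[:8] + "..." + secret[-4:] if len(secret) > 16 else "***"


def report(findings: list[Finding]) -> dict[str, list[str]]:
    out: dict[str, list[str]] = {}
    for f in findings:
        out.setdefault(f.kind, []).append(redact(f.value) if f.kind in SECRET_KINDS else f.value)
    return out


# Constructed stand-in for a slice of a Go binary's string table: strings run together,
# with a couple of NULs where unrelated data would normally sit. Not from a real sample.
SAMPLE_BLOB = (
    b"main.mainruntime.goexitsync.(*Mutex).Lock"
    b"xoxb-1234567890-1234567890123-AbCdEfGhIjKlMnOpQrStUvWx"
    b"https://slack.com/api/conversations.historyC01ABCDEFGH"
    b"https://discord.com/api/v10/channels/123456789012345678/messagesBot "
    b"MTIzNDU2Nzg5MDEyMzQ1Njc4.GaBcDe.AbCdEfGhIjKlMnOpQrStUvWxYz1234567_-\x00"
    b"xoxp-1234567890-1234567890123-1234567890123-0123456789abcdef0123456789abcdef"
    b"https://graph.microsoft.com/v1.0/me/mailFolders/drafts/messages"
    b"https://file.io/\x00"
)

if __name__ == "__main__":
    for kind, values in report(scan_for_indicators(SAMPLE_BLOB)).items():
        print(f"{kind:20} {values}")
```

Anything the scanner reports still needs a human look, because a token that happens to be followed by another alphanumeric string in the binary can come out a few characters too long; the bounded lengths limit the damage but do not eliminate it. A recovered token is also a live credential for the attacker's workspace, so it should be handled (and redacted in reports) with the same care as any other secret.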

    This blogpost summarizes the findings from our investigation of GopherWhisper’s toolset and C&C traffic, which can be found in our white paper on the topic.

    Key points of the blogpost:

    • ESET Research uncovered a new China-aligned APT group we’ve named GopherWhisper that targeted a governmental entity in Mongolia.
    • The group’s toolset includes custom Go-based backdoors LaxGopher, RatGopher, and BoxOfFriends, the injector JabGopher, the exfiltration tool CompactGopher, the loader FriendDelivery, and the C++ backdoor SSLORDoor.
    • GopherWhisper leverages Discord, Slack, Microsoft 365 Outlook, and file.io for C&C communications and exfiltration.
    • We analyzed C&C traffic from the attacker’s Slack and Discord channels, gaining information about the group’s internal operations and post-compromise activities.

    Backdoors galore

    We discovered the group in January 2025, when we found a previously undocumented backdoor, which we named LaxGopher, on the system of a governmental entity in Mongolia. Digging deeper, we managed to uncover several more malicious tools, mainly various backdoors, all deployed by the same group. The majority of these tools, including LaxGopher, are written in Go.

    Since the set of malware we found has no code similarities linking it to any known threat actor, and there was no overlap in tactics, techniques, and procedures (TTPs) with any other group, we decided to attribute the tools to a new group. We chose to name it GopherWhisper due to the majority of the group’s tools being written in the Go programming language, which has a gopher as its mascot, and based on the filename whisper.dll, a malicious component that is side-loaded.

    The malware we initially discovered consists of the following:

    • JabGopher: an injector that executes the LaxGopher backdoor disguised as whisper.dll. It spawns a new svchost.exe process and injects LaxGopher into that process’s memory.
    • LaxGopher: a Go-based backdoor that interacts with a private Slack server to retrieve C&C messages. It executes commands via cmd.exe and publishes the results back to the Slack channel configured in the code. LaxGopher can also download further malware to the compromised machine.
    • CompactGopher: a Go-based file collection tool deployed by operators to quickly compress files from the command line and automatically exfiltrate them to the file.io file sharing service. It is one of the payloads deployed by LaxGopher.
    • RatGopher: a Go-based backdoor that interacts with a private Discord server to retrieve C&C messages. On successful execution of a command, the results are published back to the configured Discord channel.
    • SSLORDoor: a backdoor built in C++ that uses the OpenSSL BIO API for communication over a socket on port 443. It can enumerate drives and run commands based on C&C input, mainly related to opening, reading, writing, deleting, and uploading files.

    Based on the knowledge we gained during our analysis, we were able to find two additional GopherWhisper tools, which were again deployed against the same Mongolian governmental entity:

    • FriendDelivery: a malicious DLL file serving as a loader and injector that executes the BoxOfFriends backdoor.
    • BoxOfFriends: a Go-based backdoor that makes use of the Microsoft 365 Outlook mail REST API from Microsoft Graph to create and modify draft email messages for its C&C communications.
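The common thread across the first and second batch of tools is that a process which should never speak to Slack, Discord, Microsoft Graph or file.io does exactly that: LaxGopher runs injected into svchost.exe, BoxOfFriends drives the Graph mail API, CompactGopher uploads to file.io, and the JabGopher stage arrives as a side-loaded whisper.dll. The following is an added example, not ESET detection content, of a hunting pass that encodes those two behaviours over endpoint telemetry. Field names follow Sysmon event 3 (network connection) and event 7 (image load); the events, the process paths and the allow-lists of expected clients are constructed assumptions that have to be tuned to the estate being defended.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Added example, not ESET detection content. Two rules drawn from the post:
#   1. a connection to a collaboration/file-sharing service from a process that has no
#      business using it (svchost.exe is the injection target the post describes);
#   2. a DLL load matching the side-loaded whisper.dll, with a low-severity catch-all for
#      unsigned DLLs loaded from outside the Windows directories.
# Field names follow Sysmon event 3 / event 7. Allow-lists and events are ASSUMPTIONS.

SERVICE_BY_DOMAIN = {
    "slack.com": "slack",
    "discord.com": "discord", "discordapp.com": "discord", "discord.gg": "discord",
    "graph.microsoft.com": "graph",
    "file.io": "file.io",
}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
EXPECTED_CLIENTS = {  # ASSUMPTION: what normally talks to each service on a managed workstation
    "slack": BROWSERS | {"slack.exe"},
    "discord": BROWSERS | {"discord.exe"},
    "graph": BROWSERS | {"outlook.exe", "ms-teams.exe", "teams.exe", "onedrive.exe"},
    "file.io": BROWSERS,
}
INJECTION_TARGETS = {"svchost.exe"}          # hosts the post names as injection targets
KNOWN_SIDELOADED_DLLS = {"whisper.dll"}     # file name from the post
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass(frozen=True)
class Alert:
    severity: str
    rule: str
    detail: str


def service_for(host: str) -> Optional[str]:
    """Map a destination hostname to a service, matching the domain itself or any subdomain."""
    host = host.lower().rstrip(".")
    for domain, service in SERVICE_BY_DOMAIN.items():
        if host == domain or host.endswith("." + domain):
            return service
    return None


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events: Iterable[dict]) -> list[Alert]:
    alerts: list[Alert] = []
    for ev in events:
        image = _basename(ev.get("Image", ""))
        if ev.get("EventID") == 3:
            host = ev.get("DestinationHostname", "")
            service = service_for(host)
            if service is None or image in EXPECTED_CLIENTS[service]:
                continue
            severity = "high" if image in INJECTION_TARGETS else "medium"
            alerts.append(Alert(severity, f"{service}-from-unexpected-process",
                                f"{image} -> {host}:{ev.get('DestinationPort')}"))
        elif ev.get("EventID") == 7:
            loaded = ev.get("ImageLoaded", "")
            if _basename(loaded) in KNOWN_SIDELOADED_DLLS:
                alerts.append(Alert("high", "known-sideloaded-dll", f"{image} loaded {loaded}"))
            elif str(ev.get("Signed", "")).lower() == "false" and not loaded.lower().startswith(TRUSTED_DLL_DIRS):
                # noisy on its own; useful as a pivot once a medium/high alert exists on the same host
                alerts.append(Alert("low", "unsigned-dll-outside-windows-dirs", f"{image} loaded {loaded}"))
    return alerts


# Constructed telemetry, not from a real incident.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "DestinationHostname": "slack.com", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Users\a\AppData\Local\slack\slack.exe", "DestinationHostname": "slack.com", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Users\a\AppData\Roaming\update\update.exe", "DestinationHostname": "discord.com", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "DestinationHostname": "graph.microsoft.com", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "DestinationHostname": "graph.microsoft.com", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Users\a\AppData\Roaming\update\update.exe", "DestinationHostname": "file.io", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "DestinationHostname": "www.example.com", "DestinationPort": 443},
    {"EventID": 7, "Image": r"C:\Users\a\AppData\Roaming\update\update.exe", "ImageLoaded": r"C:\Users\a\AppData\Roaming\update\whisper.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"[{a.severity:6}] {a.rule}: {a.detail}")
```

Two caveats before running anything like this in production. Hostname-based matching only works when the sensor resolves destinations (Sysmon does so only when DNS lookup is enabled) and does not see the connection through a proxy; on a proxied estate the same rule belongs in the proxy log instead. And Windows service hosts do legitimately reach some Microsoft endpoints, so the graph.microsoft.com rule should be baselined against normal svchost.exe traffic before it is allowed to page anyone.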

    A schematic overview of GopherWhisper’s arsenal is provided in Figure 1.

    Figure 1. GopherWhisper toolset overview

    Revealing messages

    As mentioned in the introduction, GopherWhisper is characterized by the extensive use of legitimate services such as Slack, Discord, and Outlook for C&C communication. During our investigation, we managed to extract thousands of Slack and Discord messages, as well as several draft email messages from Microsoft Outlook. This gave us great insight into the inner workings of the group.

    Timestamp inspection of the Slack and Discord messages showed that the bulk of them were sent during working hours, i.e. between 8 am and 5 pm in UTC+8 (see Figure 2 and Figure 3), which matches China Standard Time. Furthermore, the time zone configured for the user in the Slack metadata was also set to UTC+8. We therefore believe that GopherWhisper is a China-aligned group.
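The working-hours argument above is a standard attribution heuristic, and it is worth making it reproducible rather than eyeballing a histogram. The following is an added example, not ESET's analysis code, that goes a step further than the post: instead of checking UTC+8 alone it scores every candidate UTC offset in half-hour steps by the share of messages that fall on a weekday between 8 am and 5 pm local time, and reports the offset that fits best. The timestamps are constructed; the two parsers assume the Slack `ts` field (epoch seconds as a string) and Discord's ISO 8601 `timestamp` field.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Added example, not ESET's analysis code. Scores every candidate UTC offset by how many
# messages land in a weekday working window when viewed in that offset. Timestamps below
# are constructed; the parsers assume Slack's epoch-string `ts` and Discord's ISO `timestamp`.

WORK_START, WORK_END = 8, 17                          # 8 am .. 5 pm local, end exclusive
CANDIDATE_OFFSETS = [x / 2 for x in range(-24, 29)]   # -12:00 .. +14:00 in half-hour steps


def parse_slack_ts(ts: str) -> datetime:
    """Slack message `ts` values look like '1736121600.000100' (epoch seconds, UTC)."""
    return datetime.fromtimestamp(float(ts), tz=timezone.utc)


def parse_discord_ts(ts: str) -> datetime:
    """Discord message `timestamp` values are ISO 8601, e.g. '2025-01-06T00:00:00.000000+00:00'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def hour_histogram(timestamps, offset_hours: float) -> Counter:
    """Messages per local hour, the shape plotted in the post's Figures 2 and 3."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(t.astimezone(tz).hour for t in timestamps)


def working_hours_fraction(timestamps, offset_hours: float) -> float:
    tz = timezone(timedelta(hours=offset_hours))
    local = [t.astimezone(tz) for t in timestamps]
    hits = sum(1 for t in local if t.weekday() < 5 and WORK_START <= t.hour < WORK_END)
    return hits / len(local)


def best_offset(timestamps) -> tuple[float, float]:
    """Return (offset_hours, fraction) for the offset that fits a working-hours pattern best."""
    scored = [(working_hours_fraction(timestamps, o), o) for o in CANDIDATE_OFFSETS]
    frac, off = max(scored)   # ties resolve to the larger offset; check the histogram, do not trust blindly
    return off, frac


def _constructed_timestamps() -> list[datetime]:
    # Five weekdays (2025-01-06 is a Monday): a message every 20 minutes from 00:00 to 08:40 UTC,
    # i.e. 08:00 to 16:40 in UTC+8, plus one late message per day at 14:00 UTC (22:00 UTC+8).
    ts = []
    for day in range(5):
        base = datetime(2025, 1, 6, tzinfo=timezone.utc) + timedelta(days=day)
        for hour in range(0, 9):
            for minute in (0, 20, 40):
                ts.append(base.replace(hour=hour, minute=minute))
        ts.append(base.replace(hour=14))
    return ts


SAMPLE_TIMESTAMPS = _constructed_timestamps()

if __name__ == "__main__":
    off, frac = best_offset(SAMPLE_TIMESTAMPS)
    print(f"best fit: UTC{off:+.1f} with {frac:.0%} of messages in working hours")
    for hour, n in sorted(hour_histogram(SAMPLE_TIMESTAMPS, off).items()):
        print(f"{hour:02d}:00  {'#' * n}")
```

The scan over all offsets is what keeps the heuristic honest: a single offset will always look plausible if it is the only one tried, while a clear winner against its neighbours (here +8.0 beats +7.5 and +8.5 because the first and last messages of the day fall outside the window when shifted by half an hour) is harder to explain away. It still only narrows the candidates to a longitude band, which is why the post pairs it with the Slack user's configured time zone and the VM installation time.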

    Figure 2. Slack messages every hour

    Figure 3. Number of Discord messages every hour

    Based on our investigation, the group’s Slack and Discord servers were first used to test the functionality of the backdoors, and then later, without clearing the logs, also used as C&C servers for the LaxGopher and RatGopher backdoors on multiple compromised machines.

    LaxGopher’s Slack channel

    The messages we collected revealed that LaxGopher C&C communications were mainly used to send commands for disk and file enumeration.

    In addition, we found several interesting links to GitHub repositories containing malicious code among the Slack messages, as listed in Table 1. Judging from the source code of each repository, we assume they served as learning material and as a reference during development.

    Table 1. GitHub repositories found within test uploads from operators

    RatGopher’s Discord channel

    Apart from C&C communication, RatGopher’s Discord channel also contained Go source code that may have been an early iteration of the backdoor.

    Additionally, we were able to obtain details about operator machines, since they often used them to run enumeration processes for testing purposes. This showed us, among other things, that an operator used a virtual machine based on VMware, and that the machine had been booted and installed at a time that aligns very nicely with the UTC+8 time zone.

    Microsoft 365 Outlook communication

    In addition to the Slack and Discord communication, we were also able to extract email messages used for communication between the BoxOfFriends backdoor and its C&C via the Microsoft Graph API. There we noticed that the welcome email message from Microsoft, from when the account was created, had never been deleted. This message confirmed that the account barrantaya.1010@outlook[.]com was created on July 11th, 2024, just 11 days before the creation of the FriendDelivery DLL – the loader used to execute BoxOfFriends – on July 22nd, 2024.

    Conclusion

    Our investigation into GopherWhisper revealed an APT group that uses a varied toolset of custom loaders, injectors, and backdoors. By analyzing the C&C communications obtained from the attacker-operated Slack and Discord channels, and from draft Outlook email messages, we were able to gain additional information about the group’s inner workings and post-compromise activities.

    For a detailed analysis of the toolset and the obtained C&C traffic, read our full white paper.

    A comprehensive list of indicators of compromise (IoCs) can be found in the white paper and in our GitHub repository.
