APT GopherWhisper: China-Linked Hackers Exploit Legitimate Services in Government Cyber Espionage Attacks


Key Takeaways

  • ESET identified a previously unknown China‑linked APT dubbed GopherWhisper, active since at least November 2023.
  • The group employs a suite of custom Go‑ and C++‑based tools that abuse legitimate services (Slack, Discord, file.io, Microsoft Graph/Outlook) for command‑and‑control and data exfiltration.
  • Core components include the LaxGopher backdoor (Slack C2), the JabGopher memory injector, CompactGopher file collector, RatGopher (Discord C2), SSLORDoor (raw TCP/OpenSSL), and BoxOfFriends/FriendDelivery (Outlook draft API).
  • The toolset was discovered during an investigation of a Mongolian government breach, affecting roughly 12 systems directly and suggesting many more undisclosed victims.
  • Because the code, tactics, and targeting show no clear overlap with known APT groups, ESET treats GopherWhisper as a distinct threat actor.

Overview of GopherWhisper’s Discovery and Attribution
ESET’s telemetry first flagged GopherWhisper in January 2025 while analyzing a Go‑based backdoor found on a Mongolian governmental entity’s systems. Timestamp inspection of associated chat messages and emails traced the activity to China, with evidence pointing to operations dating back to at least November 2023. The lack of resemblance in code, tactics, techniques, and procedures (TTPs) to any existing intrusion set led ESET to define a new threat cluster, naming it GopherWhisper and attributing the identified toolset to this group. This determination underscores the importance of linking seemingly unrelated malware families through behavioral and infrastructural analysis rather than relying solely on code similarities.


LaxGopher: Slack‑Based Command‑and‑Control Backdoor
The primary implant uncovered in the Mongolian case is LaxGopher, a Go‑written backdoor that leverages Slack as its C2 channel. After establishing a connection to a hard‑coded Slack workspace via a bot token, LaxGopher can receive commands, execute them through the Windows command prompt, and exfiltrate gathered data back to the same channel. Its capabilities include drive and file enumeration, arbitrary command execution, and the ability to download and run additional payloads. By using a legitimate collaboration platform, the malware blends with normal traffic, reducing the likelihood of detection by conventional network‑based defenses.


JabGopher: Memory‑Resident Injector for LaxGopher
To execute LaxGopher without touching disk, the attackers deploy JabGopher, a specialized injector. JabGopher creates a new instance of the legitimate Windows process svchost.exe and then injects the LaxGopher payload directly into its memory space. This technique, known as process hollowing or reflective DLL injection, allows the backdoor to run under the guise of a trusted system service, evading many endpoint‑protection solutions that monitor for unauthorized executables. The injector’s reliance on a benign system binary further complicates forensic analysis, as malicious activity appears to originate from a standard Windows component.
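From the defender's side, the JabGopher/LaxGopher pairing leaves a recognisable trace in process-creation telemetry: an svchost.exe that was not started by services.exe, followed by a command prompt whose parent is that svchost.exe. The following Python is an added example, not code from ESET's report; the events are constructed in the shape of Sysmon Event ID 1 fields, and the parent/command-line rules are simplified assumptions to tune per environment.

```python
# Constructed process-creation events (not from ESET's report), shaped like the fields of a
# Sysmon Event ID 1 record: image, parent image and command line.
EVENTS = [
    {"pid": 812,  "image": r"C:\Windows\System32\services.exe",
     "parent": r"C:\Windows\System32\wininit.exe", "cmdline": "services.exe"},
    {"pid": 1204, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs -p"},
    {"pid": 4410, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Users\u\AppData\Local\Temp\update.exe", "cmdline": "svchost.exe"},
    {"pid": 4420, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "cmdline": "cmd.exe /c dir C:\\"},
]


def _basename(path):
    """Lower-cased file name of a Windows path (assumption: backslash or slash separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_svchost(events):
    """svchost.exe is normally started by services.exe with a '-k <group>' argument.
    A copy created by any other parent, or without a service group, is how a
    JabGopher-style hollowed host process shows up; returns (pid, reason) pairs."""
    hits = []
    for e in events:
        if _basename(e["image"]) != "svchost.exe":
            continue
        if _basename(e["parent"]) != "services.exe":
            hits.append((e["pid"], "unexpected parent " + _basename(e["parent"])))
        elif " -k " not in " " + e["cmdline"] + " ":
            hits.append((e["pid"], "missing -k service group"))
    return hits


def shell_from_svchost(events):
    """LaxGopher runs commands through the command prompt, so cmd.exe whose parent is
    svchost.exe is the second half of the pattern; returns the pids of such shells."""
    return [e["pid"] for e in events
            if _basename(e["image"]) == "cmd.exe" and _basename(e["parent"]) == "svchost.exe"]
```

Correlating both signals on the same host within a short window gives a much stronger alert than either rule alone, since a lone svchost.exe without `-k` does occur on some builds.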


CompactGopher: Go‑Based File Collector Utilising file.io
Among LaxGopher’s downloadable payloads is CompactGopher, a Go‑crafted file‑gathering tool. CompactGopher scans selected directories, compresses the gathered files into an archive, and uploads the archive to the public file‑sharing service file.io via its REST API. Because file.io offers temporary, link‑based sharing with automatic deletion after a set number of downloads or time period, the exfiltrated data can be retrieved by the attackers while leaving minimal persistent traces on the victim network. The use of a widely‑available, benign file‑sharing platform exemplifies the APT’s strategy of “living off the land” with legitimate internet services.


RatGopher: Discord‑Centric Backdoor
Another component of GopherWhisper’s arsenal is RatGopher, also written in Go but configured to use Discord for C2 communication. Similar to LaxGopher, RatGopher can spawn new command‑prompt instances, execute arbitrary commands, and transfer files to and from file.io. The choice of Discord provides the attackers with an additional, widely trusted channel that is often permitted through corporate firewalls for legitimate collaboration. By maintaining multiple C2 avenues—Slack, Discord, and others—the group enhances resilience; if one platform is blocked or monitored, the others can sustain communication with compromised hosts.


SSLORDoor: C++ Backdoor Leveraging OpenSSL Raw TCP
Diverging from the Go‑based tools, SSLORDoor is a C++ implant that establishes communication over raw TCP sockets secured with the OpenSSL BIO abstraction. This approach enables encrypted, low‑level network traffic that can bypass simple signature‑based detection. SSLORDoor can launch a hidden command‑prompt process, enumerate drives, perform file‑system manipulation (e.g., create, delete, rename files), and initiate additional socket connections for lateral movement or further payload delivery. Its reliance on a well‑known cryptographic library rather than a custom protocol helps the traffic appear as ordinary HTTPS‑like TLS flows, complicating deep‑packet inspection efforts.


BoxOfFriends and FriendDelivery: Outlook/Graph API Abuse
ESET also uncovered two related tools that abuse Microsoft’s cloud services. BoxOfFriends is a Go backdoor that communicates through the Microsoft Graph API, specifically by reading and writing draft messages in a victim’s Outlook mailbox. This method allows the malware to exfiltrate files, open reverse shells, alter network port configurations, and execute attacker‑supplied commands—all while appearing as routine email activity. Complementing BoxOfFriends, FriendDelivery is a DLL injector tasked with loading the BoxOfFriends payload into a legitimate process, thereby stealthily establishing the backdoor’s presence. The combination showcases GopherWhisper’s proficiency in exploiting widely‑used enterprise collaboration and productivity platforms for persistent, covert operations.


Victim Scope, Attribution Significance, and Closing Remarks
In the Mongolian government intrusion, ESET observed that roughly 12 systems were directly infected with the GopherWhisper toolset. However, the telemetry and overlapping indicators suggest that dozens of additional entities may have been compromised, either by the same campaign or by similar tactics leveraging legitimate services. The novelty of GopherWhisper lies not in any single innovative technique but in the eclectic blend of benign services—Slack, Discord, file.io, Microsoft Graph/Outlook, and raw TLS‑encrypted TCP—for C2, data staging, and payload delivery. This heterogeneity frustrates defenses that rely on monitoring a narrow set of known malicious indicators. By classifying the activity as a new APT, ESET highlights the need for defenders to adopt behavior‑based detection, monitor anomalous usage of legitimate cloud and collaboration APIs, and enforce strict least‑privilege access to reduce the attack surface available to such stealthy, service‑abusing adversaries.
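The "monitor anomalous usage of legitimate cloud and collaboration APIs" advice above is concrete once network telemetry carries process attribution: the question becomes which process on the host is talking to Slack, Discord, file.io or Microsoft Graph. The Python below is an added example, not code from ESET's report; the log lines are constructed, and the expected-client allowlist is an assumption to be tuned to the environment being monitored.

```python
import re

# Constructed sample lines (not from ESET's report), in a "timestamp host process dest uri" shape
# that an EDR or proxy with process attribution might emit.
SAMPLE_LOG = """\
2025-01-14T09:02:11Z ws-07 slack.exe slack.com /api/conversations.history
2025-01-14T09:02:40Z ws-07 svchost.exe slack.com /api/chat.postMessage
2025-01-14T09:03:05Z ws-11 Discord.exe discord.com /api/v9/channels/1/messages
2025-01-14T09:03:30Z ws-11 cmd.exe discord.com /api/v9/channels/1/messages
2025-01-14T09:04:02Z ws-07 svchost.exe file.io /
2025-01-14T09:05:17Z ws-03 outlook.exe graph.microsoft.com /v1.0/me/mailFolders/drafts/messages
2025-01-14T09:05:50Z ws-03 notepad.exe graph.microsoft.com /v1.0/me/mailFolders/drafts/messages
2025-01-14T09:06:10Z ws-03 chrome.exe slack.com /api/users.list
"""

# Services the report names as abused, mapped to the client processes expected to use them (assumed allowlist).
EXPECTED_CLIENTS = {
    "slack.com": {"slack.exe"},
    "discord.com": {"discord.exe"},
    "file.io": set(),                      # no business process should upload here
    "graph.microsoft.com": {"outlook.exe", "teams.exe"},
}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Return (timestamp, host, process, dest, uri) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def detect(log_text):
    """Flag traffic to an abused service from a process that should not use it.
    Returns (host, process, dest, uri, reason) tuples in log order."""
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, host, proc, dest, uri = parsed
        if dest not in EXPECTED_CLIENTS:
            continue                        # not one of the services we care about
        p = proc.lower()
        if p in EXPECTED_CLIENTS[dest] or p in BROWSERS:
            continue                        # expected client or a browser session
        # svchost.exe talking to a chat API is the JabGopher/LaxGopher pairing on the wire
        reason = "system binary using collaboration API" if p == "svchost.exe" else "unexpected client process"
        alerts.append((host, proc, dest, uri, reason))
    return alerts
```

Browser traffic is deliberately allowed here to keep the rule quiet; in practice the Graph drafts path and file.io uploads deserve a separate, lower-threshold rule regardless of the client.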
