GopherWhisper APT Leverages Legitimate Services for Government Attacks
A newly discovered, suspected Chinese state-sponsored threat actor dubbed **GopherWhisper** is actively targeting government entities using a custom Go-based toolkit. The group abuses legitimate services like **Microsoft 365 Outlook**, **Slack**, and **Discord** for command-and-control (C2) communication, making detection significantly more challenging.

**GopherWhisper**: A Stealthy New APT on the Block
Active since at least 2023, **GopherWhisper** has been linked to China and is estimated to have compromised dozens of victims. The actor's reliance on legitimate communication platforms allows them to blend in with normal network traffic, increasing their stealth and persistence.
Targeting Mongolian Government Entities
In a campaign identified by cybersecurity company **ESET**, the threat actor targeted a government entity in Mongolia. They deployed a malware suite with multiple backdoors that used **Slack**, **Discord**, and the **Microsoft** Graph API for command-and-control (C2) communication.

Data Exfiltration via File.io
**GopherWhisper** also employs a custom exfiltration tool to compress stolen data and upload it to the File.io file-sharing service. This further obscures their activities and complicates forensic analysis.
The GopherWhisper Toolkit
In January 2025, **ESET** detected the first **GopherWhisper** backdoor, written in Go, and named it LaxGopher. This malware retrieves commands from a private **Slack** server, executes them using the Command Prompt, and downloads new payloads. Further investigation revealed a suite of malicious tools, primarily Go-based:
* RatGopher - Go-based backdoor using a private **Discord** server for C2, executing commands and posting results back to a configured channel.
* BoxOfFriends - Go-based backdoor leveraging **Microsoft 365 Outlook** (**Microsoft** Graph API) to create and modify draft emails for C2 communication.
* SSLORDoor - C++ backdoor using OpenSSL BIO over raw sockets (port 443), capable of executing commands and performing file operations (read, write, delete, upload) and drive enumeration.
* JabGopher - Injector that launches svchost.exe and injects the LaxGopher backdoor (disguised as whisper.dll) into its memory.
* FriendDelivery - Malicious DLL acting as a loader and injector that executes the BoxOfFriends backdoor.
* CompactGopher - Go-based file collection tool that compresses data from the command line and exfiltrates it to the file-sharing service file.io.

*The GopherWhisper toolset. Source: ESET*
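As an added illustration (not ESET's detection logic and not code from the toolkit), the following Python scans constructed egress log lines for the channels named above: Slack and Discord API calls, Microsoft Graph mail operations, and file.io uploads coming from processes that would not normally use them, such as the svchost.exe that JabGopher injects into. The log format and the per-process allow-list are assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed egress log lines: timestamp host process method url
SAMPLE_LOG = """\
2025-01-14T03:12:05Z host-a svchost.exe GET https://slack.com/api/conversations.history
2025-01-14T03:12:07Z host-a svchost.exe PATCH https://graph.microsoft.com/v1.0/me/messages/AAMk-redacted
2025-01-14T03:13:40Z host-b outlook.exe PATCH https://graph.microsoft.com/v1.0/me/messages/AAMk-redacted
2025-01-14T03:15:01Z host-a svchost.exe POST https://file.io/
2025-01-14T03:16:22Z host-c chrome.exe GET https://discord.com/api/v10/channels/1234/messages
2025-01-14T03:17:00Z host-c svchost.exe POST https://discord.com/api/v10/channels/1234/messages
"""

# Channels the article names as GopherWhisper C2/exfil, matched on URL prefix.
SERVICES = {
    "slack": re.compile(r"^https://slack\.com/api/", re.I),
    "discord": re.compile(r"^https://discord(app)?\.com/api/", re.I),
    "graph-mail": re.compile(r"^https://graph\.microsoft\.com/v1\.0/me/(messages|mailFolders)", re.I),
    "file.io": re.compile(r"^https://file\.io(/|$)", re.I),
}
# Assumed baseline of processes allowed to reach each channel; tune per site.
EXPECTED = {
    "slack": {"slack.exe", "chrome.exe", "msedge.exe"},
    "discord": {"discord.exe", "chrome.exe", "msedge.exe"},
    "graph-mail": {"outlook.exe", "olk.exe", "msedge.exe"},
    "file.io": set(),  # no sanctioned client: any upload is a finding
}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$")

def classify(url):
    """Name the watched channel a URL belongs to, or None."""
    return next((n for n, p in SERVICES.items() if p.match(url)), None)

def scan(log_text):
    """Return (findings, hosts touching >=2 channels from unexpected processes)."""
    findings, per_host = [], defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, host, proc, method, url = m.groups()
        svc = classify(url)
        if svc and proc.lower() not in EXPECTED[svc]:
            findings.append({"ts": ts, "host": host, "process": proc,
                             "service": svc, "method": method})
            per_host[host].add(svc)
    # A host using several of these channels looks like the toolkit, not a fluke.
    multi = {h: sorted(s) for h, s in per_host.items() if len(s) >= 2}
    return findings, multi
```

On the constructed sample, the outlook.exe and chrome.exe entries are accepted, the four svchost.exe requests are flagged, and host-a is escalated for touching three separate channels.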
Accessing Attacker C2 Infrastructure
By leveraging hardcoded credentials found within the Go-based backdoors, researchers at **ESET** successfully accessed the attacker's accounts on **Slack**, **Discord**, and **Microsoft Outlook**. This provided invaluable insights into the group's operations, including commands, uploaded files, and experimental activities.
Attribution to China
**ESET**'s analysis of over 6,000 **Slack** messages and 3,000 **Discord** messages, coupled with metadata from the C2 server, strongly suggests a Chinese origin for **GopherWhisper**.
> "Timestamp inspection of these Slack messages showed that the commands were issued between 12 a.m. and 12 p.m. UTC, while Discord message history revealed commands being sent between 12 a.m. and 2 p.m. UTC."
Time zone analysis further reinforced this attribution, with activity concentrated during typical working hours within the UTC+8 time zone.
Wider Impact and Indicators of Compromise
While **ESET** telemetry data indicates 12 compromised systems within a Mongolian government institution, analysis of C2 traffic suggests "dozens of other victims." [GopherWhisper indicators of compromise](http://github.com/eset/malware-ioc/tree/master/gopherwhisper) are available on **ESET**'s GitHub to help defenders identify and block attacks from the new threat cluster.