GopherWhisper: Suspected Chinese APT Targets Mongolian Government with Go-Based Malware
A newly discovered China-linked APT group, dubbed **GopherWhisper**, has been targeting Mongolian governmental institutions. The group leverages a diverse arsenal of custom-built, primarily Go-based malware, abusing legitimate services like **Discord**, **Slack**, and **Microsoft 365 Outlook** for command and control.

**GopherWhisper** has been identified as a China-aligned advanced persistent threat (APT) group actively targeting Mongolian governmental organizations. According to a report by **ESET**, the group employs a wide range of tools, predominantly written in the **Go** programming language, to compromise and exfiltrate data from its victims.
### Modus Operandi
**ESET**'s investigation, shared with The Hacker News, reveals that GopherWhisper abuses legitimate services such as **Discord**, **Slack**, **Microsoft 365 Outlook**, and file[.]io for command-and-control (C&C) communication and data exfiltration. This tactic allows the group to blend in with normal network traffic, making detection more challenging.
The group's activity was first detected in January 2025, following the discovery of a new backdoor, **LaxGopher**, on a system within a Mongolian governmental entity. Analysis suggests GopherWhisper has been active since at least November 2023.
### Malware Arsenal
GopherWhisper's toolkit comprises several custom-built malware families:
* **JabGopher**: An injector that executes the LaxGopher ("whisper.dll") backdoor.
* **LaxGopher**: A Go-based backdoor that uses **Slack** for C&C, executing commands via "cmd.exe" and publishing the results to the Slack channel. It also downloads additional malware.
* **CompactGopher**: A Go-based file collection utility that filters files by extensions (.doc, .docx, .jpg, .xls, .xlsx, .txt, .pdf, .ppt, and .pptx), compresses them into ZIP files, encrypts the archives using AES-CFB-128, and exfiltrates them to file[.]io.
* **RatGopher**: A Go-based backdoor that uses a private **Discord** server for C&C, executing commands and publishing results back to the configured Discord channel. It also supports file uploads to, and downloads from, file[.]io.
* **SSLORDoor**: A C++-based backdoor that uses OpenSSL BIO for communication via raw sockets on port 443. It enumerates drives, performs file operations, and runs commands based on C&C input via "cmd.exe."
* **FriendDelivery**: A malicious DLL that serves as a loader and injector for **BoxOfFriends**.
* **BoxOfFriends**: A Go-based backdoor that uses the **Microsoft Graph API** to craft draft emails for C&C using hard-coded credentials. An early **Outlook** account used for this purpose ("barrantaya.1010@outlook[.]com") was created on July 11, 2024.
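
The common thread in this arsenal is C&C over legitimate chat and mail APIs (Slack, Discord, Microsoft Graph) combined with file[.]io for exfiltration, which is what a network-side hunt can key on. The following Go program is an added example written for this article, not ESET's code or any GopherWhisper sample: it parses a few constructed proxy log lines (the `key=value` format, host names and paths are assumptions) and flags hosts that both call one of those APIs and touch file[.]io.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed proxy log lines for this example (not from the report).
var sampleLog = []string{
	"2025-01-14T09:12:03Z host=WS-01 method=POST dest=slack.com path=/api/chat.postMessage",
	"2025-01-14T09:12:40Z host=WS-01 method=POST dest=file.io path=/",
	"2025-01-14T09:13:10Z host=WS-02 method=GET dest=slack.com path=/messages/C0123",
	"2025-01-14T09:15:22Z host=WS-03 method=POST dest=discord.com path=/api/v10/channels/1/messages",
	"2025-01-14T09:16:00Z host=WS-04 method=POST dest=graph.microsoft.com path=/v1.0/me/messages",
	"2025-01-14T09:16:30Z host=WS-04 method=GET dest=file.io path=/AbCd12",
}

// serviceOf maps a request to one of the abused services named in the article,
// or "" for ordinary traffic such as a browser loading slack.com pages.
func serviceOf(dest, path string) string {
	switch {
	case dest == "slack.com" && strings.HasPrefix(path, "/api/"):
		return "slack-api"
	case dest == "discord.com" && strings.HasPrefix(path, "/api/"):
		return "discord-api"
	case dest == "graph.microsoft.com" && strings.Contains(path, "/messages"):
		return "graph-mail"
	case dest == "file.io":
		return "file.io"
	}
	return ""
}

// parseLine splits a "key=value" log line into a map (assumed log format).
func parseLine(line string) map[string]string {
	f := map[string]string{}
	for _, tok := range strings.Fields(line) {
		if k, v, ok := strings.Cut(tok, "="); ok {
			f[k] = v
		}
	}
	return f
}

// FlagHosts returns, sorted, every host that used a chat/mail API and also
// contacted file.io: the LaxGopher/RatGopher/BoxOfFriends plus CompactGopher pattern.
func FlagHosts(lines []string) []string {
	seen := map[string]map[string]bool{}
	for _, l := range lines {
		f := parseLine(l)
		if svc := serviceOf(f["dest"], f["path"]); svc != "" {
			if seen[f["host"]] == nil {
				seen[f["host"]] = map[string]bool{}
			}
			seen[f["host"]][svc] = true
		}
	}
	var out []string
	for h, s := range seen {
		if s["file.io"] && (s["slack-api"] || s["discord-api"] || s["graph-mail"]) {
			out = append(out, h)
		}
	}
	sort.Strings(out)
	return out
}

func main() { fmt.Println(FlagHosts(sampleLog)) } // prints [WS-01 WS-04]
```

The API-path checks keep ordinary browser use of these sites out of the result; in a real deployment the rule still needs tuning against the organisation's baseline, since legitimate automation can hit the same endpoints.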

### Attribution
While the initial access vector remains unknown, **ESET**'s analysis points towards a China-aligned origin. "Timestamp inspection of the **Slack** and **Discord** messages showed us that the bulk of them were being sent during working hours, i.e., between 8 a.m. and 5 p.m., which aligns with China Standard Time," said **ESET** researcher Eric Howard. "Furthermore, the locale for the configured user in Slack metadata was also set to this time zone. We therefore believe that GopherWhisper is a China-aligned group."