China-Linked GopherWhisper Infects 12 Mongolian Government Systems with Go Backdoors
ESET has uncovered a China-aligned APT group, GopherWhisper, that has compromised at least 12 Mongolian government systems using a suite of Go-based backdoors that abuse legitimate services like Discord and Slack for command-and-control.

ESET has disclosed a previously undocumented China-aligned advanced persistent threat (APT) group tracked as GopherWhisper, which has been targeting Mongolian governmental institutions since at least November 2023. The group employs a diverse arsenal of tools, primarily written in Go, to compromise and maintain persistence on victim systems. According to ESET's report, GopherWhisper abuses legitimate services such as Discord, Slack, Microsoft 365 Outlook, and file.io for command-and-control (C2) communication and data exfiltration, making its malicious traffic blend in with normal business use.
The group was first identified in January 2025 after ESET discovered a novel backdoor named LaxGopher on a system belonging to a Mongolian government entity. LaxGopher is a Go-based backdoor that uses Slack for C2, executing commands via cmd.exe and publishing results back to a Slack channel. It also downloads additional malware. Another key tool is RatGopher, a Go-based backdoor that leverages a private Discord server for C2, executing commands and exfiltrating files to file.io. ESET's telemetry indicates that approximately 12 systems within the Mongolian governmental institution were infected, with C2 traffic from attacker-controlled Discord and Slack servers suggesting dozens more victims beyond those directly observed.
The GopherWhisper toolkit includes several other components. JabGopher is an injector that executes the LaxGopher backdoor (named "whisper.dll"). CompactGopher is a Go-based file collection utility that filters files by extensions (such as .doc, .pdf, .xls), compresses them into ZIP archives, encrypts them using AES-CFB-128, and exfiltrates them to file.io. SSLORDoor is a C++ backdoor that uses OpenSSL BIO for communication over raw sockets on port 443, enabling drive enumeration, file operations, and command execution. FriendDelivery is a malicious DLL that acts as a loader for BoxOfFriends, a Go-based backdoor that uses the Microsoft Graph API to craft draft emails for C2, with the earliest Outlook account created for this purpose dating to July 11, 2024.
ESET researchers noted that the timing of Slack and Discord messages indicated the bulk of activity occurred during working hours between 8 a.m. and 5 p.m., aligning with China Standard Time. Additionally, the locale configured in Slack metadata was set to this time zone, leading ESET to assess with high confidence that GopherWhisper is a China-aligned group. The initial access vector remains unknown, but once a foothold is established, the group deploys a wide range of implants to maintain control and exfiltrate sensitive data.
The discovery of GopherWhisper highlights the ongoing cyber espionage activities targeting government entities in Mongolia, likely for geopolitical intelligence gathering. The abuse of widely used cloud services for C2 and exfiltration makes detection challenging, as traffic to platforms like Discord and Slack is often permitted by default in corporate environments. Organizations are advised to monitor for anomalous use of these services and implement strict application control policies to mitigate such threats.
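As an added illustration of the monitoring advice above (this is not ESET's code and not part of the report), the script below scans web-proxy log lines for requests to the services GopherWhisper abused and flags those that do not look like a browser or official desktop client, such as Go's default `Go-http-client` user agent or a `POST` to file.io. It also converts each timestamp to UTC+8 and records whether it falls in the 8 a.m. to 5 p.m. window ESET observed. The log format, the hostnames mapped to each service, the user-agent patterns, and the sample lines are all constructed assumptions for the example.

```python
"""Flag anomalous Slack/Discord/Graph/file.io use in constructed proxy logs.

Added example, not ESET's code. Log layout, hostnames and UA patterns are assumptions.
"""
import re
from datetime import datetime, timedelta, timezone

# Services the ESET report names as abused for C2 and exfiltration.
# The hostname-to-service mapping is an assumption for this example.
WATCHED_HOSTS = {
    "slack.com": "Slack",
    "api.slack.com": "Slack",
    "discord.com": "Discord",
    "gateway.discord.gg": "Discord",
    "graph.microsoft.com": "Microsoft Graph",
    "file.io": "file.io",
}

# User agents a browser or official desktop client would present (assumed patterns).
CLIENT_UA = re.compile(r"Mozilla/|Discord/|Slack_", re.IGNORECASE)
# Default User-Agent of Go's net/http package when a program sets none.
GO_UA = re.compile(r"^Go-http-client/")

CST = timezone(timedelta(hours=8))  # UTC+8, the working-hours zone noted in the report

# Constructed log layout: "<iso-utc> <src-ip> <method> <url> "<user-agent>" <status>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)" (?P<status>\d{3})$'
)

# Constructed sample lines: two look like a Go tool talking to Slack and uploading to
# file.io, one is a legitimate Slack desktop client, one is a scripted Discord gateway
# connection, one is unrelated browsing, one is a Go tool polling Discord overnight.
SAMPLE_LOG = """\
2025-01-14T01:12:03Z 10.20.30.41 POST https://slack.com/api/chat.postMessage "Go-http-client/1.1" 200
2025-01-14T01:12:09Z 10.20.30.41 POST https://file.io/ "Go-http-client/1.1" 200
2025-01-14T03:30:44Z 10.20.30.57 GET https://slack.com/api/conversations.history "Mozilla/5.0 (Windows NT 10.0) Slack_SSB/4.36" 200
2025-01-14T09:05:17Z 10.20.30.12 GET https://gateway.discord.gg/?v=10 "python-requests/2.31" 101
2025-01-14T09:06:02Z 10.20.30.12 GET https://www.example.org/ "Mozilla/5.0" 200
2025-01-14T17:45:00Z 10.20.30.41 GET https://discord.com/api/v10/channels/1/messages "Go-http-client/1.1" 200
"""


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["host"] = rec["url"].split("/")[2]  # host part of https://host/path
    return rec


def assess(rec):
    """Return the reasons a request to a watched service looks anomalous (empty if none)."""
    service = WATCHED_HOSTS.get(rec["host"])
    if service is None:
        return []
    reasons = []
    if GO_UA.match(rec["ua"]):
        reasons.append(f"{service} reached with Go default user agent")
    elif not CLIENT_UA.search(rec["ua"]):
        reasons.append(f"{service} reached with non-client user agent {rec['ua']!r}")
    if service == "file.io" and rec["method"] == "POST":
        reasons.append("upload to file.io (possible exfiltration)")
    return reasons


def analyze(lines):
    """Return one finding per anomalous request, annotated with the UTC+8 hour."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = assess(rec)
        if reasons:
            local_hour = rec["ts"].astimezone(CST).hour
            findings.append({
                "src": rec["src"],
                "host": rec["host"],
                "reasons": reasons,
                "cst_hour": local_hour,
                "in_cst_working_hours": 8 <= local_hour < 17,
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f['src']} -> {f['host']} at {f['cst_hour']:02d}:00 UTC+8 "
              f"(working hours: {f['in_cst_working_hours']}): {'; '.join(f['reasons'])}")
```

The working-hours flag is context for an analyst rather than a detection on its own: a single request inside the window proves nothing, but a host whose flagged traffic clusters in that window, from a user agent no sanctioned client uses, is worth pulling for process-level review. In a real deployment the hostname list and user-agent patterns would come from an inventory of the clients the organisation actually permits.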