VYPR
Research · Published Apr 23, 2026 · Updated May 18, 2026 · 1 source

GopherWhisper: New China-Aligned APT Group Targets Mongolian Government with Go-Based Malware

ESET researchers have uncovered a previously undocumented China-aligned APT group, GopherWhisper, which uses a suite of custom Go-based backdoors to target a Mongolian governmental entity.

ESET researchers have discovered a new China-aligned advanced persistent threat (APT) group, dubbed GopherWhisper, that has been targeting a governmental entity in Mongolia. The group employs a diverse arsenal of custom malware, primarily written in the Go programming language, to conduct espionage and data exfiltration operations. GopherWhisper's distinctive approach includes the abuse of legitimate services such as Discord, Slack, Microsoft 365 Outlook, and file.io for command-and-control (C2) communication and data exfiltration.

The group's toolset includes several backdoors and supporting utilities. LaxGopher is a Go-based backdoor that communicates via a private Slack server to receive commands and exfiltrate results. RatGopher similarly uses a private Discord server for C2. BoxOfFriends leverages the Microsoft 365 Outlook mail REST API to create and modify draft emails for stealthy communication. An injector called JabGopher executes LaxGopher by injecting it into a legitimate svchost.exe process, while CompactGopher is a file collection and exfiltration tool that uploads compressed data to file.io. FriendDelivery serves as a loader for BoxOfFriends, and SSLORDoor is a C++ backdoor using OpenSSL for raw socket communication on port 443.

ESET researchers discovered the group in January 2025 after finding the LaxGopher backdoor on a Mongolian government system. Further investigation revealed the full suite of tools, which showed no code similarities or TTP overlaps with any known threat actor, leading to the attribution to a new group. The name GopherWhisper was chosen due to the prevalence of Go-based tools (the Go mascot is a gopher) and the filename whisper.dll, a malicious component used in the attack.

A critical aspect of the investigation was the extraction of thousands of C2 messages from the attacker's Slack and Discord channels. By obtaining API tokens, ESET researchers gained unprecedented insight into the group's internal operations and post-compromise activities. Timestamp analysis of these messages showed that the bulk of communications occurred during working hours in the UTC+8 time zone, aligning with China Standard Time, further supporting the attribution to a China-aligned group.
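The working-hours analysis described above is a standard attribution technique: convert every message timestamp into a candidate local time zone and see which offset concentrates activity into an ordinary business day. The following script is an added illustration of that method, not code from ESET or from this summary; the timestamps are constructed sample values, not the real C2 messages, and the 08:00 to 18:00 working-day window is an assumption.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of message timestamps in UTC (ISO 8601). These are
# made-up values for illustration, not data from the ESET report.
SAMPLE_TIMESTAMPS_UTC = [
    "2025-01-06T01:15:00Z",  # 09:15 in UTC+8
    "2025-01-06T02:40:00Z",  # 10:40
    "2025-01-06T03:05:00Z",  # 11:05
    "2025-01-06T06:30:00Z",  # 14:30
    "2025-01-06T07:55:00Z",  # 15:55
    "2025-01-06T09:20:00Z",  # 17:20
    "2025-01-07T00:50:00Z",  # 08:50
    "2025-01-07T05:10:00Z",  # 13:10
    "2025-01-07T08:45:00Z",  # 16:45
    "2025-01-07T15:00:00Z",  # 23:00, an outlier outside working hours
]


def parse_utc(ts: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def hour_histogram(timestamps, utc_offset_hours: int) -> Counter:
    """Count messages per local hour of day for a given fixed UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return Counter(parse_utc(ts).astimezone(tz).hour for ts in timestamps)


def working_hours_fraction(timestamps, utc_offset_hours: int,
                           start: int = 8, end: int = 18) -> float:
    """Share of messages that fall inside [start, end) local time.

    The 08:00-18:00 window is an assumed working day, not a value from the report.
    """
    hist = hour_histogram(timestamps, utc_offset_hours)
    total = sum(hist.values())
    in_hours = sum(count for hour, count in hist.items() if start <= hour < end)
    return in_hours / total if total else 0.0


def best_fit_offset(timestamps, candidates=range(-12, 15)) -> int:
    """Return the UTC offset that puts the largest share of messages in working hours.

    Ties are broken toward the offset closest to UTC; with real data you would
    also inspect the full histogram rather than trusting a single number.
    """
    return max(candidates,
               key=lambda off: (working_hours_fraction(timestamps, off), -abs(off)))


if __name__ == "__main__":
    for off in (0, 8):
        hist = hour_histogram(SAMPLE_TIMESTAMPS_UTC, off)
        print(f"UTC{off:+d}: {working_hours_fraction(SAMPLE_TIMESTAMPS_UTC, off):.0%} "
              f"in working hours, busiest hour {hist.most_common(1)[0][0]:02d}:00")
    print("best-fit offset:", best_fit_offset(SAMPLE_TIMESTAMPS_UTC))
```

On the constructed sample the UTC+8 interpretation puts nine of ten messages inside the working day, while the raw UTC view puts only three there. With thousands of real messages the same histogram also exposes weekday/weekend rhythm and lunch breaks, which is why timestamp analysis is treated as supporting evidence for attribution rather than proof on its own.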

The C2 messages revealed that the group used the Slack and Discord servers initially for testing backdoor functionality and later for live operations on multiple compromised machines. Commands included disk and file enumeration, and the messages also contained links to GitHub repositories hosting malicious code. This level of visibility into the attacker's infrastructure is rare and provides valuable intelligence for defenders.

The discovery of GopherWhisper highlights the ongoing threat posed by state-sponsored APT groups targeting government entities in Asia. The group's reliance on legitimate cloud services for C2 makes detection more challenging, as traffic blends with normal business communications. ESET has published a detailed white paper on the group's toolset and C2 traffic, providing indicators of compromise and detection guidance for organizations.
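Because the C2 traffic goes to hosts that legitimate clients also contact, blocking by destination is not an option; what stands out instead is the process making the connection, such as svchost.exe (which JabGopher abuses as an injection target) reaching Slack or Discord, or an unknown binary uploading to file.io. The script below is an added example of that process-to-destination check over endpoint network events; it is not ESET's detection guidance and not code from this summary. The hostname-to-service mapping, the allowlist of expected client processes and the log line format are assumptions for the example, and the event lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hostnames belonging to the legitimate services the report says were abused.
# The grouping of hostnames into services is an assumption for this example.
SERVICE_HOSTS = {
    "slack": ("slack.com",),
    "discord": ("discord.com", "discordapp.com", "discord.gg"),
    "outlook_api": ("graph.microsoft.com", "outlook.office.com", "outlook.office365.com"),
    "file.io": ("file.io",),
}

# Processes expected to contact each service on a typical managed workstation.
# This allowlist is an illustrative assumption; tune it to your own fleet.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
EXPECTED_PROCESSES = {
    "slack": BROWSERS | {"slack.exe"},
    "discord": BROWSERS | {"discord.exe"},
    "outlook_api": BROWSERS | {"outlook.exe"},
    "file.io": BROWSERS,
}

# Assumed EDR-style network connection event format (constructed for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) "
    r"image=(?P<image>.+?) dst=(?P<dst>[^:\s]+):(?P<port>\d+)$"
)

# Constructed sample events; none of these hosts, paths or PIDs are from the report.
SAMPLE_EVENTS = [
    "2025-01-14T02:10:05Z host=WS-017 pid=4412 image=C:\\Program Files\\Slack\\slack.exe dst=wss-primary.slack.com:443",
    "2025-01-14T02:10:09Z host=WS-017 pid=1208 image=C:\\Windows\\System32\\svchost.exe dst=slack.com:443",
    "2025-01-14T02:11:30Z host=WS-022 pid=7720 image=C:\\Windows\\System32\\svchost.exe dst=discord.com:443",
    "2025-01-14T02:12:01Z host=WS-022 pid=3016 image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe dst=discord.com:443",
    "2025-01-14T02:15:44Z host=WS-031 pid=5560 image=C:\\Users\\Public\\update.exe dst=file.io:443",
    "2025-01-14T02:16:02Z host=WS-031 pid=2280 image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE dst=outlook.office.com:443",
    "2025-01-14T02:17:19Z host=WS-031 pid=5560 image=C:\\Users\\Public\\update.exe dst=graph.microsoft.com:443",
    "2025-01-14T02:18:00Z host=WS-040 pid=9000 image=C:\\Windows\\System32\\svchost.exe dst=ctldl.windowsupdate.com:80",
]


@dataclass
class Alert:
    ts: str
    host: str
    image: str
    dst: str
    service: str


def classify_destination(dst: str) -> Optional[str]:
    """Map a destination hostname to one of the watched services, or None."""
    dst = dst.lower().rstrip(".")
    for service, suffixes in SERVICE_HOSTS.items():
        for suffix in suffixes:
            if dst == suffix or dst.endswith("." + suffix):
                return service
    return None


def parse_line(line: str) -> Optional[dict]:
    """Parse one event line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspicious(lines) -> List[Alert]:
    """Flag connections to watched services from processes not expected to make them."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        service = classify_destination(ev["dst"])
        if service is None:
            continue
        # Compare on the bare image name, case-insensitively (Windows paths).
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image not in EXPECTED_PROCESSES[service]:
            alerts.append(Alert(ev["ts"], ev["host"], image, ev["dst"], service))
    return alerts


if __name__ == "__main__":
    for a in find_suspicious(SAMPLE_EVENTS):
        print(f"{a.ts} {a.host}: {a.image} -> {a.dst} ({a.service})")
```

The rule is deliberately coarse: it will also fire on a legitimate but unlisted client, so in practice it feeds a triage queue rather than an automatic block, and the allowlist is maintained from an inventory of approved software. Its value is that it does not depend on the content of the Slack or Discord traffic, which is encrypted and looks exactly like a user's normal session at the network layer.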

Synthesized by Vypr AI