GopherWhisper: new China-linked APT targets Mongolia with Go-based malware

ESET found a new China-linked APT, tracked as GopherWhisper, targeting Mongolia using Go-based malware, loaders, and backdoors.

ESET researchers uncovered a new China-aligned APT group called GopherWhisper, targeting government institutions in Mongolia. The group’s arsenal includes a range of tools mainly written in Go, such as loaders and injectors, which are used to deploy multiple backdoors. This toolkit allows attackers to maintain access and control over compromised systems, showing a structured and evolving cyber-espionage operation.

ESET uncovered GopherWhisper in January 2025 after finding the LaxGopher backdoor on a Mongolian government system. GopherWhisper uses legitimate platforms like Discord, Slack, Outlook, and file.io for command-and-control and data exfiltration. By finding API tokens, researchers accessed many C&C messages, revealing the group’s activity.

“ESET researchers have discovered a previously undocumented China-aligned APT group that we have
named GopherWhisper. The group wields a wide array of tools mostly written in Go, using injectors and
loaders to deploy and execute various backdoors in its arsenal.” reads the report published by ESET. “For C&C communication and exfiltration, GopherWhisper abuses legitimate services. In the observed campaign, the threat actors mainly targeted a government entity in Mongolia.“

Further analysis revealed a full toolkit of mainly Go-based malware with no links to known groups, leading to the creation of a new attribution. The group deploys multiple backdoors and tools to gain control, execute commands, and steal data. JabGopher injects LaxGopher into svchost.exe, while LaxGopher communicates via Slack, runs commands, and downloads payloads like CompactGopher, which compresses and exfiltrates files. RatGopher uses Discord for command execution, and SSLORDoor handles file operations over encrypted sockets. Additional tools include FriendDelivery, a loader, and BoxOfFriends, which uses Microsoft 365 Outlook APIs for covert command-and-control communication.

Researchers uncovered GopherWhisper’s operations by extracting thousands of messages from Slack, Discord, and Outlook accounts used for command-and-control. Message timestamps showed activity mainly during UTC+8 working hours, suggesting alignment with the Chinese government. Attackers first used these platforms to test malware, then reused them for active operations without clearing logs. Slack communications mainly handled file and disk commands and included links to GitHub code used for development. Discord channels contained early backdoor code and revealed details about operator machines, including a VMware-based setup. Outlook accounts supported covert communication through draft emails, with timelines linking account creation to malware development.

“In addition to the Slack and Discord communication, we were also able to extract email messages used for communication between the BoxOfFriends backdoor and its C&C via the Microsoft Graph API. There we noticed that the welcome email message from Microsoft, from when the account was created, had never been deleted.” continues the report. “This message confirmed that the account barrantaya.1010@outlook[.]com was created on July 11^th, 2024, just 11 days before the creation of the FriendDelivery DLL – the loader used to execute BoxOfFriends – on July 22^nd, 2024.”

ESET researchers discovered about 12 infected systems within a Mongolian government entity and believe dozens more victims exist based on Slack and Discord C&C traffic.

“Our investigation into GopherWhisper revealed an APT group that uses a varied toolset of custom loaders, injectors, and backdoors.” concludes the report. “By analyzing the C&C communications obtained from the attacker-operated Slack and Discord channels, and from draft Outlook email messages, we were able to gain additional information about the group’s inner workings and post-compromise activities.”

More details and IoCs are available in the full white paper and GitHub repository.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, China)