Ethical Hacking News
A previously undocumented China-aligned advanced persistent threat group, tracked as GopherWhisper, has infected 12 systems associated with Mongolian governmental institutions. The group employs a wide array of tools mostly written in Go, using injectors and loaders to deploy and execute various backdoors. GopherWhisper's modus operandi involves abusing legitimate services such as Discord, Slack, Microsoft 365 Outlook, and file.io for command-and-control communication and exfiltration. With C&C traffic indicating dozens of other victims, this APT group marks a significant development in the ongoing struggle against cyber threats.
GopherWhisper, a China-aligned advanced persistent threat (APT) group, has infected 12 systems associated with Mongolian governmental institutions. The group uses a wide array of tools mostly written in Go to deploy and execute various backdoors, among them JabGopher, LaxGopher, CompactGopher, RatGopher, SSLORDoor, FriendDelivery, and BoxOfFriends. It abuses legitimate services such as Discord, Slack, Microsoft 365 Outlook, and file.io for command-and-control (C&C) communication and exfiltration. The timing of its activity points to a China-aligned operation, with C&C traffic sent during working hours in China Standard Time. The group's modus operandi involves deploying a range of tools to execute various commands and exfiltrate sensitive information.
In a significant development that has left cybersecurity experts and researchers scrambling to understand its implications, a previously undocumented China-aligned advanced persistent threat (APT) group, tracked as GopherWhisper, has been discovered to have infected 12 systems associated with Mongolian governmental institutions. According to a report shared by Slovakian cybersecurity company ESET, the group was first identified in January 2025 following the discovery of a never-before-seen backdoor codenamed LaxGopher on a system belonging to a Mongolian governmental entity.
Further investigation by ESET revealed that GopherWhisper employs a wide array of tools mostly written in Go, using injectors and loaders to deploy and execute the various backdoors in its arsenal. JabGopher is an injector that executes the LaxGopher ("whisper.dll") backdoor. LaxGopher itself is a Go-based backdoor that uses Slack for C&C: it executes commands via "cmd.exe", publishes the results back to the Slack channel, and can download additional malware. CompactGopher is a Go-based file collection utility dropped by LaxGopher; it filters files of interest by extension (.doc, .docx, .jpg, .xls, .xlsx, .txt, .pdf, .ppt, and .pptx), compresses them into ZIP files, encrypts the archives using AES-CFB-128, and exfiltrates them to file[.]io. RatGopher is a Go-based backdoor that uses a private Discord server to receive C&C messages, execute commands, and publish the results back to the configured Discord channel, as well as upload and download files from file[.]io. SSLORDoor is a C++-based backdoor that uses OpenSSL BIO for communication via raw sockets on port 443 to enumerate drives, perform file operations, and run commands received from the C&C via "cmd.exe". FriendDelivery is a malicious DLL that serves as a loader and injector for BoxOfFriends, a Go-based backdoor that uses the Microsoft Graph API to craft draft emails for C&C using hard-coded credentials.
GopherWhisper's modus operandi involves abusing legitimate services such as Discord, Slack, Microsoft 365 Outlook, and file.io for command-and-control (C&C) communication and exfiltration. The group also utilizes a file collection tool to gather files of interest and exfiltrate them in compressed format to the file[.]io file sharing service.
The telemetry data collected by ESET indicates that about 12 systems associated with the Mongolian governmental institution were infected by the backdoors, with C&C traffic from the attacker-controlled Discord and Slack servers indicating dozens of other victims. Notably, timestamp inspection of the Slack and Discord messages showed that the bulk of them were being sent during working hours, i.e., between 8 a.m. and 5 p.m., which aligns with China Standard Time.
Furthermore, the locale for the configured user in Slack metadata was also set to this time zone. This observation suggests that GopherWhisper is a China-aligned group, as stated by ESET researcher Eric Howard. "The bulk of the C&C traffic being sent during working hours, aligned with China Standard Time, and the locale for the configured user in Slack metadata also set to this time zone, all point towards a significant probability that GopherWhisper is indeed a China-aligned advanced persistent threat group," he noted.
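The working-hours reasoning above is a routine analyst check. As an added example (written for this article, not ESET's own tooling), the Python below takes C&C message timestamps in UTC, scores every candidate UTC offset by the share of messages that land in an 8 a.m. to 5 p.m. local window, and ranks the offsets; the timestamps are constructed so that UTC+8 (China Standard Time) is the best fit, with one off-hours outlier to show the score is a fraction, not a binary match.

```python
from datetime import datetime, timedelta, timezone

# Local working-hours window used by the ESET observation: 8 a.m. up to (not including) 5 p.m.
WORK_START, WORK_END = 8, 17

# Constructed sample: UTC send times of C&C channel messages. Hours 00-08 UTC correspond
# to 08-16 in UTC+8; the last entry (13:00 UTC, 21:00 UTC+8) is a deliberate off-hours outlier.
SAMPLE_MESSAGE_TIMES = [
    "2025-01-13T00:15:00+00:00", "2025-01-13T01:40:00+00:00", "2025-01-13T03:05:00+00:00",
    "2025-01-13T06:30:00+00:00", "2025-01-13T08:50:00+00:00", "2025-01-14T00:05:00+00:00",
    "2025-01-14T02:20:00+00:00", "2025-01-14T05:45:00+00:00", "2025-01-14T07:10:00+00:00",
    "2025-01-14T08:35:00+00:00", "2025-01-14T13:00:00+00:00",
]


def parse_times(iso_strings):
    """Parse ISO-8601 strings with an explicit offset into timezone-aware datetimes."""
    return [datetime.fromisoformat(s) for s in iso_strings]


def working_hours_fraction(timestamps, offset_hours):
    """Fraction of messages whose local hour (under the given UTC offset) is in working hours."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = sum(1 for ts in timestamps if WORK_START <= ts.astimezone(tz).hour < WORK_END)
    return hits / len(timestamps)


def rank_offsets(timestamps, offsets=range(-12, 15)):
    """Score each whole-hour UTC offset; best fit first, ties broken toward the smaller |offset|."""
    scored = [(off, working_hours_fraction(timestamps, off)) for off in offsets]
    return sorted(scored, key=lambda pair: (-pair[1], abs(pair[0])))


def local_hour_histogram(timestamps, offset_hours):
    """Per-hour message counts under one offset, for eyeballing the shape of the workday."""
    tz = timezone(timedelta(hours=offset_hours))
    hist = {}
    for ts in timestamps:
        h = ts.astimezone(tz).hour
        hist[h] = hist.get(h, 0) + 1
    return dict(sorted(hist.items()))


if __name__ == "__main__":
    times = parse_times(SAMPLE_MESSAGE_TIMES)
    for off, frac in rank_offsets(times)[:5]:
        print(f"UTC{off:+d}: {frac:.0%} of messages inside 08:00-17:00 local")
    print("hour histogram at best offset:", local_hour_histogram(times, rank_offsets(times)[0][0]))
```

A single offset only becomes convincing when the sample is large and spans several days; the Slack locale metadata ESET cites is the independent corroboration that turns a timing fit into an attribution signal.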
It is worth noting that exactly how GopherWhisper obtains initial access to its target networks remains unknown. However, it is clear that once a foothold is gained, the group attempts to deploy a wide range of tools and implants - including JabGopher, LaxGopher, CompactGopher, RatGopher, SSLORDoor, FriendDelivery, and BoxOfFriends - in order to execute various commands and exfiltrate sensitive information.
The discovery of GopherWhisper highlights the evolving nature of cyber threats and underscores the importance of robust threat intelligence capabilities. As the global landscape continues to evolve, it is essential for cybersecurity professionals to stay vigilant and adapt their strategies to counter emerging threats.
Related Information:
https://www.ethicalhackingnews.com/articles/GopherWhisper-A-China-Linked-Advanced-Persistent-Threat-Group-Infects-12-Mongolian-Government-Systems-with-Go-Backdoors-ehn.shtml
https://thehackernews.com/2026/04/china-linked-gopherwhisper-infects-12.html
https://markets.businessinsider.com/news/stocks/eset-research-discovers-new-china-aligned-group-gopherwhisper-it-abuses-messaging-services-discord-slack-and-outlook-to-spy-1036053403?op=1
https://www.eset.com/us/about/newsroom/research/eset-research-discovers-new-china-aligned-group-gopherwhisper-it-abuses-messaging-services-discord-slack-and-outlook-to-spy/
https://www.welivesecurity.com/en/eset-research/gopherwhisper-burrow-full-malware/
Published: Thu Apr 23 05:25:13 2026 by llama3.2 3B Q4_K_M