GopherWhisper APT: China-Linked Campaign Deploys Go-Based Malware Against Mongolian Government

KEY FINDINGS


  • ESET discovered GopherWhisper, a previously undocumented China-aligned APT group targeting Mongolian government institutions

  • The group uses a toolkit primarily written in Go, including custom loaders, injectors, and multiple backdoors

  • GopherWhisper abuses legitimate platforms like Discord, Slack, Outlook, and file.io for command-and-control and data exfiltration

  • At least 12 systems within a Mongolian government entity were confirmed infected, with dozens more suspected

  • Analysis of exposed C&C messages revealed operator activity during UTC+8 working hours, consistent with Chinese government operations


BACKGROUND


ESET researchers uncovered GopherWhisper in January 2025 after identifying the LaxGopher backdoor on a Mongolian government system. The discovery led to a full investigation that revealed a comprehensive and previously unknown toolkit. Because the group relies exclusively on custom Go-based malware with no connections to known threat actors, ESET treated it as a new actor rather than folding it into an existing attribution. Analysis of the group's infrastructure and operational patterns suggests an organized, well-resourced cyber-espionage operation aligned with Chinese government interests.


MALWARE ARSENAL


GopherWhisper deploys multiple specialized tools designed for persistent access and data theft. JabGopher functions as an injector, placing LaxGopher into svchost.exe via process injection. LaxGopher serves as the primary backdoor, communicating via Slack, executing commands, and downloading additional payloads, including CompactGopher, which compresses and exfiltrates files. RatGopher uses Discord channels for command execution, while SSLORDoor handles file operations over encrypted sockets. FriendDelivery acts as a loader for deploying other components, and BoxOfFriends leverages Microsoft 365 Outlook APIs to establish covert command-and-control communication through draft emails.


COMMAND-AND-CONTROL INFRASTRUCTURE


Rather than standing up traditional malicious infrastructure, the group ran its command and control over legitimate cloud platforms, where its traffic blends in with ordinary business use. Slack channels primarily handled file and disk commands and contained links to GitHub repositories used for malware development. Discord servers hosted early backdoor code and revealed operational details about attacker machines, including VMware-based testing environments. Outlook accounts supported communication through draft emails, with account creation timelines directly correlating to malware development dates. After identifying exposed API tokens, researchers extracted thousands of messages from these platforms, providing unprecedented visibility into the group's inner workings.
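The defensive corollary of this section is that C&C hidden in Slack, Discord, Microsoft 365 or file.io traffic is invisible to domain reputation but visible in the question "which process is talking to this platform?". The following script is an added example written for this summary, not ESET's tooling or anything from the GopherWhisper toolkit. It runs over a constructed, tab-separated endpoint log (UTC timestamp, host, process image, destination domain, URL path) and flags platform traffic from processes outside an assumed per-site allowlist, with svchost.exe (which the article says LaxGopher is injected into) and Drafts-folder access by a non-mail client (the BoxOfFriends pattern) as the cases of interest. The domain names are illustrative public API hosts, not indicators from the article.

```python
"""Flag traffic to collaboration/file-sharing platforms from unexpected processes.

Added example for this article; it is not code from ESET or from the GopherWhisper
toolkit. Input is a constructed, tab-separated endpoint log (UTC timestamp, host,
process image, destination domain, URL path). The platform list follows the
article (Slack, Discord, Microsoft 365/Outlook, file.io); the domain names are
public API hosts chosen for illustration, and the process allowlist is an
assumed per-site policy that a real deployment would tune.
"""
from collections import defaultdict

# Platforms the article names as abused for C&C and exfiltration, keyed by the
# destination domains an endpoint log would show (illustrative, not page IoCs).
SAAS_C2_DOMAINS = {
    "api.slack.com": "Slack",
    "hooks.slack.com": "Slack",
    "discord.com": "Discord",
    "discordapp.com": "Discord",
    "graph.microsoft.com": "Microsoft 365",
    "outlook.office.com": "Microsoft 365",
    "file.io": "file.io",
}

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Assumed policy: processes that may legitimately contact each platform.
# svchost.exe (which the article says LaxGopher is injected into) and other
# system binaries are deliberately absent, so they surface as anomalies.
ALLOWED_PROCESSES = {
    "Slack": BROWSERS | {"slack.exe"},
    "Discord": BROWSERS | {"discord.exe"},
    "Microsoft 365": BROWSERS | {"outlook.exe", "teams.exe"},
    "file.io": BROWSERS,
}

# Constructed sample log; hostnames, processes and paths are invented.
SAMPLE_LOG = """\
2025-01-14T02:15:07Z\tWS-017\tsvchost.exe\tapi.slack.com\t/api/conversations.history
2025-01-14T02:15:09Z\tWS-017\tsvchost.exe\tfile.io\t/
2025-01-14T02:16:41Z\tWS-021\tchrome.exe\tdiscord.com\t/api/v9/channels/0/messages
2025-01-14T02:17:02Z\tWS-021\tupdater.exe\tdiscord.com\t/api/v9/channels/0/messages
2025-01-14T02:18:30Z\tWS-005\toutlook.exe\tgraph.microsoft.com\t/v1.0/me/messages
2025-01-14T02:19:11Z\tWS-005\trundll32.exe\tgraph.microsoft.com\t/v1.0/me/mailFolders/drafts/messages
2025-01-14T02:20:00Z\tWS-005\tchrome.exe\twww.example.com\t/
"""


def parse_line(line):
    """Split one log line into a dict; returns None for malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None
    ts, host, image, domain, path = parts
    return {"ts": ts, "host": host, "image": image.lower(),
            "domain": domain.lower(), "path": path}


def classify(event):
    """Return an alert dict if the event is suspicious, otherwise None."""
    platform = SAAS_C2_DOMAINS.get(event["domain"])
    if platform is None:
        return None
    if event["image"] in ALLOWED_PROCESSES[platform]:
        return None
    reason = f"{event['image']} is not an approved client for {platform}"
    # Drafts-folder access by a non-mail client matches the draft-email C&C
    # pattern the article attributes to BoxOfFriends.
    if platform == "Microsoft 365" and "/drafts" in event["path"]:
        reason += "; touches the Drafts folder (possible draft-based C&C)"
    return {"ts": event["ts"], "host": event["host"], "image": event["image"],
            "platform": platform, "reason": reason}


def hunt(log_text):
    """Run classify over every line and group alerts by host."""
    alerts = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        alert = classify(event)
        if alert is not None:
            alerts[alert["host"]].append(alert)
    return dict(alerts)


if __name__ == "__main__":
    for host, items in hunt(SAMPLE_LOG).items():
        for a in items:
            print(f"{a['ts']} {host}: {a['reason']}")
```

On the sample data this yields four alerts across three hosts: both svchost.exe connections on WS-017, the unknown updater.exe talking to Discord on WS-021, and rundll32.exe reaching the Drafts folder on WS-005, while the browser and Outlook sessions pass. The same process-to-destination pairing is what an EDR or proxy with process attribution gives you for free; the allowlist is the part that has to reflect each site's sanctioned tooling.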


OPERATIONAL TIMELINE AND EVIDENCE


The investigators discovered that the Outlook account barrantaya.1010@outlook.com was created on July 11, 2024, just eleven days before FriendDelivery was compiled on July 22, 2024. This tight timeline between account creation and malware development suggests deliberate coordination. Activity patterns showed operators consistently working during UTC+8 business hours, and the Slack logs contained development discussions and GitHub references indicating active code creation and refinement. The researchers noted that the attackers initially used these platforms to test malware functionality and then reused them for live operations without clearing the logs, a significant operational security failure.
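The working-hours inference above is a standard analyst step: bucket C&C message times by hour of day under each candidate UTC offset and see which offset puts the bulk of activity into an ordinary business day. The script below is an added example for this summary, not ESET's method or code; its timestamps are constructed, not extracted GopherWhisper messages, and the 09:00 to 18:00 business window is an assumption.

```python
"""Estimate an operator's working time zone from C&C message timestamps.

Added example for this article; not ESET's method or code, and the timestamps
below are constructed, not extracted GopherWhisper messages. The approach is
the one the article describes: shift UTC message times by each candidate
offset, bucket by hour of day, and rank offsets by how much activity falls
inside an assumed business-hours window.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of hypothetical operator messages.
SAMPLE_TIMESTAMPS = [
    "2024-07-23T01:12:00Z", "2024-07-23T02:40:00Z", "2024-07-23T05:05:00Z",
    "2024-07-23T09:30:00Z", "2024-07-24T01:55:00Z", "2024-07-24T03:20:00Z",
    "2024-07-24T07:45:00Z", "2024-07-24T09:10:00Z", "2024-07-25T02:00:00Z",
    "2024-07-25T04:30:00Z", "2024-07-25T06:15:00Z", "2024-07-25T08:50:00Z",
]

# Assumed local business-hours window, half-open: [WORK_START, WORK_END).
WORK_START, WORK_END = 9, 18
CANDIDATE_OFFSETS = range(-12, 15)  # UTC-12 through UTC+14


def parse_utc(ts):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def hour_histogram(timestamps, offset_hours):
    """Counter of local hour-of-day after shifting UTC by offset_hours."""
    hist = Counter()
    for ts in timestamps:
        local = parse_utc(ts) + timedelta(hours=offset_hours)
        hist[local.hour] += 1
    return hist


def business_hours_fraction(timestamps, offset_hours):
    """Share of messages that land inside the business window at this offset."""
    hist = hour_histogram(timestamps, offset_hours)
    total = sum(hist.values())
    in_window = sum(c for h, c in hist.items() if WORK_START <= h < WORK_END)
    return in_window / total if total else 0.0


def offset_table(timestamps):
    """Fraction in business hours for every candidate offset, for inspection."""
    return {off: business_hours_fraction(timestamps, off) for off in CANDIDATE_OFFSETS}


def best_fit_offset(timestamps):
    """Return (offset, fraction) for the offset that best fits business hours.

    Ties resolve to the lowest offset; look at offset_table() rather than
    trusting a single winner, since neighbouring offsets often score close.
    """
    best = None
    for offset in CANDIDATE_OFFSETS:
        frac = business_hours_fraction(timestamps, offset)
        if best is None or frac > best[1]:
            best = (offset, frac)
    return best


if __name__ == "__main__":
    offset, frac = best_fit_offset(SAMPLE_TIMESTAMPS)
    print(f"best fit: UTC{offset:+d} ({frac:.0%} of messages in business hours)")
    for off, f in sorted(offset_table(SAMPLE_TIMESTAMPS).items()):
        print(f"UTC{off:+d}: {f:.2f}")
```

On the constructed data the fit is UTC+8 with every message inside the window, while UTC+7 and UTC+9 each lose two messages to the edges. A time-zone fit on its own is weak evidence, since UTC+8 covers several countries and operators can work odd hours or from abroad; the article's attribution rests on it together with the tooling, targeting and infrastructure observations in the other sections.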


SCOPE OF COMPROMISE


Within the targeted Mongolian government entity, ESET confirmed approximately twelve infected systems. However, analysis of C&C traffic across Slack and Discord channels indicates that significantly more victims remain unidentified. The scope and sophistication of the toolkit suggest an operation targeting multiple government agencies and possibly extending beyond Mongolia's borders. The volume of communication logs and the breadth of operational infrastructure indicate an ongoing, active campaign rather than a one-time espionage effort.


Sources


  • https://securityaffairs.com/191318/apt/gopherwhisper-new-china-linked-apt-targets-mongolia-with-go-based-malware.html

  • https://thehackernews.com/2026/04/china-linked-gopherwhisper-infects-12.html

  • https://www.cybersecurity-help.cz/blog/5373.html

© 2025 by Explain IT Again. Powered and secured by Wix