ESET Research discovers new China-aligned group, GopherWhisper

by CXO Staff
April 29, 2026
in Future, Middle East, News, Region, Tech

ESET researchers have discovered a previously undocumented China-aligned APT group that they named GopherWhisper. The group wields a wide array of tools, mostly written in Go, that use injectors and loaders to deploy and execute various backdoors in its arsenal. In the observed campaign, the threat actors targeted a governmental institution in Mongolia. GopherWhisper abuses legitimate services, notably Discord, Slack, Microsoft 365 Outlook, and file.io, for command and control (C&C) communication and exfiltration. 

ESET discovered the group in January 2025, when it found a previously undocumented backdoor, which ESET researchers named LaxGopher, in the system of a government institution in Mongolia. Digging deeper, they managed to uncover several more malicious tools, mainly various additional backdoors, all deployed by the same group. The majority of these tools were written in Go, and their collective aim was cyberespionage.

According to ESET telemetry, the victim impacted by GopherWhisper backdoors is a Mongolian governmental institution. By analysing the C&C traffic from the attacker-operated Discord and Slack servers, ESET estimates that dozens of other victims besides the Mongolian institution were also affected, though it has no information about their geolocation or verticals.

Of the seven tools that were discovered, four are backdoors — LaxGopher, RatGopher, and BoxOfFriends, written in Go, and SSLORDoor, written in C++. Furthermore, ESET found an injector (JabGopher), a Go-based exfiltration tool (CompactGopher), and a malicious DLL file (FriendDelivery).

Since the malware ESET found bore no code similarities to any known threat actor’s tools, and its Tactics, Techniques, and Procedures (TTPs) did not overlap with those of any other group, ESET decided to attribute the tools to a new group. Researchers named the group GopherWhisper because most of its tools are written in the Go programming language, which has a gopher as its mascot, and after the filename whisper.dll, which is side-loaded.

GopherWhisper is characterised by the extensive use of legitimate services such as Slack, Discord, and Outlook for C&C communication. “During our investigation, we managed to extract thousands of Slack and Discord messages, as well as several draft email messages from Microsoft Outlook. This gave us great insight into the inner workings of the group,” says ESET researcher Eric Howard, who discovered the new threat group.

“Timestamp inspection of the Slack and Discord messages showed us that the bulk of them were being sent during working hours, i.e. between 8 a.m. and 5 p.m., which aligns with China Standard Time. Furthermore, the locale for the configured user in Slack metadata was also set to this time zone. We therefore believe that GopherWhisper is a China-aligned group,” explains Howard.
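
The working-hours check Howard describes can be reproduced on any set of message timestamps. The Python below is an added example, not ESET's tooling; the function names, the whole-hour offset range and the sample timestamps are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 8, 17  # 8 a.m. to 5 p.m., the window quoted in the article


def _local_hours(timestamps_utc, offset_hours):
    """Local hour of day for each UTC timestamp at a fixed UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    return [ts.astimezone(tz).hour for ts in timestamps_utc]


def hour_histogram(timestamps_utc, offset_hours):
    """Message count per local hour, for eyeballing the activity curve."""
    return Counter(_local_hours(timestamps_utc, offset_hours))


def working_hours_share(timestamps_utc, offset_hours):
    """Fraction of messages that fall inside the working-hours window."""
    hours = _local_hours(timestamps_utc, offset_hours)
    if not hours:
        return 0.0
    return sum(WORK_START <= h < WORK_END for h in hours) / len(hours)


def rank_offsets(timestamps_utc, offsets=range(-12, 15)):
    """Whole-hour UTC offsets, best working-hours fit first."""
    scores = [(off, working_hours_share(timestamps_utc, off)) for off in offsets]
    return sorted(scores, key=lambda pair: pair[1], reverse=True)


# Constructed sample, not data from the investigation: one message per hour
# from 00:15 to 08:15 UTC, plus two off-hours outliers at 14:15 and 20:15 UTC.
SAMPLE_UTC = [
    datetime(2025, 1, 6, hour, 15, tzinfo=timezone.utc)
    for hour in (0, 1, 2, 3, 4, 5, 6, 7, 8, 14, 20)
]

if __name__ == "__main__":
    for offset, share in rank_offsets(SAMPLE_UTC)[:3]:
        print(f"UTC{offset:+d}: {share:.0%} of messages inside 08:00-17:00")
    print(sorted(hour_histogram(SAMPLE_UTC, 8).items()))
```

An offset narrows activity to a band of longitude rather than a country, which is why the quote pairs the timing with the locale configured in the Slack metadata.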

Based on this ESET investigation, the group’s Slack and Discord servers were first used to test the functionality of the backdoors, and then later, without clearing the logs, also used as C&C servers for the LaxGopher and RatGopher backdoors on multiple compromised machines. In addition to the Slack and Discord communications, ESET researchers were also able to extract email messages used for communication between the BoxOfFriends backdoor and its C&C using the Microsoft Graph API.

ESET Research’s Eric Howard presented these findings at the Botconf 2026 conference.
