Skip to main content
Mallory
Back to threat actors
🇨🇳 CN8 malware families

GopherWhisper

Also known asGopherWhisper

GopherWhisper is a previously undocumented China-aligned APT group identified by ESET. It has been active since at least November 2023 and was discovered in January 2025 after ESET found the LaxGopher backdoor on systems belonging to a Mongolian governmental institution. ESET telemetry indicated compromise of about 12 systems at that institution, and analysis of Slack and Discord command-and-control traffic suggested dozens of additional victims, although their sectors and locations were not identified. The group targets governmental institutions in Mongolia and is described as state-backed or consistent with cyber espionage activity. GopherWhisper uses a custom malware arsenal composed largely of Go-based tools, plus one C++ backdoor. Identified components include the backdoors LaxGopher, RatGopher, BoxOfFriends, and SSLORDoor; the injector JabGopher; the loader/injector FriendDelivery; and the exfiltration utility CompactGopher. JabGopher side-loads and injects LaxGopher into svchost.exe using process hollowing. LaxGopher uses Slack for command and control and supports command execution via cmd.exe, file upload, download of additional malware, and configuration changes. RatGopher is a Go-based backdoor that uses Discord for command and control and supports command execution and file transfer, including use of file.io. BoxOfFriends is a Go-based backdoor that uses Microsoft Graph API and Outlook draft email messages for bidirectional command and control. SSLORDoor is a C++ backdoor that communicates over raw TCP port 443 using OpenSSL BIO and supports host enumeration, hidden cmd.exe execution, file operations, drive enumeration, and proxy socket creation. CompactGopher compresses, encrypts, and exfiltrates files to file.io. FriendDelivery loads and injects BoxOfFriends and establishes persistence via a Windows service. A defining characteristic of GopherWhisper is its abuse of legitimate services for command and control and exfiltration, specifically Slack, Discord, Microsoft 365 Outlook via Microsoft Graph, and file.io. ESET recovered thousands of messages from attacker-controlled Slack and Discord infrastructure and also analyzed Outlook draft-message communications, exposing testing activity, development artifacts, and post-compromise operations. ESET assessed the group as China-aligned based on Slack metadata containing zh-CN locale information and operator activity patterns aligning with UTC+8 working hours. ESET stated it found no code similarities or TTP overlap linking GopherWhisper to previously known threat actors. Known aliases and sub-groups directly mentioned in the content are limited to the actor name GopherWhisper itself.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Government & Administration

Where they target

Geographies tied to known operations.

  • 🇲🇳 Mongolia

Where they're from

Attributed origin per open-source reporting.

  • CN
MITRE ATT&CK

Tradecraft

48 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

10 of 15 tactics64 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0042
Resource Development
3 techniques
T1583
Acquire Infrastructure
T1583.006×2
Web Services
T1587
Develop Capabilities
T1587.001×2
Malware
T1588
Obtain Capabilities
T1588.002×2
Tool
T1588.003×2
Code Signing Certificates
TA0002
Execution
3 techniques
T1059×2
Command and Scripting Interpreter
T1059.001×2
PowerShell
T1059.003×2
Windows Command Shell
T1106×2
Native API
T1129×2
Shared Modules
TA0003
Persistence
1 technique
T1543
Create or Modify System Process
T1543.003
Windows Service
TA0004
Privilege Escalation
3 techniques
T1055×3
Process Injection
T1055.002×2
Portable Executable Injection
T1055.012
Process Hollowing
T1134
Access Token Manipulation
T1134.002×2
Create Process with Token
T1543
Create or Modify System Process
T1543.003
Windows Service
TA0005
Stealth
6 techniques
T1036
Masquerading
T1036.004
Masquerade Task or Service
T1036.005×2
Match Legitimate Resource Name or Location
T1055×3
Process Injection
T1055.002×2
Portable Executable Injection
T1055.012
Process Hollowing
T1070
Indicator Removal
T1070.004×2
File Deletion
T1134
Access Token Manipulation
T1134.002×2
Create Process with Token
T1140×2
Deobfuscate/Decode Files or Information
T1480
Execution Guardrails
TA0006
Credential Access
1 technique
T1555
Credentials from Password Stores
T1555.003
Credentials from Web Browsers
TA0007
Discovery
4 techniques
T1007
System Service Discovery
T1082×3
System Information Discovery
T1083×3
File and Directory Discovery
T1518
Software Discovery
TA0009
Collection
4 techniques
T1005
Data from Local System
T1074
Data Staged
T1119
Automated Collection
T1560×3
Archive Collected Data
T1560.003×2
Archive via Custom Method
TA0011
Command and Control
7 techniques
T1001
Data Obfuscation
T1001.003×2
Protocol or Service Impersonation
T1071×9
Application Layer Protocol
T1071.001×5
Web Protocols
T1090×3
Proxy
T1102×4
Web Service
T1102.002
Bidirectional Communication
T1105×4
Ingress Tool Transfer
T1132
Data Encoding
T1132.001
Standard Encoding
T1132.002
Non-Standard Encoding
T1573
Encrypted Channel
T1573.001
Symmetric Cryptography
T1573.002×2
Asymmetric Cryptography
TA0010
Exfiltration
4 techniques
T1020×2
Automated Exfiltration
T1041
Exfiltration Over C2 Channel
T1048
Exfiltration Over Alternative Protocol
T1048.002×2
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1567×6
Exfiltration Over Web Service
T1567.002
Exfiltration to Cloud Storage
ARSENAL

Associated malware families

8 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
LaxGopherThe group’s toolset that we initially discovered includes the custom Go-based backdoors LaxGopher and RatGopher, the injector JabGopher, the exfiltration tool CompactGopher, and a C++ backdoor SSLORDoor.12May 26, 2026
RatGopherWe also unearthed two other backdoors: RatGopher and SSLORDoor. RatGopher leverages Discord for communication with the operators.12May 26, 2026
BoxOfFriendsWe named the newly discovered backdoor BoxOfFriends, from the name of the Go package in the backdoor that contains all the malicious code. Unlike the previously discovered backdoors, this new one makes use of the Microsoft 365 Outlook mail REST API from Microsoft Graph to create and modify draft email messages for its C&C communications.11May 26, 2026
CompactGopherCompactGopher is a custom Go-based file collection and exfiltration tool deployed by operators to conveniently compress files specified in command line arguments and automatically exfiltrate them to the file.io file sharing service, which allows the uploading of files without requiring any registration.10May 26, 2026
SSLORDoorWe also unearthed two other backdoors: RatGopher and SSLORDoor. RatGopher leverages Discord for communication with the operators. SSLORDoor, unlike the rest of the tools that we had discovered at that point, was not written in Go but in C++.10May 26, 2026

3 additional families tracked in Mallory.

IOCS

Observables

10 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

10 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

13 SOURCESView more in app
security affairsNews
Apr 26, 2026
GopherWhisper: new China-linked APT targets Mongolia with Go-based malware

Cyber-espionage activity targeting Mongolian government entities using a toolkit of mainly Go-based loaders, injectors, and backdoors, while abusing legitimate cloud and communication platforms for command-and-control and data exfiltration.

Read more
scworldNews
Apr 24, 2026
GopherWhisper: China-linked hackers target governments with custom Go toolkit | brief | SC Media

Espionage-focused activity targeting government entities using a custom Go-based toolkit and legitimate cloud and messaging services for command-and-control and data exfiltration.

Read more
dark readingNews
Apr 23, 2026
Chinese APT Abuses Multiple Cloud Tools to Spy on Mongolia

Chinese espionage-focused threat actor targeting Mongolian government entities, using multiple custom backdoors and diverse cloud-based command-and-control channels.

Read more
the hacker newsNews
Apr 23, 2026
China-Linked GopherWhisper Infects 12 Mongolian Government Systems with Go Backdoors

Espionage-focused intrusion activity targeting Mongolian governmental institutions using a Go-heavy malware arsenal, abusing Discord, Slack, Microsoft 365 Outlook, and file.io for command-and-control and exfiltration.

Read more
+9 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping48

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal8

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables10

Domains, IPs, and hashes tied to this actor, refreshed continuously.