LaxGopher
LaxGopher is a custom Go-based backdoor used by the China-aligned threat group GopherWhisper. ESET first detected it in January 2025 on systems belonging to a governmental entity in Mongolia, where it was deployed on roughly a dozen systems; broader analysis of the group's Slack and Discord C2 suggested that additional victims may exist.

LaxGopher uses a private Slack workspace and channel for command and control, retrieving instructions from the channel and posting results back to it. It can execute commands interactively via cmd.exe, upload files, download additional payloads or tools, and change its configured Slack token and channel ID. ESET reported that one payload delivered through LaxGopher was CompactGopher, a Go-based exfiltration utility that compresses, encrypts, and uploads files to file.io. Recovered Slack communications associated with LaxGopher mainly contained disk and file enumeration commands.

LaxGopher's hardcoded Slack configuration is decrypted with AES-CFB-128 using the key "ha,just_kidding!" (16 bytes, so AES-128). In observed operations, JabGopher acted as its injector: a component side-loaded as whisper.dll by a legitimate whisper.exe, which checked for C:\ProgramData\Microsoft\EdgeUpdate\Log\backup.log, decrypted an embedded LaxGopher payload from PE resources, and injected it into a newly created svchost.exe process using process hollowing. The initial access vector for the infections is not documented in the available reporting.
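The configuration decryption described above can be reproduced with Go's standard library, which is presumably what the malware itself links against: cipher.NewCFBDecrypter is full-block (128-bit segment) CFB, matching ESET's "AES-CFB-128". The program below is an added example written for this page, not ESET's tooling or the malware's code. It assumes the 16-byte IV is prepended to the ciphertext and that the plaintext is JSON with token and channel_id fields; neither detail is stated in the reporting, and the encrypted sample blob is constructed here so the decryptor can be exercised offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Key reported by ESET for LaxGopher's hardcoded Slack configuration.
// 16 bytes, so AES-128; Go's CFB implementation uses 128-bit segments,
// which is the "AES-CFB-128" ESET describes.
const laxGopherKey = "ha,just_kidding!"

// SlackConfig is an assumed layout for the decrypted configuration. The
// reporting only says a Slack token and channel ID are stored; the field
// names here are ours.
type SlackConfig struct {
	Token     string `json:"token"`
	ChannelID string `json:"channel_id"`
}

// DecryptCFB128 decrypts blob with AES-128-CFB. Assumption: the 16-byte IV
// is prepended to the ciphertext (the write-up does not say where the IV lives).
func DecryptCFB128(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aes.BlockSize {
		return nil, errors.New("blob shorter than one AES block: no IV")
	}
	iv, ct := blob[:aes.BlockSize], blob[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCFBDecrypter(block, iv).XORKeyStream(pt, ct)
	return pt, nil
}

// EncryptCFB128 is the inverse; it exists only to build the constructed sample.
func EncryptCFB128(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	iv := out[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	cipher.NewCFBEncrypter(block, iv).XORKeyStream(out[aes.BlockSize:], plaintext)
	return out, nil
}

// ParseSlackConfig decrypts and parses a config blob. CFB carries no integrity
// check, so a wrong key or IV yields garbage rather than an error; the JSON
// parse and the non-empty-field check are what catch that.
func ParseSlackConfig(blob []byte) (*SlackConfig, error) {
	pt, err := DecryptCFB128([]byte(laxGopherKey), blob)
	if err != nil {
		return nil, err
	}
	var cfg SlackConfig
	if err := json.Unmarshal(bytes.TrimRight(pt, "\x00"), &cfg); err != nil {
		return nil, fmt.Errorf("decrypted data is not a JSON config: %w", err)
	}
	if cfg.Token == "" || cfg.ChannelID == "" {
		return nil, errors.New("config missing token or channel_id")
	}
	return &cfg, nil
}

// SampleBlob builds a constructed, encrypted config (not a real sample).
func SampleBlob() []byte {
	pt, _ := json.Marshal(SlackConfig{Token: "xoxb-constructed-example", ChannelID: "C0CONSTRUCTED"})
	blob, err := EncryptCFB128([]byte(laxGopherKey), pt)
	if err != nil {
		panic(err)
	}
	return blob
}

func main() {
	cfg, err := ParseSlackConfig(SampleBlob())
	if err != nil {
		panic(err)
	}
	fmt.Printf("token=%s channel=%s\n", cfg.Token, cfg.ChannelID)
}
```

When pointing this at a real sample, the IV placement is the first thing to verify in the disassembly; if the malware uses a fixed or zero IV instead, replace the slice in DecryptCFB128 accordingly. Because CFB is unauthenticated, a plausible-looking token string is the only signal that the key and IV were right.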
Groups observed using it
1 distinct threat actor attributed by public researchers.
The group’s toolset that we initially discovered includes the custom Go-based backdoors LaxGopher and RatGopher, the injector JabGopher, the exfiltration tool CompactGopher, and a C++ backdoor SSLORDoor.
Techniques & procedures
21 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
GopherWhisper uses Slack, Discord, and Microsoft Graph services for its C&C infrastructure.
Execution
3 techniques
LaxGopher communicates via Slack, runs commands, and downloads payloads
The PowerShell command get-mppreference | select exclusionpath | ft -autosize, run with administrative privileges, checks for Windows Defender exclusion paths...
LaxGopher has the following capabilities: interactively execute commands via cmd.exe... RatGopher has the following capabilities: execute a new instance of cmd.exe... SSLORDoor has the following capabilities: spawn a hidden cmd.exe.
Privilege Escalation
2 techniques
Stealth
3 techniques
JabGopher, LaxGopher, CompactGopher, RatGopher, and SSLORDoor all have encryption/decryption capabilities.
Discovery
4 techniques
LaxGopher, RatGopher, and SSLORDoor can enumerate all services running on a compromised host.
LaxGopher, RatGopher, and SSLORDoor can collect the hostname, OS version, and OS architecture of a compromised host.
LaxGopher, RatGopher, and SSLORDoor can obtain file and directory listings.
LaxGopher, RatGopher, and SSLORDoor can identify running software on victim machines.
Collection
1 technique
LaxGopher, RatGopher, SSLORDoor, and CompactGopher can collect local data from a compromised machine.
Command and Control
7 techniques
Attackers continue to lean on everyday collaboration platforms to hide command and control traffic inside normal enterprise noise... running its operations through Slack workspaces, Discord servers, Outlook drafts, and the file.io sharing service.
LaxGopher, RatGopher, and BoxOfFriends use HTTPS for C&C communication.
GopherWhisper leverages Discord, Slack, Microsoft 365 Outlook, and file.io for C&C communications and exfiltration.
LaxGopher, RatGopher, and BoxOfFriends use Slack, Discord, and Microsoft Graph, respectively, for C&C infrastructure.
LaxGopher, RatGopher, and SSLORDoor can all download additional files/payloads.
LaxGopher and RatGopher use base64 to encode messages sent to their C&Cs.
LaxGopher and RatGopher use AES algorithms for encryption. BoxOfFriends uses XOR encryption.
Exfiltration
2 techniques
LaxGopher, RatGopher, SSLORDoor, and BoxOfFriends exfiltrate data to their C&Cs.
LaxGopher leverages Slack to exfiltrate data. RatGopher leverages Discord and file.io to exfiltrate data. CompactGopher uses the file.io web service to exfiltrate data.
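The injection chain and the Slack-based C2 documented above translate into a handful of host-telemetry hunts. The Go program below is an added example written for this page, not a rule published by ESET or Mallory. It runs four checks over constructed Sysmon-style JSON events (the records are made up for this example, including the whisper.exe path): whisper.exe loading whisper.dll (the side-load ESET describes), creation of the backup.log marker JabGopher checks for, svchost.exe spawned by something other than services.exe (the hollowing target being created by a user process), and a DNS query for slack.com issued by svchost.exe (the hollowed process talking to the C2). The first two come straight from the reporting; the last two are our own hunting heuristics and will need tuning against your baseline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// Event is the subset of Sysmon fields the hunt needs. Field names follow
// Sysmon's; the records in SampleEvents are constructed, not real telemetry.
type Event struct {
	EventID        int    `json:"EventID"`
	Image          string `json:"Image"`
	ParentImage    string `json:"ParentImage"`
	ImageLoaded    string `json:"ImageLoaded"`
	TargetFilename string `json:"TargetFilename"`
	QueryName      string `json:"QueryName"`
}

// Marker file JabGopher checks for before unpacking LaxGopher (from ESET).
const markerPath = `c:\programdata\microsoft\edgeupdate\log\backup.log`

// base returns the lower-cased file name of a Windows path, on any host OS.
func base(p string) string {
	return strings.ToLower(filepath.Base(strings.ReplaceAll(p, `\`, `/`)))
}

// Finding is one matched heuristic plus the event that triggered it.
type Finding struct {
	Rule  string
	Event Event
}

// Hunt applies the four heuristics to a slice of JSON event lines and returns
// every match in event order. Rules "svchost-abnormal-parent" and
// "svchost-slack-dns" are our assumptions about what the chain looks like on
// the wire, not behaviour explicitly reported by ESET.
func Hunt(lines []string) ([]Finding, error) {
	var out []Finding
	for n, line := range lines {
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		switch ev.EventID {
		case 7: // image load: whisper.exe side-loading whisper.dll
			if base(ev.Image) == "whisper.exe" && base(ev.ImageLoaded) == "whisper.dll" {
				out = append(out, Finding{"sideload:whisper.dll", ev})
			}
		case 1: // process create: svchost.exe not started by services.exe
			if base(ev.Image) == "svchost.exe" && base(ev.ParentImage) != "services.exe" {
				out = append(out, Finding{"svchost-abnormal-parent", ev})
			}
		case 11: // file create: the JabGopher marker appears on disk
			if strings.ToLower(ev.TargetFilename) == markerPath {
				out = append(out, Finding{"jabgopher-marker-file", ev})
			}
		case 22: // dns query: svchost.exe resolving slack.com
			q := strings.ToLower(ev.QueryName)
			if base(ev.Image) == "svchost.exe" && (q == "slack.com" || strings.HasSuffix(q, ".slack.com")) {
				out = append(out, Finding{"svchost-slack-dns", ev})
			}
		}
	}
	return out, nil
}

// SampleEvents are constructed records: a benign line for each rule, plus the
// four that should fire.
var SampleEvents = []string{
	`{"EventID":7,"Image":"C:\\Windows\\System32\\notepad.exe","ImageLoaded":"C:\\Windows\\System32\\kernel32.dll"}`,
	`{"EventID":7,"Image":"C:\\Users\\Public\\whisper.exe","ImageLoaded":"C:\\Users\\Public\\whisper.dll"}`,
	`{"EventID":11,"Image":"C:\\Users\\Public\\whisper.exe","TargetFilename":"C:\\ProgramData\\Microsoft\\EdgeUpdate\\Log\\backup.log"}`,
	`{"EventID":1,"Image":"C:\\Windows\\System32\\svchost.exe","ParentImage":"C:\\Windows\\System32\\services.exe"}`,
	`{"EventID":1,"Image":"C:\\Windows\\System32\\svchost.exe","ParentImage":"C:\\Users\\Public\\whisper.exe"}`,
	`{"EventID":22,"Image":"C:\\Program Files\\Slack\\slack.exe","QueryName":"slack.com"}`,
	`{"EventID":22,"Image":"C:\\Windows\\System32\\svchost.exe","QueryName":"slack.com"}`,
}

func main() {
	findings, err := Hunt(SampleEvents)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-24s image=%s\n", f.Rule, f.Event.Image)
	}
}
```

The svchost.exe parent check is the noisiest of the four on hosts where security agents or MsMpEng.exe legitimately launch svchost.exe, so allow-list those parents before alerting on it; the other three are specific enough to page on.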
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
12 sources tracked across advisories, community write-ups, and news.
A Go-based backdoor used by GopherWhisper that is injected into svchost.exe, communicates via Slack, executes commands, and downloads additional payloads such as CompactGopher.
A Go-based backdoor used by the GopherWhisper threat actor for malicious operations and command-and-control via legitimate services.
A backdoor used by GopherWhisper that leverages Slack for command-and-control communications.
A Go-based backdoor that uses Slack for command-and-control to execute commands via cmd.exe, return results to a Slack channel, and download additional malware.