China-Linked APT GopherWhisper Uses Slack, Discord, and Cloud Services in Government Espionage

April 25, 2026 12:00 · 5 min read
A New Chinese Threat Actor Emerges

Security researchers at ESET have sounded the alarm over a previously undocumented advanced persistent threat (APT) group that leverages legitimate online services — including Slack, Discord, and Microsoft's cloud infrastructure — for command-and-control (C&C) communication and data exfiltration. Tracked as GopherWhisper, the group has been active since at least November 2023 and has been attributed to China based on timestamp analysis of chat messages and emails uncovered during the investigation.

The group first came to light in January 2025, when researchers investigating a Go-based backdoor discovered on the systems of a governmental organization in Mongolia traced the intrusion back to a broader, previously unknown toolset. That investigation ultimately led to the identification of multiple backdoors, custom loaders, and injectors all associated with GopherWhisper.

LaxGopher: The Core Backdoor

The primary backdoor deployed by GopherWhisper is a Go-based implant dubbed LaxGopher. What sets it apart from many traditional backdoors is its reliance on Slack for C&C communication — a technique designed to blend malicious traffic with legitimate enterprise network activity, making detection considerably harder.

LaxGopher is capable of:

According to ESET, GopherWhisper primarily used LaxGopher to enumerate drives and files on compromised systems. To deploy the backdoor stealthily, the group relies on an injector called JabGopher, which executes LaxGopher directly in the memory of a newly spawned instance of svchost.exe — a common Windows system process — helping it evade detection.

CompactGopher: Exfiltrating Data via file.io

One of the tools that LaxGopher can deploy is CompactGopher, a file collector written in Go. CompactGopher compresses the files specified on its command line and then uploads the archive to the file.io file-sharing service through that service's public REST API. By routing stolen data through a legitimate file-sharing platform, the group makes exfiltration traffic appear benign to network monitoring tools.

RatGopher: Discord as a Command Channel

GopherWhisper's arsenal also includes RatGopher, another Go-based backdoor that, unlike LaxGopher, uses Discord for its C&C communications. RatGopher can open new command prompt instances and upload or download files via file.io. The use of two separate mainstream communication platforms — Slack and Discord — for different backdoors suggests a deliberate strategy to diversify infrastructure and reduce the risk of complete disruption if one channel is blocked.

SSLORDoor: A C++ Backdoor Using OpenSSL

The group also deploys SSLORDoor, a C++ backdoor that takes a more traditional approach to communication by using OpenSSL BIO for raw TCP socket connections. Its capabilities include:

SSLORDoor's design suggests GopherWhisper maintains flexibility in its toolset, combining cloud-based evasion techniques with more conventional network communication methods depending on the environment.

BoxOfFriends and FriendDelivery: Abusing Microsoft Graph

ESET's investigation uncovered two additional tools deployed against the same Mongolian government organization. The first, BoxOfFriends, is a Go-based backdoor that communicates via draft Outlook messages using the Microsoft Graph API — a technique that allows the malware to send and receive instructions without ever actually sending an email, instead reading and writing drafts in a compromised or attacker-controlled mailbox.

BoxOfFriends is capable of exfiltrating files, manipulating ports, and executing commands through a shell opened on the host machine. It is loaded by a DLL injector called FriendDelivery, which handles the process of getting the backdoor into memory.

Scope of the Campaign

Within the targeted Mongolian governmental institution alone, GopherWhisper is believed to have infected approximately 12 systems. ESET notes, however, that dozens of additional victims were likely targeted as part of the broader campaign, suggesting the group's reach extends well beyond the single organization initially investigated.

Attribution and Classification

Despite an extensive analysis, ESET found no meaningful overlap between GopherWhisper's code, tactics, techniques, and procedures (TTPs), or targeting patterns and those of any previously known APT group. As a result, the researchers classified it as an entirely new threat actor.

"Due to the lack of similarities in code, TTPs, and targeting to any existing APT group, we have created GopherWhisper as a new group and attribute the described toolset to it," ESET noted in its report.

The group's consistent use of legitimate services for C&C and exfiltration — Slack, Discord, Microsoft Graph, and file.io — reflects a growing trend among sophisticated threat actors seeking to obscure malicious activity within normal enterprise traffic. Organizations relying solely on traditional network-based detection are likely to miss indicators of compromise tied to this type of infrastructure abuse.

Key Takeaways for Defenders

Security teams should be aware of the following indicators and defensive considerations in light of GopherWhisper's methods:

  1. Monitor for unusual or unauthorized use of the Microsoft Graph API, particularly interactions with Outlook draft folders.
  2. Inspect Slack and Discord traffic for anomalous patterns, especially from non-standard processes.
  3. Watch for unexpected outbound connections to file.io, particularly involving compressed archives.
  4. Scrutinize memory-resident processes injected into svchost.exe for signs of malicious code.
  5. Apply behavioral detection rules targeting Go-based binaries exhibiting command-and-control behavior over legitimate cloud APIs.
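As an added example (not from ESET's report or the article), the following Python detector applies takeaways 1 to 3 and 5 to a constructed proxy log: it flags processes outside an assumed allow-list reaching Slack, Discord, Microsoft Graph or file.io, mailbox drafts/messages access via Graph from unexpected clients, and large file.io uploads. The log format, the allow-list of client processes, and the upload-size threshold are assumptions to be tuned per environment.

```python
import re
# Constructed proxy-log sample: "<timestamp> <process> <method> <host> <path> <bytes_out>".
SAMPLE_LOG = """\
2026-04-25T09:59:02Z svchost.exe POST slack.com /api/chat.postMessage 2048
2026-04-25T10:01:40Z svchost.exe POST file.io / 4194304
2026-04-25T10:02:05Z outlook.exe GET graph.microsoft.com /v1.0/me/mailFolders/drafts/messages 900
2026-04-25T10:03:17Z rundll32.exe PATCH graph.microsoft.com /v1.0/me/messages/ID-PLACEHOLDER 700
2026-04-25T10:04:31Z cmd.exe POST discord.com /api/v9/channels/0/messages 1100
"""

# Assumption: processes sanctioned to reach each service; tune per environment.
EXPECTED_CLIENTS = {
    "slack": {"slack.exe", "chrome.exe", "msedge.exe"},
    "discord": {"discord.exe", "chrome.exe", "msedge.exe"},
    "graph": {"outlook.exe", "teams.exe", "msedge.exe"},
    "file.io": set(),  # assumption: no sanctioned use of file.io
}
SERVICE_HOSTS = {"slack": "slack.com", "discord": "discord.com",
                 "graph": "graph.microsoft.com", "file.io": "file.io"}
MAILBOX_PATH = re.compile(r"/mailFolders/drafts|/messages", re.IGNORECASE)
UPLOAD_BYTES = 1_000_000  # assumption: file.io uploads of ~1 MB or more are flagged
LINE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\S+) (\d+)$")

def service_for(host):
    # Map a destination host, or any subdomain of it, to a tracked service.
    host = host.lower()
    for name, base in SERVICE_HOSTS.items():
        if host == base or host.endswith("." + base):
            return name
    return None

def flag_line(line):
    # Return the reasons a log line is suspicious; an empty list means clean.
    if not (m := LINE.match(line)):
        return ["unparseable line"]
    _, proc, method, host, path, nbytes = m.groups()
    svc = service_for(host)
    if svc is None:
        return []
    unexpected = proc.lower() not in EXPECTED_CLIENTS[svc]
    reasons = [f"{proc} is not an expected client of {svc}"] if unexpected else []
    if unexpected and svc == "graph" and MAILBOX_PATH.search(path):
        reasons.append("mailbox drafts/messages access via Graph")
    if svc == "file.io" and method == "POST" and int(nbytes) >= UPLOAD_BYTES:
        reasons.append(f"{nbytes}-byte upload to file.io")
    return reasons

def scan(log):
    # Return {line: reasons} for every flagged line in a multi-line log.
    return {ln: r for ln in log.splitlines() if (r := flag_line(ln))}
```

Running `scan(SAMPLE_LOG)` flags the svchost.exe, rundll32.exe and cmd.exe lines and leaves the outlook.exe drafts access alone, since that client is on the allow-list.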

GopherWhisper's emergence underscores the continued ingenuity of China-linked threat actors in developing novel toolsets and adapting their operational infrastructure to evade detection, making attribution and defense increasingly challenging for government and enterprise targets alike.


Source: SecurityWeek