
China-Linked GopherWhisper Targets Mongolian Government Systems with Go Backdoors


"The group wields a wide array of tools mostly written in Go, using injectors and loaders to deploy and execute various backdoors in its arsenal," ESET said in a report shared with The Hacker News.

ESET's discovery and the victim set

Slovak cybersecurity firm ESET first identified the activity in January 2025 after finding a previously unseen backdoor on a Mongolian government system. ESET telemetry shows roughly 12 systems belonging to that Mongolian governmental institution infected with the backdoors, and command-and-control (C&C) traffic routed through attacker-controlled Discord and Slack servers pointed to "dozens of other victims," the company reported.

Who is being tracked: GopherWhisper and why ESET calls it China-aligned

ESET attributed the activity to a previously undocumented advanced persistent threat group it calls GopherWhisper. The company said timestamps on the Slack and Discord messages showed the bulk of them were sent during working hours (between 8 a.m. and 5 p.m.), which "aligns with China Standard Time." ESET researcher Eric Howard also noted that the locale of the configured user in the Slack metadata was set to that same time zone. Taken together, these indicators led ESET to assess that it believes "GopherWhisper is a China-aligned group." Working-hour and locale patterns are circumstantial, so the attribution is presented as an assessment rather than a confirmed link.

Toolset: a family of Go-based implants, injectors and a C++ backdoor

  • JabGopher — an injector that executes the LaxGopher backdoor (deployed as "whisper.dll").
  • LaxGopher — a Go-based backdoor that uses Slack for C2, executes commands via "cmd.exe", returns results to Slack channels, and can download additional malware.
  • CompactGopher — a Go-based file collection utility dropped by LaxGopher that filters files by extension (.doc, .docx, .jpg, .xls, .xlsx, .txt, .pdf, .ppt, .pptx), compresses matches into ZIP archives, encrypts archives using AES-CFB-128, and exfiltrates them to file[.]io.
  • RatGopher — a Go-based backdoor that uses a private Discord server for C2, executes commands and publishes results back to a configured Discord channel, and uploads/downloads files via file[.]io.
  • SSLORDoor — a C++ backdoor that uses OpenSSL BIO over raw sockets on port 443 to enumerate drives, perform file operations, and run commands via "cmd.exe" based on C2 input.
  • FriendDelivery and BoxOfFriends — FriendDelivery is a malicious DLL loader/injector for BoxOfFriends; BoxOfFriends is a Go-based backdoor that abuses the Microsoft Graph API to craft draft emails for C2 using hard-coded credentials. ESET noted the earliest Outlook account created for this purpose was "barrantaya.1010@outlook[.]com" on July 11, 2024.
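The CompactGopher entry above describes an exfiltration format an incident responder is likely to meet on disk or in a network capture: a ZIP archive encrypted with AES in CFB mode under a 128-bit key. The following Go program is an added example written for this page, not code from ESET or from the malware; it shows the recovery step an analyst would run once the key has been pulled from a sample. The key, IV, file names and the assumption that the IV is available separately (the report does not say how the sample stores it) are all hypothetical. CFB is a stream mode, so there is no padding to strip, and checking for the ZIP local-file-header signature `PK\x03\x04` at offset 0 is a cheap way to tell a correct key from a wrong one before handing the bytes to a ZIP parser.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// zipMagic is the local-file-header signature at offset 0 of any non-empty ZIP.
var zipMagic = []byte{'P', 'K', 0x03, 0x04}

// cfb128 validates key and IV lengths for AES-128 in CFB mode and builds the block cipher.
func cfb128(key, iv []byte) (cipher.Block, error) {
	if len(key) != 16 {
		return nil, errors.New("AES-128 requires a 16-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != block.BlockSize() {
		return nil, errors.New("IV must be exactly one AES block (16 bytes)")
	}
	return block, nil
}

// DecryptCFB128 reverses AES-CFB-128. Assumption: the IV is known separately;
// adjust if analysis shows the sample prefixes it to the archive.
func DecryptCFB128(key, iv, ciphertext []byte) ([]byte, error) {
	block, err := cfb128(key, iv)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(ciphertext)) // CFB: same length, no padding
	cipher.NewCFBDecrypter(block, iv).XORKeyStream(plain, ciphertext)
	return plain, nil
}

// EncryptCFB128 is the mirror operation, used here only to build constructed test data.
func EncryptCFB128(key, iv, plaintext []byte) ([]byte, error) {
	block, err := cfb128(key, iv)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCFBEncrypter(block, iv).XORKeyStream(out, plaintext)
	return out, nil
}

// ListZipEntries checks the ZIP signature (a wrong key or IV yields random bytes,
// so this fails fast) and then returns the archive's entry names.
func ListZipEntries(data []byte) ([]string, error) {
	if !bytes.HasPrefix(data, zipMagic) {
		return nil, errors.New("no ZIP local file header at offset 0: wrong key or IV?")
	}
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	names := make([]string, 0, len(r.File))
	for _, f := range r.File {
		names = append(names, f.Name)
	}
	return names, nil
}

// RecoverArchive is the analyst workflow: decrypt, verify it is a ZIP, list what was collected.
func RecoverArchive(key, iv, blob []byte) ([]string, error) {
	plain, err := DecryptCFB128(key, iv, blob)
	if err != nil {
		return nil, err
	}
	return ListZipEntries(plain)
}

// BuildSampleArchive creates a constructed in-memory ZIP standing in for a
// collector archive; the file names are hypothetical.
func BuildSampleArchive() ([]byte, error) {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	files := []struct{ name, body string }{
		{"budget.xlsx", "constructed spreadsheet bytes"},
		{"memo.docx", "constructed document bytes"},
	}
	for _, f := range files {
		fw, err := w.Create(f.name)
		if err != nil {
			return nil, err
		}
		if _, err := fw.Write([]byte(f.body)); err != nil {
			return nil, err
		}
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed key, not a real indicator
	iv := []byte("fedcba9876543210")  // constructed IV
	archive, _ := BuildSampleArchive()
	blob, _ := EncryptCFB128(key, iv, archive)
	fmt.Println(RecoverArchive(key, iv, blob))
	fmt.Println(RecoverArchive([]byte("WRONGKEYWRONGKEY"), iv, blob))
}
```

Because CFB has no integrity protection, a decrypted archive that passes the signature check can still be truncated or bit-flipped; `archive/zip` reads the central directory from the end of the file, so a clean entry listing is the stronger confirmation that the whole blob was recovered.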

Command-and-control techniques: abusing legitimate services

GopherWhisper routes command-and-control and exfiltration through legitimate collaboration and file-sharing services. ESET's report says the group abuses Discord, Slack, Microsoft 365 Outlook (via Graph API draft emails), and file[.]io for C2 communication and exfiltration, so its traffic is TLS to well-known SaaS endpoints rather than to attacker-owned infrastructure, and it blends with sanctioned use of the same services. The backdoors are built largely in Go to receive instructions from C2, execute them, and send results back; SSLORDoor, the C++ component, instead speaks encrypted traffic over port 443 directly to its C2 from raw sockets.

What this means for technologists, policymakers, and Mongolian officials

  • Technologists and security teams: Expect to see multi-stage chains that use injectors/loaders (JabGopher, FriendDelivery) to place Go-based implants, plus a C++ component that speaks raw sockets over port 443. The use of legitimate collaboration platforms (Slack, Discord, Outlook drafts) and file-sharing services (file[.]io) for C2 and exfiltration complicates detection and incident response.
  • Policymakers and regulators: The group’s use of third-party cloud and collaboration services for C2 — and the creation of Outlook accounts apparently dedicated to C2 — underscores a need to consider controls and visibility around service abuse and account creation for official environments.
  • Mongolian officials: ESET's telemetry ties about 12 infected systems to a Mongolian governmental institution and shows C2 traffic suggesting additional victims; investigators and system owners will need to assume the presence of multiple implants (LaxGopher, RatGopher, CompactGopher, SSLORDoor) and prioritize detection of injected DLLs, unusual draft-email activity, and encrypted uploads to file[.]io.
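The C2 section and the technologist bullet above both note that traffic to Slack, Discord, Graph and file[.]io is hard to distinguish from legitimate use. What separates them in practice is the originating process and the API surface touched: an approved client talking to its own service is expected, an injected system process doing so is not, and nothing in a government fleet should be uploading to file[.]io. The Go program below is an added example for this page, not ESET's code or detection content; it applies those rules to a handful of constructed proxy/EDR-style log lines. The hostnames, the process allowlist, the log format and the sample events (including the choice of svchost.exe and explorer.exe as the injected hosts) are assumptions; ESET names the services, not the FQDNs or host processes.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Event is one outbound HTTP(S) connection as an EDR or proxy might log it.
type Event struct {
	Time, Host, Proc, Method, Dst, Path string
	Bytes                               int
}

// Alert pairs an event with the rule that fired.
type Alert struct {
	Event  Event
	Reason string
}

// abusedServices maps destination hosts to a service label. The FQDNs are
// assumptions; the report names the services, not the endpoints.
var abusedServices = map[string]string{
	"slack.com": "slack", "api.slack.com": "slack",
	"discord.com": "discord", "discordapp.com": "discord",
	"graph.microsoft.com": "graph",
	"file.io": "file.io",
}

// sanctionedProcs is a hypothetical allowlist of processes expected to reach each
// service; file.io has none because no approved workflow uploads there.
var sanctionedProcs = map[string]map[string]bool{
	"slack":   {"slack.exe": true},
	"discord": {"discord.exe": true},
	"graph":   {"outlook.exe": true, "teams.exe": true},
	"file.io": {},
}

// ParseEvent reads one constructed "ts key=value ..." log line.
func ParseEvent(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Event{}, errors.New("too few fields")
	}
	ev := Event{Time: fields[0]}
	for _, kv := range fields[1:] {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return Event{}, fmt.Errorf("bad token %q", kv)
		}
		switch k {
		case "host":
			ev.Host = v
		case "proc":
			ev.Proc = strings.ToLower(v) // normalise so the allowlist lookup is case-insensitive
		case "method":
			ev.Method = v
		case "dst":
			ev.Dst = strings.ToLower(v)
		case "path":
			ev.Path = v
		case "bytes":
			n, err := strconv.Atoi(v)
			if err != nil {
				return Event{}, err
			}
			ev.Bytes = n
		}
	}
	return ev, nil
}

// Triage applies the three rules to each line; malformed lines are skipped here
// (a production version should count them so parser failures are not silent).
func Triage(lines []string) []Alert {
	var alerts []Alert
	for _, line := range lines {
		ev, err := ParseEvent(line)
		if err != nil {
			continue
		}
		svc, abused := abusedServices[ev.Dst]
		if !abused {
			continue
		}
		switch {
		case svc == "file.io" && ev.Method == "POST":
			alerts = append(alerts, Alert{ev, "upload to file.io (possible exfiltration)"})
		case svc == "graph" && strings.Contains(ev.Path, "/me/messages") && !sanctionedProcs[svc][ev.Proc]:
			alerts = append(alerts, Alert{ev, "Graph mail API from non-mail client (draft-message C2?)"})
		case !sanctionedProcs[svc][ev.Proc]:
			alerts = append(alerts, Alert{ev, fmt.Sprintf("%s reached %s from unsanctioned process", ev.Proc, svc)})
		}
	}
	return alerts
}

// SampleLog is constructed data modelled on the behaviours in the report; every value is hypothetical.
var SampleLog = []string{
	"2025-01-14T09:02:11Z host=WS-07 proc=slack.exe method=POST dst=slack.com path=/api/chat.postMessage bytes=412",
	"2025-01-14T09:02:40Z host=WS-07 proc=svchost.exe method=GET dst=slack.com path=/api/conversations.history bytes=1980",
	"2025-01-14T09:03:05Z host=WS-12 proc=rundll32.exe method=POST dst=discord.com path=/api/v10/channels/1/messages bytes=733",
	"2025-01-14T09:04:18Z host=WS-03 proc=outlook.exe method=GET dst=graph.microsoft.com path=/v1.0/me/messages bytes=5120",
	"2025-01-14T09:04:51Z host=WS-12 proc=explorer.exe method=POST dst=graph.microsoft.com path=/v1.0/me/messages bytes=301",
	"2025-01-14T09:06:02Z host=WS-07 proc=svchost.exe method=POST dst=file.io path=/ bytes=1048576",
	"2025-01-14T09:07:30Z host=WS-07 proc=chrome.exe method=GET dst=example.com path=/ bytes=8800",
}

func main() {
	for _, a := range Triage(SampleLog) {
		fmt.Printf("%s %s %s -> %s: %s\n", a.Event.Time, a.Event.Host, a.Event.Proc, a.Event.Dst, a.Reason)
	}
}
```

The process-to-service pairing is the part worth keeping: it catches an injected DLL regardless of which Slack or Discord endpoint it calls, and it stays quiet for the approved clients. The two service-specific rules cover what the allowlist cannot, a mail client legitimately using the Graph messages API versus something else creating drafts, and any upload at all to a throwaway file-sharing host.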

Exactly how GopherWhisper obtains initial access to target networks "is currently not known," ESET said. The company's findings map a distinct, Go-heavy toolchain that turns everyday collaboration tools into covert channels; the uncovered timeline, including the July 11, 2024 Outlook account creation and the January 2025 discovery of LaxGopher, leaves clear forensic breadcrumbs even as the entry vector remains a critical unanswered question.

Original The Hacker News story