China-Linked GopherWhisper APT Targets Mongolian Government: Abuse of Slack, Discord, and Microsoft 365 in Advanced Espionage Campaign

Executive Summary

Recent intelligence from ESET Research has revealed a sophisticated cyber-espionage campaign orchestrated by the China-linked Advanced Persistent Threat (APT) group GopherWhisper. This group has been actively targeting Mongolian government entities since at least January 2025, employing a suite of custom malware primarily developed in Go. What distinguishes GopherWhisper is its strategic abuse of legitimate cloud-based services, including Slack, Discord, Microsoft 365 Outlook, and file.io, for command and control (C2) and data exfiltration. By leveraging these trusted platforms, the attackers effectively blend malicious activity with normal business operations, significantly complicating detection and response efforts. The campaign demonstrates advanced operational security, including time zone alignment with China Standard Time and the use of process injection and DLL side-loading techniques. This report provides a comprehensive technical analysis of the tactics, techniques, and procedures (TTPs) employed by GopherWhisper, outlines observed exploitation in the wild, details victimology, and offers actionable mitigation strategies for organizations seeking to defend against similar threats.

Threat Actor Profile

GopherWhisper is a newly identified APT group attributed to Chinese state-aligned interests, as assessed by ESET and corroborated by multiple open-source intelligence sources. The group’s operational focus is espionage, with a clear targeting of government institutions in Mongolia. GopherWhisper demonstrates a high degree of technical sophistication, operational discipline, and a preference for stealth. The group’s infrastructure and malware development practices indicate access to skilled developers and resources, with a notable emphasis on custom Go-based tooling and the exploitation of legitimate cloud services for covert communications. The operators’ activity patterns, including C2 traffic aligned with China Standard Time and the use of Chinese-configured virtual machines, further reinforce the attribution to a China-based threat actor.

Technical Analysis of Malware/TTPs

GopherWhisper employs a modular toolkit, each component designed to exploit trusted cloud services for C2 and exfiltration, while maintaining a low profile within victim environments.

The primary malware families include LaxGopher, a Go-based backdoor that communicates with private Slack servers for C2, executing arbitrary commands via cmd.exe and supporting payload delivery. RatGopher is a similar Go-based backdoor leveraging private Discord servers for C2, with bidirectional command execution and result reporting. BoxOfFriends utilizes the Microsoft 365 Outlook REST API (Microsoft Graph) to establish C2 channels via draft emails, a technique that exploits the ubiquity and trust of Microsoft cloud infrastructure. JabGopher acts as an injector, executing LaxGopher (disguised as whisper.dll) by injecting it into the legitimate svchost.exe process, thereby evading endpoint detection. CompactGopher is a Go-based utility for compressing and exfiltrating files through file.io, a public file-sharing service. FriendDelivery is a malicious DLL loader/injector for BoxOfFriends, and SSLORDoor is a C++ backdoor that uses OpenSSL BIO for raw socket communication over port 443, further obfuscating malicious traffic within encrypted channels.

Key TTPs include the abuse of legitimate services for C2 and exfiltration, DLL side-loading to evade detection, process injection (notably into svchost.exe), and the use of obfuscated custom binaries. The group’s operational security is evidenced by the alignment of C2 activity with Chinese business hours and the configuration of operator virtual machines to China Standard Time.

From a MITRE ATT&CK perspective, the campaign maps to several techniques: T1071.001 (Application Layer Protocol: Web Protocols), T1105 (Ingress Tool Transfer), T1567.002 (Exfiltration to Cloud Storage), T1055 (Process Injection), T1078 (Valid Accounts), and T1027 (Obfuscated Files or Information).

Exploitation in the Wild

The GopherWhisper campaign has resulted in the compromise of at least 12 Mongolian government systems as of early 2025, according to ESET and corroborated by TheHackerNews. Analysis of C2 traffic reveals thousands of messages exchanged over Slack and Discord, with operator activity peaking during Chinese business hours. The use of legitimate cloud services for C2 and exfiltration enables the attackers to bypass traditional perimeter defenses and network monitoring solutions, as malicious traffic is indistinguishable from routine business communications. Persistence is achieved through the deployment of custom backdoors and the use of process injection and DLL side-loading, allowing the malware to survive reboots and evade endpoint detection. The attackers have also demonstrated the ability to rapidly adapt their tooling and infrastructure in response to detection, further complicating remediation efforts.

Victimology and Targeting

The primary victims of the GopherWhisper campaign are Mongolian government institutions, with at least a dozen confirmed compromises. The targeting is consistent with Chinese state interests in the region, focusing on intelligence collection and strategic espionage. The attackers exhibit a high degree of selectivity, deploying their custom toolset only within carefully chosen environments. There is no evidence to date of opportunistic or financially motivated targeting; the campaign is characterized by its focus on governmental and potentially diplomatic entities. The use of legitimate cloud services for C2 and exfiltration suggests a deliberate effort to minimize the risk of detection and maximize operational longevity within high-value targets.

Mitigation and Countermeasures

Organizations are advised to implement a multi-layered defense strategy to mitigate the risks posed by GopherWhisper and similar APT campaigns. Continuous monitoring for the published indicators of compromise (IOCs) is essential, with particular attention to anomalous traffic involving Slack, Discord, the Microsoft 365 Outlook Graph API, and file.io. Security teams should audit and, where possible, restrict the use of third-party cloud services within sensitive environments, especially those not required for business operations. They should also investigate any activity associated with the malicious Outlook account barrantaya.1010@outlook[.]com and scrutinize process injection events, particularly those involving svchost.exe and suspicious DLLs such as whisper.dll and wer.dll. Endpoint detection and response (EDR) solutions should be configured to detect and alert on DLL side-loading and process injection behaviors. Network segmentation and the principle of least privilege should be enforced to limit lateral movement and data exfiltration opportunities. Regular threat intelligence updates and proactive threat hunting, leveraging the full IOC set available from ESET’s GitHub repository, are strongly recommended. Finally, organizations should ensure that incident response plans are updated to address the unique challenges posed by the abuse of legitimate cloud services for C2 and exfiltration.
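As an added example (not code from ESET's or Rescana's reporting), the following Python hunting heuristic turns the toolkit description above and the monitoring guidance in this section into two checks over constructed Sysmon-style events: collaboration or file-sharing traffic (Slack, Discord, Microsoft Graph, file.io) originating from a process other than the expected client applications, and loads of whisper.dll or wer.dll from outside the Windows system directories, since wer.dll is also a legitimate Windows component and only its path distinguishes a side-loaded copy. The service hostnames, the process allowlist and all sample events are assumptions to be tuned per environment.

```python
import re
# Cloud services the advisory names as abused for C2 and exfiltration.
ABUSED_SERVICES = ("slack.com", "discord.com", "discordapp.com", "graph.microsoft.com", "file.io")
# Processes expected to talk to those services (assumption; tune per environment).
EXPECTED_CLIENTS = {"slack.exe", "discord.exe", "outlook.exe", "teams.exe", "msedge.exe", "chrome.exe"}
# DLL names from the advisory. wer.dll is also a legitimate Windows DLL, so only a load
# from outside the system directories is treated as a side-loading signal.
WATCHED_DLLS = {"whisper.dll", "wer.dll"}
SYSTEM_DIRS = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_network(ev):
    """Collaboration/file-sharing traffic from a process other than the expected clients."""
    host = ev["dest"].lower()
    if any(host == s or host.endswith("." + s) for s in ABUSED_SERVICES):
        if basename(ev["image"]) not in EXPECTED_CLIENTS:
            return f"{basename(ev['image'])} -> {host} (unexpected client)"
    return None

def check_image_load(ev):
    """Watched DLL loaded from a non-system path, or svchost.exe running from one.
    Catches loader-visible injection (an image-load event), not reflective mapping."""
    dll = ev["loaded"]
    if basename(dll) in WATCHED_DLLS and not SYSTEM_DIRS.match(dll):
        return f"{basename(ev['image'])} loaded {dll} from non-system path"
    if basename(ev["image"]) == "svchost.exe" and not SYSTEM_DIRS.match(ev["image"]):
        return f"svchost.exe running from {ev['image']}"
    return None

def hunt(events):
    """Return (host, finding) pairs for analyst review."""
    findings = []
    for ev in events:
        hit = check_network(ev) if ev["type"] == "network" else check_image_load(ev)
        if hit:
            findings.append((ev["host"], hit))
    return findings

# Constructed sample events (Sysmon-style: ID 3 network connect, ID 7 image load).
SAMPLE_EVENTS = [
    {"type": "network", "host": "ws01", "image": r"C:\Program Files\Slack\slack.exe", "dest": "wss-primary.slack.com"},
    {"type": "network", "host": "ws01", "image": r"C:\Windows\System32\svchost.exe", "dest": "wss-primary.slack.com"},
    {"type": "network", "host": "ws02", "image": r"C:\Windows\System32\svchost.exe", "dest": "ctldl.windowsupdate.com"},
    {"type": "network", "host": "ws02", "image": r"C:\Users\u\AppData\Local\Temp\update.exe", "dest": "file.io"},
    {"type": "image_load", "host": "ws01", "image": r"C:\Windows\System32\svchost.exe", "loaded": r"C:\Windows\System32\wer.dll"},
    {"type": "image_load", "host": "ws01", "image": r"C:\Windows\System32\svchost.exe", "loaded": r"C:\ProgramData\Sync\whisper.dll"},
]

if __name__ == "__main__":
    for host, finding in hunt(SAMPLE_EVENTS):
        print(host, finding)
```

Against the sample set the script flags svchost.exe reaching Slack, an unknown Temp binary uploading to file.io, and whisper.dll loaded into svchost.exe from ProgramData, while the legitimate Slack client, Windows Update traffic and the System32 copy of wer.dll pass silently.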

References

ESET WeLiveSecurity: GopherWhisper: A burrow full of malware https://www.welivesecurity.com/en/eset-research/gopherwhisper-burrow-full-malware/

ESET GitHub IOCs for GopherWhisper https://github.com/eset/malware-ioc/tree/master/gopherwhisper

ESET Whitepaper PDF https://web-assets.esetstatic.com/wls/en/papers/white-papers/gopherwhisper-burrow-full-malware.pdf

TheHackerNews: GopherWhisper Infects 12 Mongolian Government Systems https://thehackernews.com/2026/04/china-linked-gopherwhisper-infects-12.html

SecurityWeek: China-Linked APT GopherWhisper Abuses Legitimate Services https://www.securityweek.com/china-linked-apt-gopherwhisper-abuses-legitimate-services-in-government-attacks/

MITRE ATT&CK Framework https://attack.mitre.org/

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their extended supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify and respond to emerging threats, ensuring robust protection for critical assets and sensitive data. For more information about how Rescana can help your organization strengthen its cyber resilience, or for any questions regarding this advisory, please contact us at ops@rescana.com.