ESET Research has discovered a new China-aligned APT group that we’ve named GopherWhisper, which targets Mongolian governmental institutions
# Threat Actor: GopherWhisper
## Attribution & Identity
* **Identification:** GopherWhisper is a newly discovered China-aligned Advanced Persistent Threat (APT) group.
* **Naming Convention:** The name "GopherWhisper" is derived from the group’s heavy reliance on the Go programming language (mascot: Gopher) and the filename `whisper.dll` used in side-loading attacks.
* **Known Associations:** ESET researchers note there are currently no code similarities or TTP overlaps linking this actor to other known groups, marking it as a distinct set of activity.
* **Alignment:** Attributed as China-aligned based on operational patterns and the operator's time zone (UTC+8).
## Activity Summary
First discovered in January 2025, GopherWhisper has been active since at least mid-2024. The group conducts cyberespionage operations characterized by the deployment of custom Go-based backdoors that leverage legitimate web services for command-and-control (C2). A significant portion of their identified activity involved long-term persistence within Mongolian government networks.
## Tactics, Techniques & Procedures
* **API Abuse (C2):** Extensive use of legitimate SaaS platforms (Slack, Discord, Microsoft 365 Outlook) to hide C2 traffic within normal encrypted web traffic.
* **Process Injection:** Use of custom injectors to spawn `svchost.exe` and inject malicious payloads into memory to evade detection.
* **DLL Side-loading:** Utilizing malicious DLLs (e.g., `whisper.dll`) to execute payloads.
* **Data Compression & Exfiltration:** Automating the collection and compression of target files for rapid exfiltration via public file-sharing services.
* **Draft-Message Dead Drop (C2):** Use of draft email messages in Outlook (accessed via the Microsoft Graph API) as a "dead-drop" mechanism for C2, so that commands and results never leave the mailbox as sent mail.
* **Operational Security (OPSEC):** Operators have been observed using VMware virtual machines for testing enumeration processes before deployment.
**MITRE ATT&CK IDs:**
* T1055: Process Injection
* T1574.002: DLL Side-Loading
* T1102.002: Web Service: Bidirectional Communication
* T1560: Archive Collected Data
* T1567: Exfiltration Over Web Service
## Targeting
* **Sectors:** Governmental institutions.
* **Geography:** Mongolia.
* **Victims:** Specifically identified as a Mongolian governmental entity.
## Tools & Infrastructure
### Malware Families
* **LaxGopher:** Go-based backdoor using Slack for C2.
* **RatGopher:** Go-based backdoor using Discord for C2.
* **BoxOfFriends:** Go-based backdoor using Microsoft 365 Outlook (Microsoft Graph API) for C2.
* **JabGopher:** An injector used to deploy LaxGopher.
* **CompactGopher:** A file collection/compression and exfiltration tool.
* **FriendDelivery:** A DLL loader and injector for BoxOfFriends.
* **SSLORDoor:** A C++ backdoor using raw sockets on port 443 via OpenSSL BIO.
### Infrastructure
* **Slack/Discord:** Private servers and channels used for command relay and result exfiltration.
* **file.io:** Used for hosting exfiltrated data packages.
* **Email Account:** `barrantaya.1010@outlook[.]com` (Defanged).
## Implications
GopherWhisper represents a sophisticated shift toward "Living off Trusted Services" (LoTS). By using Slack, Discord, and Outlook, the group successfully bypasses traditional perimeter defenses that might block unknown IPs but allow traffic to reputable domains. Their focus on Mongolia suggests a strategic interest in the geopolitical affairs of Central/East Asia, consistent with Chinese state interests.
## Mitigations
* **Network Monitoring:** Inspect traffic to Discord, Slack, and Microsoft Graph APIs for unusual patterns or non-standard user agents, especially originating from server infrastructure.
* **Process Auditing:** Monitor `svchost.exe` for unexpected child processes or hollowed memory regions.
* **API Token Security:** Implement robust logging to detect the unauthorized use of organizational API tokens or the presence of personal/unauthorized API tokens on corporate assets.
* **SaaS Control:** Restrict or monitor the use of file-sharing services like `file.io` at the firewall/web gateway level for sensitive government or corporate segments.
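The network-monitoring mitigation above can be turned into a simple log sweep. The following is an added example, not ESET's code or tooling: it runs constructed proxy records through the three checks the report suggests (a scripted user agent such as Go's default `Go-http-client/1.1` talking to Slack, Discord or Microsoft Graph; SaaS API calls originating from a server segment; any contact with `file.io`). The hostnames, the `10.20.` server prefix, the log layout and the sample records are assumptions for illustration.

```python
import re

# Hosts of the trusted services the report says GopherWhisper uses for C2 and
# exfiltration: Slack, Discord, Microsoft Graph (Outlook drafts) and file.io.
WATCHED_HOSTS = {"slack.com": "Slack", "discord.com": "Discord",
                 "graph.microsoft.com": "Microsoft Graph", "file.io": "file.io"}
# Assumed address prefix of the server segment; chat/mail API calls from servers are unusual.
SERVER_PREFIX = "10.20."
# Go's default HTTP client sends "Go-http-client/1.1"; browsers and the official
# Slack/Discord/Outlook clients do not. Other scripted agents are listed for completeness.
SCRIPTED_UA = re.compile(r"^(Go-http-client|python-requests|curl)/", re.IGNORECASE)

def parse_line(line):
    """Parse one tab-separated proxy record: ts, src_ip, host, path, user_agent."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 5:
        return None  # skip malformed records rather than aborting the sweep
    return dict(zip(("ts", "src", "host", "path", "ua"), fields))

def classify(rec):
    """Return the reasons a record looks like SaaS-channel C2 or exfiltration (empty if none)."""
    service = WATCHED_HOSTS.get(rec["host"].lower())
    if service is None:
        return []
    reasons = []
    if SCRIPTED_UA.match(rec["ua"]):
        reasons.append(f"{service}: scripted user agent '{rec['ua']}'")
    if rec["src"].startswith(SERVER_PREFIX):
        reasons.append(f"{service}: request from server-segment host {rec['src']}")
    if service == "file.io":
        reasons.append("file.io: public file-sharing service contacted")
    return reasons

def analyze(lines):
    """Return (src_ip, host, reasons) for every record that classify() flags."""
    findings = []
    for rec in filter(None, map(parse_line, lines)):
        reasons = classify(rec)
        if reasons:
            findings.append((rec["src"], rec["host"], reasons))
    return findings

# Constructed sample proxy records, not real telemetry; the Graph path is the Drafts folder.
SAMPLE_LOG = [
    "2025-01-14T09:02:11Z\t10.20.5.17\tgraph.microsoft.com\t/v1.0/me/mailFolders/drafts/messages\tGo-http-client/1.1",
    "2025-01-14T09:02:40Z\t10.1.8.23\tslack.com\t/api/conversations.history\tMozilla/5.0 Slack/4.36",
    "2025-01-14T09:03:05Z\t10.20.5.17\tfile.io\t/\tGo-http-client/1.1",
    "malformed record",
]
```

On the sample, the Graph and file.io records from the server host are flagged while the workstation's Slack desktop client traffic is not; in production, feed `analyze()` real proxy exports and tune `SERVER_PREFIX` and the watched hosts to your environment.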