Full Report
A previously undocumented state-backed threat actor named GopherWhisper is using a Go-based custom toolkit and legitimate services like Microsoft 365 Outlook, Slack, and Discord in attacks against government entities. [...]
Analysis Summary
# Threat Actor: GopherWhisper
## Attribution & Identity
- **Actor Name:** GopherWhisper
- **Origin:** China (attributed with high confidence)
- **Identification Details:** Identified by ESET in April 2026. Attribution rests on operator working hours (08:00 to 17:00, UTC+8) and on `zh-CN` locale metadata recovered from the actor's Slack C2 workspaces.
- **Associated Groups:** Currently classified as a previously undocumented state-backed APT group.
## Activity Summary
GopherWhisper has been active since at least **November 2023**. The actor specializes in a Go-based custom toolkit built to abuse legitimate cloud services for command and control (C2), so that beaconing blends into ordinary SaaS traffic. Recent operations include a significant compromise of a government entity in Mongolia, where multiple backdoors were deployed to maintain persistence and exfiltrate data.
## Tactics, Techniques & Procedures
- **Living off Trusted Services:** Abuses legitimate APIs and platforms (Slack, Discord, Microsoft Graph API/Outlook) so that C2 traffic is, at the domain and TLS layer, indistinguishable from normal business use of those services.
- **Draft-Based C2:** The "BoxOfFriends" backdoor exchanges tasking and results by creating and editing draft messages in a mailbox through the Microsoft Graph API. Nothing is ever sent, so transport rules, mail gateways and outbound mail-flow monitoring never see the channel.
- **Process Injection:** Uses dedicated injectors (JabGopher, FriendDelivery) to run backdoor code inside legitimate processes such as `svchost.exe`.
- **Data Exfiltration:** Custom tooling (CompactGopher) compresses collected data from the command line; the archives are then uploaded to a public file-sharing service (`file[.]io`).
- **Go-Based Tooling:** The toolkit is written in Go. Go produces large, statically linked binaries that bundle the runtime, which slows reverse engineering and fits poorly with analysis tooling and signatures tuned to C/C++ malware. This is a hindrance to analysts rather than obfuscation in the strict sense.
**MITRE ATT&CK Mapping (Inferred):**
- **T1102.002:** Web Service: Bidirectional Communication (Slack/Discord/Microsoft Graph)
- **T1071.001:** Application Layer Protocol: Web Protocols
- **T1055:** Process Injection (JabGopher, FriendDelivery into `svchost.exe`)
- **T1059.003:** Command and Scripting Interpreter: Windows Command Shell
- **T1132.001:** Data Encoding: Standard Encoding
- **T1053:** Scheduled Task/Job (persistence; inferred, the report gives no specifics)
- **T1560:** Archive Collected Data (CompactGopher)
- **T1567.002:** Exfiltration Over Web Service: Exfiltration to Cloud Storage (`file[.]io`)
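The draft-based C2 described above leaves a distinctive trail in Microsoft 365 mailbox auditing: one application repeatedly creating and editing items in the Drafts folder, on a machine-like cadence, with no Send ever following. The script below is an added example written for this summary, not code from ESET or from the actor's toolkit. It scores constructed mailbox-audit records shaped like Unified Audit Log entries (`Operation`, `AppId`, `Item.ParentFolder.Path`); the application IDs, mailbox names and the approved-app set are hypothetical.

```python
"""Flag draft-folder churn in Microsoft 365 mailbox audit records.

Draft-based C2 creates and edits draft messages through the Graph API and
never sends them, so the mailbox shows runs of Create/Update (later
SoftDelete) operations on the Drafts folder from one application, with no
matching Send.  Records below follow the Unified Audit Log mailbox-audit
shape (Operation, AppId, Item.ParentFolder.Path) but are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import statistics

# Hypothetical IDs: an organisation would populate the approved set from its
# own app-registration inventory (e.g. the Outlook client's AppId).
OUTLOOK_APP = "11111111-aaaa-4bbb-8ccc-000000000001"
APPROVED_APP_IDS = {OUTLOOK_APP}
DRAFT_OPS = {"Create", "Update", "SoftDelete", "HardDelete"}


def _rec(ts, user, op, folder, app):
    """Build one constructed mailbox-audit record."""
    return {"CreationTime": ts.isoformat(), "Workload": "Exchange", "UserId": user,
            "Operation": op, "AppId": app, "Item": {"ParentFolder": {"Path": folder}}}


BASE = datetime(2024, 3, 4, 9, 0, 0)
SAMPLE_RECORDS = []
# Beacon-like: an unapproved app creates/updates drafts about every 60 s and never sends.
for i in range(12):
    SAMPLE_RECORDS.append(_rec(BASE + timedelta(seconds=60 * i + i % 3), "user1@example.gov.test",
                               "Create" if i % 2 == 0 else "Update", "\\Drafts",
                               "hypothetical-unapproved-app"))
# Benign: Outlook autosaves a draft at human intervals, then the user sends it.
for offset in (0, 45, 130, 400, 410, 900, 1700, 1730, 2500, 3200):
    SAMPLE_RECORDS.append(_rec(BASE + timedelta(seconds=offset), "user2@example.gov.test",
                               "Update", "\\Drafts", OUTLOOK_APP))
SAMPLE_RECORDS.append(_rec(BASE + timedelta(seconds=3300), "user2@example.gov.test",
                           "Send", "\\Drafts", OUTLOOK_APP))


def score_draft_activity(records, approved=APPROVED_APP_IDS, min_events=8, max_cv=0.25):
    """Return findings for (mailbox, app) pairs whose draft activity looks like C2.

    A pair is reported when at least two of these hold: the app is not approved,
    the drafts are never sent, and the edit cadence is regular (coefficient of
    variation of the inter-event gaps <= max_cv).
    """
    by_pair = defaultdict(list)
    for r in records:
        if r.get("Workload") != "Exchange":
            continue
        by_pair[(r["UserId"], r.get("AppId", "unknown"))].append(r)

    findings = []
    for (mailbox, app), events in by_pair.items():
        drafts = [e for e in events
                  if e["Operation"] in DRAFT_OPS
                  and e["Item"]["ParentFolder"]["Path"].lower().endswith("drafts")]
        sends = sum(1 for e in events if e["Operation"] in ("Send", "SendAs", "SendOnBehalf"))
        if len(drafts) < min_events:
            continue
        times = sorted(datetime.fromisoformat(e["CreationTime"]) for e in drafts)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        reasons = []
        if app not in approved:
            reasons.append("unapproved app")
        if sends == 0:
            reasons.append("drafts never sent")
        if cv <= max_cv:
            reasons.append(f"regular cadence (~{mean:.0f}s, cv={cv:.2f})")
        if len(reasons) >= 2:
            findings.append({"mailbox": mailbox, "app": app, "draft_events": len(drafts),
                             "sends": sends, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in score_draft_activity(SAMPLE_RECORDS):
        print(finding)
```

Requiring two independent signals keeps Outlook's own autosave (frequent Drafts updates, but from an approved app and eventually followed by a Send) out of the alert queue; the thresholds are starting points to tune against the tenant's own baseline.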
## Targeting
- **Sectors:** Government entities.
- **Geography:** Mongolia (confirmed); potentially global ("dozens of other victims" identified via C2 analysis).
- **Victims:** A specific Mongolian government institution (12 systems compromised); dozens of unidentified victims.
## Tools & Infrastructure
### Malware Families
- **LaxGopher:** Go-based backdoor using Slack for C2.
- **RatGopher:** Go-based backdoor using Discord for C2.
- **BoxOfFriends:** Go-based backdoor using Microsoft Graph API (Outlook drafts) for C2.
- **SSLORDoor:** C++ backdoor that uses OpenSSL BIO objects to run its own TLS channel directly over a TCP socket to port 443, rather than through a SaaS API; it is the one family in the set that does not hide behind a trusted service.
- **JabGopher:** Injector for the LaxGopher DLL (`whisper.dll`).
- **FriendDelivery:** Loader/Injector for the BoxOfFriends backdoor.
- **CompactGopher:** Data collection and compression tool.
### Infrastructure
- **C2 Services:**
- Slack (actor-controlled workspaces)
- Discord (Private channels)
- Microsoft 365 Outlook (Graph API)
- **Exfiltration Points:**
- `file[.]io`
- **Port usage:** TCP 443 for SSLORDoor's direct TLS channel; the Go backdoors reach the SaaS APIs over HTTPS on the same port.
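Because the C2 endpoints are Slack, Discord and Microsoft Graph, and the exfiltration point is `file[.]io`, the useful network signal is not a bad domain but a regular polling cadence to a good one from a host that has no business using it, plus an upload to a public file drop. The script below is an added example for this summary (not ESET's or the actor's code). It runs over constructed proxy log lines in a minimal `timestamp src method url status bytes` shape; the IP addresses and the per-host sanctioned-service policy are hypothetical, and a real proxy format needs its own parser while the scoring stays the same.

```python
"""Hunt for SaaS-API beaconing and file.io uploads in web-proxy logs.

Per (source host, service) the script measures how regular the gaps
between requests are (coefficient of variation of the inter-request
interval) and whether the host is sanctioned to use that service at all;
any POST/PUT to a public file drop is reported on its own.
"""
from collections import defaultdict
from datetime import datetime
import re
import statistics
from urllib.parse import urlsplit

# Hostname -> service label for the C2-capable SaaS APIs named in the report.
C2_SERVICES = {"api.slack.com": "slack", "slack.com": "slack",
               "discord.com": "discord", "discordapp.com": "discord",
               "graph.microsoft.com": "graph"}
EXFIL_HOSTS = {"file.io"}
# Hypothetical policy: which hosts may legitimately use which service.
SANCTIONED = {"10.1.1.20": {"slack", "graph"}, "10.1.1.21": {"graph"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$")

SAMPLE_LOG = "\n".join(
    # Constructed: a server polling api.slack.com every ~30 s (LaxGopher-style tasking).
    [f"2024-03-04T09:{m:02d}:{s:02d} 10.20.30.40 GET https://api.slack.com/api/conversations.history 200 812"
     for m, s in ((0, 0), (0, 31), (1, 1), (1, 30), (2, 2), (2, 31), (3, 0), (3, 31), (4, 1), (4, 30))]
    # Constructed: a workstation using Slack interactively at irregular times.
    + [f"2024-03-04T09:{m:02d}:{s:02d} 10.1.1.20 GET https://api.slack.com/api/conversations.list 200 4021"
       for m, s in ((0, 5), (0, 9), (2, 44), (3, 1), (3, 2), (3, 3), (7, 50), (9, 12), (9, 15), (11, 40))]
    # Constructed: one Graph call from a sanctioned host, and the server's upload to file.io.
    + ["2024-03-04T09:05:00 10.1.1.21 GET https://graph.microsoft.com/v1.0/me 200 1500",
       "2024-03-04T09:06:10 10.20.30.40 POST https://file.io/ 200 5242880"])


def parse(log_text):
    """Yield (timestamp, src, method, host, bytes) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host = (urlsplit(m["url"]).hostname or "").lower()
        yield datetime.fromisoformat(m["ts"]), m["src"], m["method"], host, int(m["bytes"])


def hunt(log_text, min_requests=6, max_cv=0.2):
    """Return exfil findings (uploads to file drops) and beacon findings (regular
    or unsanctioned polling of a C2-capable SaaS API)."""
    findings = []
    polls = defaultdict(list)
    for ts, src, method, host, size in parse(log_text):
        if host in EXFIL_HOSTS and method in ("POST", "PUT"):
            findings.append({"type": "exfil", "src": src, "host": host, "bytes": size})
        service = C2_SERVICES.get(host)
        if service:
            polls[(src, service)].append(ts)
    for (src, service), times in polls.items():
        times.sort()
        if len(times) < min_requests:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        unsanctioned = service not in SANCTIONED.get(src, set())
        if cv <= max_cv or unsanctioned:
            findings.append({"type": "beacon", "src": src, "service": service,
                             "requests": len(times), "period_s": round(mean),
                             "cv": round(cv, 2), "unsanctioned": unsanctioned})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

The interactive Slack user produces as many requests as the beaconing server but with a highly irregular cadence from a sanctioned host, so only the server is reported; correlating its Slack polling with the later `file.io` POST from the same address is what turns two weak signals into an incident.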
## Implications
GopherWhisper illustrates a shift in state-backed operations toward "low-signal" C2. A Go toolkit talking to Slack, Discord and Microsoft Graph produces TLS traffic to reputable, commonly allowlisted domains, so domain and IP reputation, egress allowlists and network signatures have little to work with; only the SSLORDoor channel on port 443 offers a conventional network indicator. Remaining undetected since 2023 points to solid operational security and an interest in long-term espionage against government targets.
## Mitigations
- **SaaS Monitoring:** Baseline which hosts and service accounts legitimately use Slack, Discord and the Microsoft Graph API, then alert on use from servers or accounts outside that baseline and on regular, machine-like polling cadences.
- **Behavioral Analytics:** Alert on `svchost.exe` started by anything other than `services.exe`, on `svchost.exe` launched without a `-k <group>` argument, and on remote-thread creation into `svchost.exe` from images outside the Windows directory.
- **Network Filtering:** Block file-sharing sites such as `file[.]io` from sensitive internal servers unless explicitly required for business, and log upload-sized POSTs to any that remain reachable.
- **Email Security:** Audit Microsoft 365 mailbox-audit logs for draft churn (repeated Create/Update on the Drafts folder with no Send) from unfamiliar applications, and review Entra ID app registrations and OAuth consent grants that hold `Mail.ReadWrite` on the Graph API.
- **Endpoint Detection:** Deploy EDR that detects memory injection and remote-thread creation, and make sure analysis tooling handles Go binaries (runtime symbol recovery, Go-specific string layout) rather than assuming C/C++ conventions.
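The behavioral checks listed above for `svchost.exe` are cheap to implement from process-creation and remote-thread telemetry. The script below is an added example for this summary (not ESET's or the actor's code): it triages constructed events in a Sysmon-like shape (EventID 1 = ProcessCreate, EventID 8 = CreateRemoteThread, with the standard Sysmon field names) and reports each event that trips a rule together with the reasons. The file paths and process IDs are made up, and the parent and thread-source allowlists are assumptions to be tuned against a real baseline.

```python
"""Triage process-creation and remote-thread events for svchost.exe abuse.

JabGopher and FriendDelivery run their payloads inside legitimate processes
such as svchost.exe.  Host-side tells that survive that: a svchost.exe not
started by services.exe with a '-k <group>' command line, a svchost.exe
image outside System32/SysWOW64, and a thread created in svchost.exe by an
image outside the Windows directory.
"""
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Parents that legitimately start svchost.exe; the non-services.exe entries are
# the usual allowlist exceptions (assumption: tune to your own baseline).
OK_SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "tiworker.exe"}
# System images that routinely create threads in other processes (assumption, as above).
OK_THREAD_SOURCES = {"csrss.exe", "msmpeng.exe"}


def _name(path):
    return ntpath.basename(path or "").lower()


def _in_system_dir(path):
    return (path or "").lower().startswith(SYSTEM_DIRS)


def triage(events):
    """Return one finding per suspicious event, each listing the rules it tripped."""
    findings = []
    for ev in events:
        reasons = []
        if ev["EventID"] == 1 and _name(ev["Image"]) == "svchost.exe":
            if not _in_system_dir(ev["Image"]):
                reasons.append("svchost.exe outside System32/SysWOW64 (masquerading)")
            if _name(ev["ParentImage"]) not in OK_SVCHOST_PARENTS:
                reasons.append(f"unexpected parent {ev['ParentImage']}")
            if "-k " not in ev.get("CommandLine", "").lower():
                reasons.append("no '-k <group>' argument")
        elif ev["EventID"] == 8 and _name(ev["TargetImage"]) == "svchost.exe":
            src = ev["SourceImage"]
            if not _in_system_dir(src) or _name(src) not in OK_THREAD_SOURCES:
                reasons.append(f"remote thread into svchost.exe from {src}")
        if reasons:
            pid = ev.get("ProcessId", ev.get("TargetProcessId"))
            findings.append({"EventID": ev["EventID"], "ProcessId": pid, "reasons": reasons})
    return findings


# Constructed events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1204, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p -s Schedule"},
    {"EventID": 1, "ProcessId": 5320, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 1, "ProcessId": 5402, "Image": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 8, "TargetProcessId": 5320,
     "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "TargetImage": "C:\\Windows\\System32\\svchost.exe", "StartFunction": ""},
    {"EventID": 8, "TargetProcessId": 1204,
     "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\System32\\svchost.exe", "StartFunction": ""},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The first event (a normal service host started by `services.exe` with `-k netsvcs`) and the last (a system image creating a thread) pass cleanly; the injector-style launch without `-k`, the copy of `svchost.exe` living under the user profile, and the remote thread from a Temp-directory binary are each reported. A sacrificial `svchost.exe` spawned suspended by an injector is exactly the second pattern, and the remote-thread event is what ties it to the injecting image.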