GopherWhisper: A burrow full of malware
ESET researchers discovered a previously undocumented China-aligned APT group, named GopherWhisper, that targeted a governmental entity in Mongolia. The group employs a diverse arsenal of custom tools, predominantly written in Go: the backdoors LaxGopher, RatGopher and BoxOfFriends, the injector JabGopher, the exfiltration tool CompactGopher, the loader FriendDelivery, and a C++ backdoor, SSLORDoor. The operators abuse legitimate services, including Discord, Slack, Microsoft 365 Outlook and file.io, for command and control and for data exfiltration. By extracting thousands of messages from the Slack and Discord channels the group used, researchers gained insight into its internal operations and post-compromise activity. Timestamp analysis of those messages shows the operators working during UTC+8 business hours, consistent with China Standard Time and supporting the China-aligned attribution.
AI Analysis
Technical Summary
The ESET report describes an espionage toolset, not a vulnerability: a set of custom Go implants (the LaxGopher, RatGopher and BoxOfFriends backdoors, the JabGopher injector, the CompactGopher exfiltration tool and the FriendDelivery loader) plus the C++ SSLORDoor backdoor, deployed against a governmental entity in Mongolia. The operationally important detail is the transport. Command and control and exfiltration ride on Discord, Slack, Microsoft 365 Outlook and file.io, so implant traffic is HTTPS to domains most organisations already allow, and at the proxy a beacon is hard to tell from a chat or mail client. Go implants are statically linked and, unless stripped, retain package paths and function names, which makes them amenable to string-based signatures but also large and not distinguishable by size alone. Because the operators ran their own coordination through Slack and Discord channels that ESET was able to read, the report carries unusual post-compromise detail, and the message timestamps (activity during UTC+8 business hours) are the main attribution evidence. The initial access vector is not stated in this summary, and no CVE, exploit or patch is associated with the activity.
Potential Impact
The impact is espionage: persistent access to a Mongolian government network, with the ability to run further tooling, collect data and exfiltrate it through sanctioned cloud services, so the exfiltration itself looks like ordinary HTTPS to Slack, Discord, Outlook or file.io at the perimeter. Response is harder than for self-hosted C2 because the victim may not be able to block the services outright, and new channels or webhooks cost the operators nothing to stand up. The summary does not quantify data loss or operational disruption, and there is no vulnerability to patch.
Mitigation Recommendations
No patch applies: this is an intrusion set, not a software flaw, so the work is detection and response. Load the file hashes and the IP address listed below into EDR and SIEM watchlists, block and retro-hunt 43.231.113.50 in proxy, firewall and DNS logs, and sweep endpoints for the hashes, bearing in mind that hashes of custom Go tooling change with every rebuild, so a miss is not a clean bill of health. Because the C2 channels are Discord, Slack, Microsoft 365 Outlook and file.io, decide per service whether any business need exists: where none does, block it at egress; where one does, alert on requests to its API from processes other than the sanctioned client and on beacon-like or high-volume traffic from a single host. file.io in particular rarely has a legitimate role on a government network. Since the report names Microsoft 365 Outlook as a channel, review mailbox access in the tenant (OAuth application grants, inbox rules, sign-ins from unfamiliar locations) as well as the endpoints. Hosts found running any of these implants should be rebuilt rather than cleaned, since the group deploys several loaders, injectors and backdoors side by side and may keep access through one after another is removed.
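The following script is an added example for this page, not code from ESET or from the OTX pulse. It shows the detection logic the recommendations above call for: flag any contact with the IoC IP, and flag requests to the abused services' APIs from processes that are not the sanctioned clients, then check those for beacon-like timing and total bytes out. The log format, the host names, the process names and the API path patterns are all assumptions (the paths are common endpoints of those services, not indicators from the report); the sample log is constructed.

```python
"""Hunt for C2 and exfiltration hidden in traffic to legitimate services.

Added example for this page; not code from ESET or the OTX pulse. It assumes
a simplified, constructed proxy/EDR log format and assumes the API paths
below as the places such traffic lands (they are not report indicators).
The only page-derived indicator is the IP address.
"""
from __future__ import annotations

import re
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Services the report names as C2/exfiltration channels, keyed by destination
# host. The path patterns are assumptions about the API endpoints involved.
ABUSED_SERVICES = {
    "discord.com": re.compile(r"^/api/(v\d+/)?(webhooks|channels)/"),
    "slack.com": re.compile(r"^/api/(chat\.postMessage|files\.upload|conversations\.history)"),
    "file.io": re.compile(r"^/"),  # any upload or download
    "graph.microsoft.com": re.compile(r"^/v1\.0/(me|users/[^/]+)/(messages|mailFolders)"),  # assumed mail API use
}
# Processes whose traffic to these services is expected; anything else talking
# to them (an unsigned binary in a user profile, say) deserves a look.
EXPECTED_PROCESSES = {
    "chrome.exe", "msedge.exe", "firefox.exe",
    "slack.exe", "discord.exe", "outlook.exe", "teams.exe",
}
IOC_IPS = {"43.231.113.50"}  # the one network IoC in the pulse


@dataclass
class Event:
    ts: datetime
    host: str
    process: str
    dest: str
    path: str
    bytes_out: int


LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>\S+) path=(?P<path>\S+) out=(?P<out>\d+)$"
)


def parse(lines):
    """Parse the constructed key=value log format; unparseable lines are dropped."""
    events = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), m["host"],
                                m["proc"].lower(), m["dst"].lower(),
                                m["path"], int(m["out"])))
    return events


def hunt(events, min_events=4, max_jitter=0.3):
    """Return (host, process, note) findings.

    Two rules: any contact with an IoC IP, and any request to an abused
    service API from a process that is not an expected client. The latter are
    grouped per host/process/destination and checked for a steady interval
    (coefficient of variation <= max_jitter), the signature of a beacon rather
    than a human clicking around a chat app.
    """
    findings = []
    groups = defaultdict(list)
    for e in events:
        if e.dest in IOC_IPS:
            findings.append((e.host, e.process, f"contact with IoC IP {e.dest}"))
            continue
        pattern = ABUSED_SERVICES.get(e.dest)
        if pattern and pattern.match(e.path) and e.process not in EXPECTED_PROCESSES:
            groups[(e.host, e.process, e.dest)].append(e)
    for (host, proc, dest), evs in groups.items():
        evs.sort(key=lambda e: e.ts)
        note = f"{proc} -> {dest}: {len(evs)} requests, {sum(e.bytes_out for e in evs)} bytes out"
        if len(evs) >= min_events:
            gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(evs, evs[1:])]
            mean = statistics.mean(gaps)
            if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
                note += f", beacon-like every ~{mean:.0f}s"
        findings.append((host, proc, note))
    return findings


# Constructed sample log: one workstation with a renamed binary posting to a
# Discord webhook every minute, another staging a large upload to file.io and
# then touching the IoC IP; browser and Slack client traffic is benign noise.
SAMPLE_LOG = """\
2026-04-20T09:00:00 host=WS-17 proc=chrome.exe dst=discord.com path=/api/v9/channels/1/messages out=512
2026-04-20T09:00:05 host=WS-17 proc=goupd.exe dst=discord.com path=/api/webhooks/1234/abcd out=310
2026-04-20T09:01:05 host=WS-17 proc=goupd.exe dst=discord.com path=/api/webhooks/1234/abcd out=298
2026-04-20T09:02:04 host=WS-17 proc=goupd.exe dst=discord.com path=/api/webhooks/1234/abcd out=305
2026-04-20T09:03:06 host=WS-17 proc=goupd.exe dst=discord.com path=/api/webhooks/1234/abcd out=311
2026-04-20T09:10:00 host=WS-22 proc=slack.exe dst=slack.com path=/api/chat.postMessage out=800
2026-04-20T09:11:00 host=WS-22 proc=update.exe dst=file.io path=/ out=5242880
2026-04-20T09:12:00 host=WS-22 proc=update.exe dst=43.231.113.50 path=/ out=120
"""

if __name__ == "__main__":
    for host, proc, note in hunt(parse(SAMPLE_LOG.splitlines())):
        print(f"[{host}] {note}")
```

On the sample the Chrome and Slack requests are ignored, the three-minute Discord webhook series from goupd.exe is reported as beacon-like at roughly 60 seconds, the 5 MB file.io upload is reported by volume, and the IoC IP contact is reported on its own. Real deployments should feed the same rules from an EDR that records the originating process, since a plain proxy log without process attribution loses the strongest signal here.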
Technical Details
- Author: AlienVault
- TLP: WHITE
- References: https://www.welivesecurity.com/en/eset-research/gopherwhisper-burrow-full-malware/
- Adversary: GopherWhisper
- Pulse ID: 69ea2ebe8c3499b065ec22a7
- Threat Score: not set (null)
Indicators of Compromise
Hash
| Value | Type | Description |
|---|---|---|
| 2024ea60da870a221db260482117258b | MD5 | MD5 of 716554dc580a82cc17a1035add302c0766590964 |
| 716554dc580a82cc17a1035add302c0766590964 | SHA-1 | — |
| 53043bd27f47dbbe3e5ac691d8a586ab56a33f734356be9b8e49c7e975241a56 | SHA-256 | SHA256 of 716554dc580a82cc17a1035add302c0766590964 |
| 06007ef61672d1153531137c2e5f6ec6 | MD5 | MD5 of 039eb329a173fce7efeca18611a8f2c0f7d24609 |
| 039eb329a173fce7efeca18611a8f2c0f7d24609 | SHA-1 | — |
| 57c2490e4db194d3503ee85635fb1d6f26e8c534 | SHA-1 | — |
| 5a1bbb40c442b12594a913431f8c6757a3a66e8f | SHA-1 | — |
| 926974facfd0383c65458d6ef1f31fbb7c769e18 | SHA-1 | — |
| ad7e264eb08415871617e45f21d03f7d71e4c36f | SHA-1 | — |
| c72e7540d6f12d74d8e737b02f31568385f575d7 | SHA-1 | — |
| fa9e65e58eb8fa41fde0a0a870b7d24b298026d9 | SHA-1 | — |
| 97c1266ac21a35f1d82781c30378d563769ce144d903d93d4bfea533103044a3 | SHA-256 | SHA256 of 039eb329a173fce7efeca18611a8f2c0f7d24609 |
| 136ad515aeb19cada0703dfe146567f1 | MD5 | — |
| 46846ddc7c614331a55623d7c9fa7974 | MD5 | — |
| 51ff3568763f1c290ee21d963d1e2348 | MD5 | — |
| 9f767cfa8c1716e7e3cc64a87e6fec02 | MD5 | — |
| a79e31eddff524646f98a2c14881f6ad | MD5 | — |
| f4d4581704501e4088312abd9f7bb4ad | MD5 | — |
| 023fdb1a859f73f1716f5ec0c8a01a964b702de3b4fd63a3bc7a966cdd39d427 | SHA-256 | — |
| 860069ddb5fb78f19698c6951bb67b5183016cfa813d109699130dafcc55789c | SHA-256 | — |
| 8c872595fa8fa58a657584a0172aa20eb18f60fcfc955dec41144a002037b10e | SHA-256 | — |
| 9c2d91b76e495e917d9064ef25352c8bfe913cc67f0aab0fda4beabcb07c90aa | SHA-256 | — |
| ca5caa6bc20f9153360e5789ec511235046952a77f3f72b35fefec9b1c342f98 | SHA-256 | — |
| dd85e137e876a32e5dbedf8a8441d3a1c68f97f4c2304ed862438d6c4cc76348 | SHA-256 | — |
Ip
| Value | Type | Description |
|---|---|---|
| 43.231.113.50 | IPv4 | — |
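The pulse mixes MD5, SHA-1 and SHA-256 digests in one list, so an endpoint sweep has to hash each file three ways and compare against the right bucket. The script below is an added example, not code from ESET or from the OTX pulse: it sorts the page's indicators into buckets by form, hashes every file under a directory in a single pass, and reports matches. The directory, the size cap and the planted sample in the usage are assumptions.

```python
"""Sweep a directory tree for files matching the GopherWhisper IoC hashes.

Added example for this page, not code from ESET or the OTX pulse. The IoC
values are the ones listed on this page; the root directory, size cap and
any sample file are assumptions of the example.
"""
import hashlib
from pathlib import Path

IOCS = """
2024ea60da870a221db260482117258b
716554dc580a82cc17a1035add302c0766590964
53043bd27f47dbbe3e5ac691d8a586ab56a33f734356be9b8e49c7e975241a56
06007ef61672d1153531137c2e5f6ec6
039eb329a173fce7efeca18611a8f2c0f7d24609
57c2490e4db194d3503ee85635fb1d6f26e8c534
5a1bbb40c442b12594a913431f8c6757a3a66e8f
926974facfd0383c65458d6ef1f31fbb7c769e18
ad7e264eb08415871617e45f21d03f7d71e4c36f
c72e7540d6f12d74d8e737b02f31568385f575d7
fa9e65e58eb8fa41fde0a0a870b7d24b298026d9
97c1266ac21a35f1d82781c30378d563769ce144d903d93d4bfea533103044a3
136ad515aeb19cada0703dfe146567f1
46846ddc7c614331a55623d7c9fa7974
51ff3568763f1c290ee21d963d1e2348
9f767cfa8c1716e7e3cc64a87e6fec02
a79e31eddff524646f98a2c14881f6ad
f4d4581704501e4088312abd9f7bb4ad
023fdb1a859f73f1716f5ec0c8a01a964b702de3b4fd63a3bc7a966cdd39d427
860069ddb5fb78f19698c6951bb67b5183016cfa813d109699130dafcc55789c
8c872595fa8fa58a657584a0172aa20eb18f60fcfc955dec41144a002037b10e
9c2d91b76e495e917d9064ef25352c8bfe913cc67f0aab0fda4beabcb07c90aa
ca5caa6bc20f9153360e5789ec511235046952a77f3f72b35fefec9b1c342f98
dd85e137e876a32e5dbedf8a8441d3a1c68f97f4c2304ed862438d6c4cc76348
43.231.113.50
""".split()

HEX = set("0123456789abcdef")
BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def classify(values):
    """Sort raw IoC strings into buckets by form: 32/40/64 hex characters are
    MD5/SHA-1/SHA-256 digests, dotted quads are IPv4 addresses."""
    buckets = {"md5": set(), "sha1": set(), "sha256": set(), "ipv4": set(), "unknown": set()}
    for v in values:
        v = v.strip().lower()
        parts = v.split(".")
        if len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts):
            buckets["ipv4"].add(v)
        elif len(v) in BY_LEN and set(v) <= HEX:
            buckets[BY_LEN[len(v)]].add(v)
        else:
            buckets["unknown"].add(v)
    return buckets


def digests(path, chunk=1 << 20):
    """Compute MD5, SHA-1 and SHA-256 in one pass over the file.
    usedforsecurity=False: the digests identify files, they protect nothing."""
    h = {
        "md5": hashlib.md5(usedforsecurity=False),
        "sha1": hashlib.sha1(usedforsecurity=False),
        "sha256": hashlib.sha256(),
    }
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for d in h.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in h.items()}


def sweep(root, iocs, max_size=200 << 20):
    """Return [(path, algorithm, digest)] for every file under root whose
    digest is in the matching IoC bucket. Oversized or unreadable files are
    skipped; a real sweep would log those paths rather than drop them."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            if p.stat().st_size > max_size:
                continue
            found = digests(p)
        except OSError:
            continue
        for algo, value in found.items():
            if value in iocs[algo]:
                hits.append((str(p), algo, value))
    return hits


if __name__ == "__main__":
    import sys
    buckets = classify(IOCS)
    for path, algo, value in sweep(sys.argv[1] if len(sys.argv) > 1 else ".", buckets):
        print(f"MATCH {algo} {value} {path}")
```

Run it as `python sweep.py C:\Users` (or whatever root you assume is worth checking) and it prints one line per match. Note what a clean result does and does not mean: the pulse's hashes identify the samples ESET analysed, and a recompiled Go implant with one byte changed will not match any of them, so this sweep confirms presence, never absence.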
Threat ID: 69eb327b87115cfb680bf510
Added to database: 4/24/2026, 9:06:03 AM
Last enriched: 5/26/2026, 7:53:37 PM
Last updated: 6/9/2026, 2:53:57 PM