GopherWhisper: A burrow full of malware
ESET researchers discovered a previously undocumented China-aligned APT group named GopherWhisper that targeted a governmental entity in Mongolia. The group employs a diverse arsenal of custom tools, predominantly written in Go, including backdoors LaxGopher, RatGopher, and BoxOfFriends, along with injectors JabGopher, exfiltration tool CompactGopher, loader FriendDelivery, and C++ backdoor SSLORDoor. The threat actors abuse legitimate services including Discord, Slack, Microsoft 365 Outlook, and file.io for command and control communications and data exfiltration. Through extraction of thousands of messages from compromised Slack and Discord channels, researchers gained valuable insights into the group's internal operations and post-compromise activities. Timestamp analysis of communications indicates operators work during UTC+8 business hours, aligning with China Standard Time, supporting attribution to China-aligned actors.
AI Analysis
Technical Summary
ESET researchers uncovered GopherWhisper, a previously undocumented China-aligned APT group targeting a Mongolian government entity. The group employs a diverse set of custom tools mainly written in Go, including backdoors (LaxGopher, RatGopher, BoxOfFriends), injectors (JabGopher), an exfiltration tool (CompactGopher), a loader (FriendDelivery), and a C++ backdoor (SSLORDoor). They leverage legitimate services such as Discord, Slack, Microsoft 365 Outlook, and file.io for command and control and data exfiltration. Extraction of thousands of messages from compromised Slack and Discord channels provided insight into their internal operations and post-compromise activities. Timestamp analysis indicates operators work during UTC+8 business hours, aligning with China Standard Time, supporting attribution to China-aligned actors.
Potential Impact
The threat actor has successfully compromised a governmental entity in Mongolia, deploying multiple custom backdoors and tools for espionage. Their use of legitimate communication platforms for command and control and data exfiltration complicates detection and response, because the traffic blends in with ordinary use of those services. The compromise enables persistent access and data theft, potentially impacting governmental confidentiality and security. No exploit or patch information applies, as this is an APT malware campaign rather than a software vulnerability.
Mitigation Recommendations
There is no patch or official fix applicable, since this is a malware campaign rather than a software vulnerability. Defenders should focus on detecting and blocking the identified custom tools and on monitoring for abuse of legitimate communication platforms such as Discord, Slack, Microsoft 365 Outlook, and file.io. Incident response should include investigation of potential compromises and credential hygiene. No vendor advisory indicates a 'no action required' status or an existing mitigation; proactive threat hunting and network monitoring for the GopherWhisper indicators of compromise listed below are therefore recommended.
Indicators of Compromise
- hash: 2024ea60da870a221db260482117258b
- hash: 716554dc580a82cc17a1035add302c0766590964
- hash: 53043bd27f47dbbe3e5ac691d8a586ab56a33f734356be9b8e49c7e975241a56
- hash: 06007ef61672d1153531137c2e5f6ec6
- hash: 039eb329a173fce7efeca18611a8f2c0f7d24609
- hash: 57c2490e4db194d3503ee85635fb1d6f26e8c534
- hash: 5a1bbb40c442b12594a913431f8c6757a3a66e8f
- hash: 926974facfd0383c65458d6ef1f31fbb7c769e18
- hash: ad7e264eb08415871617e45f21d03f7d71e4c36f
- hash: c72e7540d6f12d74d8e737b02f31568385f575d7
- hash: fa9e65e58eb8fa41fde0a0a870b7d24b298026d9
- hash: 97c1266ac21a35f1d82781c30378d563769ce144d903d93d4bfea533103044a3
- ip: 43.231.113.50
- hash: 136ad515aeb19cada0703dfe146567f1
- hash: 46846ddc7c614331a55623d7c9fa7974
- hash: 51ff3568763f1c290ee21d963d1e2348
- hash: 9f767cfa8c1716e7e3cc64a87e6fec02
- hash: a79e31eddff524646f98a2c14881f6ad
- hash: f4d4581704501e4088312abd9f7bb4ad
- hash: 023fdb1a859f73f1716f5ec0c8a01a964b702de3b4fd63a3bc7a966cdd39d427
- hash: 860069ddb5fb78f19698c6951bb67b5183016cfa813d109699130dafcc55789c
- hash: 8c872595fa8fa58a657584a0172aa20eb18f60fcfc955dec41144a002037b10e
- hash: 9c2d91b76e495e917d9064ef25352c8bfe913cc67f0aab0fda4beabcb07c90aa
- hash: ca5caa6bc20f9153360e5789ec511235046952a77f3f72b35fefec9b1c342f98
- hash: dd85e137e876a32e5dbedf8a8441d3a1c68f97f4c2304ed862438d6c4cc76348
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.welivesecurity.com/en/eset-research/gopherwhisper-burrow-full-malware/
- Adversary: GopherWhisper
- Pulse ID: 69ea2ebe8c3499b065ec22a7
- Threat Score: null
Indicators of Compromise
Hash
| Value | Type | Description |
|---|---|---|
| 2024ea60da870a221db260482117258b | MD5 | MD5 of 716554dc580a82cc17a1035add302c0766590964 |
| 716554dc580a82cc17a1035add302c0766590964 | SHA1 | — |
| 53043bd27f47dbbe3e5ac691d8a586ab56a33f734356be9b8e49c7e975241a56 | SHA256 | SHA256 of 716554dc580a82cc17a1035add302c0766590964 |
| 06007ef61672d1153531137c2e5f6ec6 | MD5 | MD5 of 039eb329a173fce7efeca18611a8f2c0f7d24609 |
| 039eb329a173fce7efeca18611a8f2c0f7d24609 | SHA1 | — |
| 57c2490e4db194d3503ee85635fb1d6f26e8c534 | SHA1 | — |
| 5a1bbb40c442b12594a913431f8c6757a3a66e8f | SHA1 | — |
| 926974facfd0383c65458d6ef1f31fbb7c769e18 | SHA1 | — |
| ad7e264eb08415871617e45f21d03f7d71e4c36f | SHA1 | — |
| c72e7540d6f12d74d8e737b02f31568385f575d7 | SHA1 | — |
| fa9e65e58eb8fa41fde0a0a870b7d24b298026d9 | SHA1 | — |
| 97c1266ac21a35f1d82781c30378d563769ce144d903d93d4bfea533103044a3 | SHA256 | SHA256 of 039eb329a173fce7efeca18611a8f2c0f7d24609 |
| 136ad515aeb19cada0703dfe146567f1 | MD5 | — |
| 46846ddc7c614331a55623d7c9fa7974 | MD5 | — |
| 51ff3568763f1c290ee21d963d1e2348 | MD5 | — |
| 9f767cfa8c1716e7e3cc64a87e6fec02 | MD5 | — |
| a79e31eddff524646f98a2c14881f6ad | MD5 | — |
| f4d4581704501e4088312abd9f7bb4ad | MD5 | — |
| 023fdb1a859f73f1716f5ec0c8a01a964b702de3b4fd63a3bc7a966cdd39d427 | SHA256 | — |
| 860069ddb5fb78f19698c6951bb67b5183016cfa813d109699130dafcc55789c | SHA256 | — |
| 8c872595fa8fa58a657584a0172aa20eb18f60fcfc955dec41144a002037b10e | SHA256 | — |
| 9c2d91b76e495e917d9064ef25352c8bfe913cc67f0aab0fda4beabcb07c90aa | SHA256 | — |
| ca5caa6bc20f9153360e5789ec511235046952a77f3f72b35fefec9b1c342f98 | SHA256 | — |
| dd85e137e876a32e5dbedf8a8441d3a1c68f97f4c2304ed862438d6c4cc76348 | SHA256 | — |
IP
| Value | Description |
|---|---|
| 43.231.113.50 | — |
Threat ID: 69eb327b87115cfb680bf510
Added to database: 4/24/2026, 9:06:03 AM
Last enriched: 4/24/2026, 9:21:10 AM
Last updated: 4/25/2026, 5:44:53 AM