A previously undocumented state-backed threat actor named GopherWhisper is using a Go-based custom toolkit and legitimate services like Microsoft 365 Outlook, Slack, and Discord in attacks against government entities.

Active since at least 2023, the hackers have been linked to China and are estimated to have compromised dozens of victims.

In a campaign identified by cybersecurity company ESET, the threat actor targeted a government entity in Mongolia and deployed a malware set with multiple backdoors that used Slack, Discord, and the Microsoft Graph API for command-and-control (C2) communication.

GopherWhisper also used a custom exfiltration tool to compress stolen data and upload it to the File.io file-sharing service.

In January 2025, ESET detected the first GopherWhisper backdoor that was written in Go and named it LaxGopher. The malware can retrieve commands from a private Slack server, execute them using the Command Prompt, and download new payloads.

Further investigation revealed that the threat actor had deployed additional malicious tools, most of them Go-based:

  • RatGopher – Go-based backdoor that uses a private Discord server for C2, executing commands and posting results back to a configured channel.
  • BoxOfFriends – Go-based backdoor that leverages the Microsoft 365 Outlook (Microsoft Graph API) to create and modify draft emails for C2 communication.
  • SSLORDoor – C++ backdoor using OpenSSL BIO over raw sockets (port 443), capable of executing commands and performing file operations (read, write, delete, upload) and drive enumeration.
  • JabGopher – Injector that launches svchost.exe and injects the LaxGopher backdoor (disguised as whisper.dll) into its memory.
  • FriendDelivery – Malicious DLL acting as a loader and injector that executes the BoxOfFriends backdoor.
  • CompactGopher – Go-based file collection tool that compresses data from the command line and exfiltrates it to the file-sharing service file.io.
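A defender's angle on the toolset above: every backdoor in the list talks to a well-known legitimate service (Slack, Discord, Microsoft Graph, file.io), so the anomaly is not the destination but the process making the connection (for instance svchost.exe, which JabGopher injects LaxGopher into, reaching slack.com). The following is an added example, not ESET's code or part of the report: it parses a simplified process-network log and flags connections to those services from any process outside an allowlist of expected clients. The event lines are constructed to resemble such a log, and the allowlist is an assumption that each environment would tune.

```python
"""Flag outbound connections to collaboration and file-sharing services from
processes that would not normally use them.

Added example, not ESET's code. The event lines are constructed to resemble a
simplified process-network log (timestamp, image path, destination host); the
allowlist of expected client processes is an assumption to tune per estate."""
import re

# Services the GopherWhisper toolset used for C2 and exfiltration, per the report.
WATCHED_DOMAINS = {
    "slack.com": "Slack-based C2 (LaxGopher)",
    "discord.com": "Discord-based C2 (RatGopher)",
    "graph.microsoft.com": "Outlook draft C2 via Graph API (BoxOfFriends)",
    "file.io": "file.io exfiltration (CompactGopher)",
}

# Processes normally expected to reach each service (assumption; tune per estate).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
EXPECTED_CLIENTS = {
    "slack.com": {"slack.exe"} | BROWSERS,
    "discord.com": {"discord.exe"} | BROWSERS,
    "graph.microsoft.com": {"outlook.exe", "teams.exe", "onedrive.exe"} | BROWSERS,
    "file.io": BROWSERS,
}

# Constructed sample events (not real telemetry). Image paths may contain spaces.
SAMPLE_EVENTS = [
    "ts=2025-01-14T09:12:03Z image=C:\\Program Files\\Slack\\slack.exe dst=api.slack.com",
    "ts=2025-01-14T09:13:41Z image=C:\\Windows\\System32\\svchost.exe dst=slack.com",
    "ts=2025-01-14T09:20:07Z image=C:\\Users\\Public\\tool.exe dst=discord.com",
    "ts=2025-01-14T09:25:30Z image=C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE dst=graph.microsoft.com",
    "ts=2025-01-14T09:31:55Z image=C:\\Windows\\Temp\\collector.exe dst=file.io",
    "ts=2025-01-14T09:40:12Z image=C:\\Program Files\\Google\\Chrome\\chrome.exe dst=www.example.com",
    "ts=2025-01-14T09:41:02Z image=C:\\Windows\\System32\\svchost.exe dst=login.microsoftonline.com",
]

EVENT_RE = re.compile(r"ts=(?P<ts>\S+) image=(?P<image>.+?) dst=(?P<dst>\S+)$")


def matched_domain(host: str):
    """Return the watched domain that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for domain in WATCHED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def parse_event(line: str):
    """Parse one constructed log line into a dict; return None for lines that do not fit."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "image": m["image"], "dst": m["dst"]}


def detect(lines):
    """Return one finding per connection to a watched service from an unexpected process."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        domain = matched_domain(ev["dst"])
        if domain is None:
            continue  # destination is not one of the abused services
        proc = ev["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if proc in EXPECTED_CLIENTS[domain]:
            continue  # a client that legitimately uses this service
        findings.append({"ts": ev["ts"], "process": proc, "dst": ev["dst"],
                         "suspect": WATCHED_DOMAINS[domain]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['process']} -> {f['dst']}: possible {f['suspect']}")
```

On the constructed sample the rule fires three times (svchost.exe to slack.com, an unknown binary in a user-writable directory to discord.com, and another to file.io) and stays silent for the browser, Outlook and Slack clients, and for svchost.exe reaching a Microsoft sign-in host that is not on the watched list. In production the same logic maps onto process-creation and network-connection telemetry such as Sysmon events, with the allowlist keyed on signed image paths rather than bare file names.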

The GopherWhisper toolset
Source: ESET

Using credentials hardcoded in the Go-based backdoors, the researchers were able to access the attacker's accounts on Slack, Discord, and Microsoft Outlook, and recover C2 communication consisting of commands, uploaded files, and experimental activity.

“We retrieved and analyzed a total of 6,044 Slack messages going back to August 21, 2024, and 3,005 Discord messages with the earliest dating from November 16, 2023,” ESET says in a technical report today.

This access, along with metadata obtained from the C2 server, also helped researchers link the hackers to China.

“Timestamp inspection of these Slack messages showed that the commands were issued between 12 a.m. and 12 p.m. UTC, while Discord message history revealed commands being sent between 12 a.m. and 2 p.m. UTC.”

Furthermore, the researchers said that after shifting the timestamps to UTC+8, which fits the "locale zh-CN found in the metadata of the Slack server," they noticed little activity outside the 8 a.m. to 5 p.m. working-hour interval, increasing attribution confidence.
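The working-hours reasoning in the two paragraphs above is a standard attribution heuristic: shift the UTC timestamps of operator commands by a candidate offset and see how much of the activity lands inside a normal working day. The script below is an added example, not ESET's analysis code; it generalizes the report's single UTC+8 check into a scan over every whole-hour offset and picks the one that best concentrates activity in an 8 a.m. to 5 p.m. window. The timestamps are constructed for the demonstration (an operator in UTC+8 with a midday gap and an occasional evening command), not the real Slack or Discord message history.

```python
"""Infer a likely operator time zone from C2 command timestamps.

Added example, not ESET's code. Scores each candidate UTC offset by the fraction
of commands that fall inside local working hours after shifting, generalizing the
report's single UTC+8 check to a scan over all offsets. The timestamps are
constructed for the demo, not the real Slack/Discord history."""
from collections import Counter
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 8, 17  # local working window: hour >= 8 and hour < 17


def build_sample_timestamps(days: int = 30) -> list:
    """Construct UTC timestamps for an operator on UTC+8 (assumption for the demo).

    Each day carries eight commands during working hours, with a gap at 12 local
    (lunch), plus one late-evening command at 19 local."""
    local_hours = [8, 9, 10, 11, 13, 14, 15, 16, 19]
    base = datetime(2025, 1, 6, tzinfo=timezone.utc)  # constructed start date
    stamps = []
    for d in range(days):
        for h in local_hours:
            local_wall_clock = base + timedelta(days=d, hours=h)
            stamps.append(local_wall_clock - timedelta(hours=8))  # UTC+8 wall clock -> UTC
    return stamps


def working_hour_fraction(stamps, offset_hours: int) -> float:
    """Fraction of commands inside [WORK_START, WORK_END) once shifted by `offset_hours`."""
    inside = sum(1 for t in stamps if WORK_START <= (t.hour + offset_hours) % 24 < WORK_END)
    return inside / len(stamps)


def best_utc_offset(stamps):
    """Scan whole-hour offsets from UTC-12 to UTC+14; return (offset, score).

    Ties are broken toward the offset closest to UTC so the result is deterministic."""
    scores = {off: working_hour_fraction(stamps, off) for off in range(-12, 15)}
    best = max(scores, key=lambda off: (scores[off], -abs(off)))
    return best, scores[best]


def hourly_histogram(stamps, offset_hours: int) -> Counter:
    """Commands per local hour after shifting; a lunch gap or quiet evenings show up here."""
    return Counter((t.hour + offset_hours) % 24 for t in stamps)


if __name__ == "__main__":
    data = build_sample_timestamps()
    offset, score = best_utc_offset(data)
    print(f"best fit: UTC{offset:+d} ({score:.1%} of commands in working hours)")
    hist = hourly_histogram(data, offset)
    for hour in range(24):
        print(f"{hour:02d}:00 {'#' * hist.get(hour, 0)}")
```

On the constructed data the scan settles on UTC+8 with roughly 89% of commands inside the working window (the evening command on each day is the remainder), and the histogram at that offset shows the empty 12:00 hour. With real message history the same functions take the timestamps straight from the exported Slack or Discord messages; a flat histogram at every offset would instead suggest automation or a distributed team rather than a single operator's working day.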

ESET telemetry data indicates that GopherWhisper compromised 12 systems in a Mongolian government institution, but analysis of the Discord and Slack C2 traffic revealed that there are "dozens of other victims," although researchers lack visibility into their geography and activity sectors.

A set of GopherWhisper indicators of compromise (IoCs) is available from ESET to help defenders identify and block attacks from the new threat cluster.
