A New APT Exposed by Its Own Hardcoded Credentials
A China-aligned threat group called GopherWhisper has been targeting Mongolian government systems with a full suite of Go-based malware that communicates through Discord, Slack, and Microsoft 365 Outlook [1]. The group came to light in January 2025, when ESET researchers found the LaxGopher backdoor [1]. In an unusual twist, ESET Research was able to extract thousands of the attackers' own command-and-control messages because the operators hardcoded credentials directly into their backdoors [4]. The result is one of the more transparent views into an active APT operation that researchers have published in recent memory.
ESET telemetry indicates approximately 12 systems at a Mongolian governmental institution were compromised [5]. ESET retrieved thousands of Slack and Discord messages, with analysis suggesting the group has been active since at least November 2023 [1][4]. Timestamp analysis across both platforms showed activity concentrated during UTC+8 business hours (roughly 8am to 5pm), consistent with China Standard Time [1][3]. Slack metadata from the attacker accounts revealed locale configuration aligned with China Standard Time [2].
Who Is GopherWhisper?
ESET assigned GopherWhisper as a brand-new group designation. Researchers found no code similarities, TTP overlaps, or targeting patterns that matched any previously documented APT cluster [2]. This is significant: the China-nexus threat ecosystem is well-cataloged, and a novel entrant suggests either a new operational unit or a team that has successfully avoided detection for years.
The group's name reflects its two defining characteristics. Nearly all of its custom malware is written in Go (whose mascot is the gopher), and it communicates through legitimate messaging platforms, whispering commands through channels that blend into normal enterprise traffic [1].
ESET attributes GopherWhisper to China based on the UTC+8 activity window, locale settings, and targeting of Mongolia (a country of persistent strategic interest to Beijing), though researchers stopped short of attributing the group to a specific Chinese intelligence entity [1][2][3].
The Toolset: A Full Arsenal in Go (and One C++ Outlier)
GopherWhisper deploys a modular malware toolkit. Each component handles a distinct function, and each uses a different legitimate service for communication [1].
LaxGopher is the primary backdoor for Slack-based C2. It receives commands through Slack messages and executes them via cmd.exe on the compromised host. The injector component, JabGopher, uses reflective DLL injection to load LaxGopher.dll into the memory space of svchost.exe, avoiding disk-based detection [1][7].
RatGopher serves the same backdoor function but communicates over Discord instead of Slack [1].
BoxOfFriends is the most sophisticated of the three backdoor variants. It uses Microsoft's Graph API to communicate through Outlook, with attacker-controlled Outlook accounts serving as mailboxes for command delivery. The earliest Outlook account linked to BoxOfFriends, barrantaya.1010@outlook.com, was created on July 11, 2024 [5]. A loader DLL called FriendDelivery handles deployment of BoxOfFriends [1].
CompactGopher handles data theft. It searches compromised systems for files matching specific extensions (.doc, .docx, .jpg, .xls, .xlsx, .txt, .pdf, .ppt, .pptx), compresses them into ZIP archives, encrypts them with AES-CFB-128, and exfiltrates them to the file.io file-sharing service [5][6]. The file.io service requires no registration and automatically deletes files after 14 days or after the first download, providing built-in evidence destruction [6].
SSLORDoor is the toolkit's lone C++ component. It operates as a backdoor communicating over OpenSSL on port 443, and it attempts to delete a file named kdshvfjdjs.dll as part of its cleanup routine [1].
DLL side-loading is a recurring technique. The component whisper.dll appears as a side-loaded library across multiple infection chains [1].
How the Kill Chain Works
GopherWhisper's infection chain follows a consistent pattern across observed intrusions:
- Initial access is established through means ESET did not fully detail in the public report, though the malware's design assumes it lands on systems where Slack, Discord, or Outlook clients are present [1].
- Persistence and injection rely on DLL side-loading (T1574.001) and reflective code loading (T1620). JabGopher injects LaxGopher.dll into svchost.exe using reflective DLL injection, keeping the payload entirely in memory [7][1].
- C2 communication flows through whichever legitimate service the deployed backdoor is configured to use. LaxGopher polls Slack channels. RatGopher monitors Discord. BoxOfFriends queries Outlook mailboxes via Graph API [1].
- Command execution happens through Windows Command Shell (cmd.exe), with output routed back through the same legitimate service channel [1].
- Collection and exfiltration are handled by CompactGopher, which targets documents and images, archives them, encrypts the archives, and uploads them to file.io [5][6].
The OpSec Failure That Opened the Door
GopherWhisper's most significant operational mistake was embedding credentials directly in their compiled malware. ESET researchers used those hardcoded tokens to access the attackers' Slack and Discord accounts, pulling down the full message history of C2 communications [4]. The operators also reused development platforms for live operations without clearing logs, giving researchers visibility into the group's development timeline and testing patterns [3].
This kind of access is rare. It allowed ESET to reconstruct not just what commands were sent, but when, how frequently, and in what patterns. The thousands of combined messages across both platforms represent an unusually rich dataset for threat intelligence analysis [1][4].
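The page describes the tokens ESET recovered from GopherWhisper's compiled backdoors; the script below is an added example for this write-up (not ESET's tooling) of the triage step an analyst performs on a sample to surface such embedded credentials so they can be reported, revoked and used to pivot on attacker infrastructure. It assumes the raw bytes of the sample are in hand; SAMPLE is a constructed blob whose placeholder strings only follow the public token formats, and the regular expressions are approximations of those formats, an assumption here rather than an authoritative specification.

```python
"""Triage a sample for hardcoded messaging-platform credentials.

Added example for this write-up; not ESET's tooling. Assumes the analyst has the
sample's raw bytes. SAMPLE is constructed: the "secrets" are placeholders that
only follow the public token formats, and the regexes approximate those formats.
"""
import re

# Slack API tokens start with "xox", a one-letter type, then a dash.
SLACK_TOKEN = re.compile(rb"xox[abprs]-[0-9A-Za-z-]{10,}")
# Discord bot tokens are three dot-separated base64url segments.
DISCORD_TOKEN = re.compile(
    rb"[A-Za-z0-9_-]{23,28}\.[A-Za-z0-9_-]{6,7}\.[A-Za-z0-9_-]{27,}")
# Incoming-webhook URLs for either platform also grant a channel to post into.
WEBHOOK_URL = re.compile(
    rb"https://(?:hooks\.slack\.com/services/[A-Za-z0-9/]+"
    rb"|discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_-]+)")

PATTERNS = (("slack_token", SLACK_TOKEN),
            ("discord_token", DISCORD_TOKEN),
            ("webhook_url", WEBHOOK_URL))

# Constructed sample: a few bytes of fake binary header, then placeholder secrets.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16 +
    b"Go build ID: \"placeholder\"\x00"
    b"xoxb-PLACEHOLDER-0000000000-aaaaaaaaaaaa\x00"
    b"unrelated xox-not-a-token string\x00"
    b"MTAwMDAwMDAwMDAwMDAwMDAw.AAAAAA.PLACEHOLDER_token_body_0000000000000\x00"
    b"https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_webhook_0000\x00"
)


def redact(token: bytes) -> str:
    """Keep enough to recognise the token type without reproducing the secret."""
    s = token.decode("ascii", "replace")
    return s[:8] + "..." + s[-4:]


def scan_blob(data: bytes):
    """Return [(label, offset, redacted_match)] for every pattern hit, sorted by offset."""
    findings = []
    for label, pat in PATTERNS:
        for m in pat.finditer(data):
            findings.append((label, m.start(), redact(m.group())))
    return sorted(findings, key=lambda f: f[1])


def scan_file(path: str):
    """Convenience wrapper for a sample on disk."""
    with open(path, "rb") as fh:
        return scan_blob(fh.read())


if __name__ == "__main__":
    for label, off, shown in scan_blob(SAMPLE):
        print(f"{label:14s} @0x{off:06x} {shown}")
```

One caveat specific to Go binaries: string data is stored as one contiguous, unterminated blob, so a greedy character class can run past the end of a token into the neighbouring string. Treat each hit as a candidate, trim it against the platform's documented format, and hand the confirmed token to the platform's abuse team and your threat-intelligence pipeline rather than using it yourself.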
IOC Table
| Type | Value | Context |
|---|---|---|
| Malware | LaxGopher | Go-based Slack C2 backdoor [1] |
| Malware | RatGopher | Go-based Discord C2 backdoor [1] |
| Malware | BoxOfFriends | Go-based Outlook/Graph API C2 backdoor [1] |
| Malware | CompactGopher | Go-based exfiltration tool targeting documents [1] |
| Malware | JabGopher | Injector for LaxGopher [1] |
| Malware | SSLORDoor | C++ backdoor using OpenSSL on port 443 [1] |
| Malware | FriendDelivery | Loader DLL for BoxOfFriends [1] |
| Filename | whisper.dll | Side-loaded component [1] |
| Filename | kdshvfjdjs.dll | File SSLORDoor attempts to delete [1] |
| Filename | LaxGopher.dll | Payload loaded via reflective DLL injection into svchost.exe [7] |
| URL | file.io | File-sharing service used for exfiltration [1][5] |
Note: ESET's full IOC set, including file hashes, is published on their GitHub repository [6]. Defenders should pull the complete list from that primary source.
MITRE ATT&CK Mapping
| Technique ID | Name | GopherWhisper Usage |
|---|---|---|
| T1574.001 | DLL Side-Loading | whisper.dll side-loading across infection chains [1] |
| T1055.001 | Process Injection: Dynamic-link Library Injection | JabGopher injects LaxGopher.dll into svchost.exe [1][7] |
| T1620 | Reflective Code Loading | LaxGopher.dll loaded reflectively into memory [7] |
| T1059.003 | Windows Command Shell | cmd.exe spawned for command execution via Slack C2 [1] |
| T1071.003 | Application Layer Protocol: Mail Protocols | BoxOfFriends uses Outlook/Graph API for C2 [1] |
| T1083 | File and Directory Discovery | CompactGopher scans for target file extensions [5] |
| T1005 | Data from Local System | Document and image collection from local drives [5] |
| T1560 | Archive Collected Data | Files compressed into encrypted ZIP archives [5] |
| T1041 | Exfiltration Over C2 Channel | Data exfiltrated via file.io [6] |
| T1027 | Obfuscated Files or Information | AES-CFB-128 encryption of exfiltrated archives [5] |
Detection and Hunting
Network-level detection is inherently difficult because all C2 traffic rides on legitimate HTTPS connections to Slack, Discord, Microsoft Graph API, and file.io [1]. Standard domain blocklists won't help unless your organization doesn't use these services. That said, there are practical approaches:
Slack and Discord API monitoring: Look for API calls to Slack or Discord originating from processes that shouldn't be making them, particularly svchost.exe. A SIEM query filtering for svchost.exe establishing outbound connections to discord.com, slack.com, or graph.microsoft.com is a strong starting point.
DLL side-loading indicators: Hunt for whisper.dll being loaded by unexpected parent processes. Monitor for DLL loads from non-standard directories, especially temporary or user-writable paths.
file.io uploads: Any outbound traffic to file.io from corporate endpoints warrants investigation. Most legitimate business workflows don't use ephemeral file-sharing services. A simple proxy or DNS log query for file.io connections can surface this quickly.
Process injection into svchost.exe: Monitor for unusual DLL loads into svchost.exe instances, particularly reflective loading patterns where the DLL doesn't appear on disk. EDR tools with memory scanning capabilities (such as those with YARA memory rules) are effective here.
Timing analysis: GopherWhisper's operators are consistent about working hours. C2 traffic to messaging platforms that clusters between 8:00am and 10:00pm CST on weekdays, particularly from government or critical infrastructure networks, should receive extra scrutiny [4].
Sigma rules for GopherWhisper behavioral patterns are available through SOC Prime [7].
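The hunts described above (system processes reaching messaging APIs, any contact with file.io, and an operator schedule that clusters in UTC+8 business hours) can be combined into one pass over endpoint network telemetry. The script below is an added example for this write-up, not ESET's or SOC Prime's detection logic. It assumes process network-connection events (Sysmon Event ID 3 or an EDR equivalent) have already been normalised to dicts carrying a UTC timestamp, the initiating process image and the destination hostname; SAMPLE_EVENTS is constructed for illustration, and the allow-list of expected client binaries is an assumption you would tune to your estate.

```python
"""Hunt for GopherWhisper-style C2 and exfiltration patterns in connection telemetry.

Added example for this write-up (not ESET's or SOC Prime's rules). Assumes
Sysmon Event ID 3-style records normalised to dicts; SAMPLE_EVENTS is constructed.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Services the write-up names as GopherWhisper C2 channels and its exfil drop.
MESSAGING_DOMAINS = {"slack.com", "discord.com", "graph.microsoft.com"}
EXFIL_DOMAINS = {"file.io"}
# Windows service hosts that have no business talking to chat or file-sharing
# APIs; svchost.exe is the process JabGopher injects LaxGopher.dll into.
SYSTEM_IMAGES = {"svchost.exe", "lsass.exe", "spoolsv.exe", "dllhost.exe"}
# Client binaries for which these destinations are expected (assumed allow-list).
EXPECTED_IMAGES = {"slack.exe", "discord.exe", "outlook.exe", "teams.exe",
                   "chrome.exe", "msedge.exe", "firefox.exe"}
UTC_PLUS_8 = timezone(timedelta(hours=8))  # China Standard Time

# Constructed sample telemetry; timestamps are UTC.
SAMPLE_EVENTS = [
    {"utc_time": "2024-11-12T01:15:03", "image": r"C:\Windows\System32\svchost.exe", "dest_host": "slack.com"},
    {"utc_time": "2024-11-12T03:40:11", "image": r"C:\Windows\System32\svchost.exe", "dest_host": "discord.com"},
    {"utc_time": "2024-11-12T06:11:09", "image": r"C:\Windows\System32\svchost.exe", "dest_host": "file.io"},
    {"utc_time": "2024-11-12T07:02:45", "image": r"C:\Windows\System32\svchost.exe", "dest_host": "graph.microsoft.com"},
    {"utc_time": "2024-11-12T08:30:00", "image": r"C:\Users\alice\AppData\Local\slack\slack.exe", "dest_host": "slack.com"},
    {"utc_time": "2024-11-12T16:45:00", "image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "dest_host": "api.slack.com"},
]


def domain_matches(host, domains):
    """True when host is one of `domains` or a subdomain of one (not a lookalike suffix)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(event):
    """Return finding labels for one connection event; an empty list means benign."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    host = event["dest_host"]
    findings = []
    if domain_matches(host, EXFIL_DOMAINS):
        # Any contact with an ephemeral file-sharing service warrants a look.
        findings.append("exfil_service")
    if domain_matches(host, MESSAGING_DOMAINS):
        if image in SYSTEM_IMAGES:
            findings.append("system_process_to_messaging_api")
        elif image not in EXPECTED_IMAGES:
            findings.append("unexpected_process_to_messaging_api")
    return findings


def hunt(events):
    """Return (alerts, histogram of alert hours converted to UTC+8)."""
    alerts = []
    hours = Counter()
    for ev in events:
        labels = classify(ev)
        if not labels:
            continue
        ts = datetime.fromisoformat(ev["utc_time"]).replace(tzinfo=timezone.utc)
        local = ts.astimezone(UTC_PLUS_8)
        hours[local.hour] += 1
        alerts.append({"local_time": local.isoformat(), "image": ev["image"],
                       "dest_host": ev["dest_host"], "labels": labels})
    return alerts, hours


def business_hours_share(hours, start=8, end=17):
    """Fraction of alerts in [start, end) local hours; a value near 1.0 suggests a human-driven operator schedule."""
    total = sum(hours.values())
    if total == 0:
        return 0.0
    inside = sum(n for h, n in hours.items() if start <= h < end)
    return inside / total


if __name__ == "__main__":
    found, hist = hunt(SAMPLE_EVENTS)
    for a in found:
        print(a["local_time"], a["image"], "->", a["dest_host"], a["labels"])
    print("share in UTC+8 business hours:", business_hours_share(hist))
```

The timing score is a corroborating signal, not a detection on its own: a single alert says nothing about schedule, and the 8:00 to 17:00 window is a parameter you adjust to the working-hours pattern you observe. The per-event labels are the part to wire into a SIEM rule; the histogram belongs in the analyst's case notes when assessing whether a cluster of alerts is one operator.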
Analysis
GopherWhisper's approach reflects a broader trend among Chinese APT operators: abusing legitimate cloud services to make C2 traffic indistinguishable from normal business communications. This isn't new conceptually (APT41, Mustang Panda, and others have used similar techniques), but GopherWhisper's implementation is notably comprehensive. Having separate backdoors for Slack, Discord, and Outlook gives the operators redundancy. Blocking one channel doesn't sever access.
The targeting of Mongolia aligns with known Chinese intelligence priorities. Mongolia's geographic position between Russia and China, its mineral wealth, and its diplomatic relationships make it a persistent collection target for Beijing. The focus on a single governmental institution with approximately 12 compromised systems suggests a targeted intelligence-gathering operation rather than broad espionage.
The Go language choice is deliberate. Go binaries are large and harder to reverse-engineer than their C/C++ equivalents. They also cross-compile easily, giving the developers flexibility for future targeting of Linux or macOS systems, though all observed activity so far targets Windows [1].
Red Sheep Assessment
Confidence: Moderate
GopherWhisper's operational security is a study in contradictions. On one hand, they built a modular, multi-channel C2 framework using legitimate services, which is genuinely difficult to detect at the network level. On the other hand, they hardcoded credentials into their malware binaries, provided researchers with thousands of C2 messages, and left development artifacts in production environments. This gap between sophisticated design and careless implementation suggests a team with strong developers but weak operational discipline.
The absence of code overlap with known Chinese APT groups deserves scrutiny. Two possibilities stand out. First, GopherWhisper could be a new unit, possibly a contractor or academic group brought into the intelligence apparatus without inheriting tooling from established teams. Second, the group may have deliberately built a clean toolkit precisely to avoid the kind of cross-group attribution that has burned other Chinese operations.
The focus on Mongolia also raises a question about scope. ESET's visibility is limited to what they discovered. A group that built this level of tooling for a single Mongolian government target seems like a disproportionate investment. We assess that GopherWhisper likely has additional victims that haven't been identified yet, potentially in other Central Asian states or in sectors beyond government.
The hardcoded credential mistake is the kind of error that gets fixed once it's publicly disclosed. Future GopherWhisper operations will almost certainly implement dynamic credential retrieval, making the kind of intelligence windfall ESET achieved here a one-time event. Defenders should extract maximum value from the published IOCs and behavioral patterns now, before the group adapts.
Defender's Checklist
- [ ] Hunt for file.io connections: Query DNS and proxy logs for any connections to file.io from corporate endpoints. Example: `index=proxy dest_domain="file.io"` or `index=dns query="file.io"`. Legitimate use of this service in enterprise environments is rare.
- [ ] Monitor svchost.exe for anomalous DLL loads: Deploy or tune EDR rules to flag DLL injection into svchost.exe, particularly reflective loads where no corresponding file exists on disk. Look specifically for LaxGopher.dll and whisper.dll [1][7].
- [ ] Audit Slack/Discord/Graph API traffic by source process: Create detection rules for Slack, Discord, or Microsoft Graph API traffic originating from system processes (especially svchost.exe) rather than the expected application binaries.
- [ ] Pull ESET's full IOC list from their GitHub repository and ingest into your threat intelligence platform. The published research includes indicators beyond what's listed here [6].
- [ ] Review DLL side-loading exposure: Scan for the presence of whisper.dll or kdshvfjdjs.dll on endpoints. Use file-name searches across your EDR fleet: these filenames are distinctive enough to serve as high-fidelity indicators [1].
References
- GopherWhisper: A burrow full of malware - ESET Research
- China-Linked APT GopherWhisper Abuses Legitimate Services in Government Attacks - SecurityWeek
- GopherWhisper: new China-linked APT targets Mongolia with Go-based malware - Security Affairs
- New GopherWhisper APT group abuses Outlook, Slack, Discord for comms - BleepingComputer
- China-Linked GopherWhisper Infects 12 Mongolian Government Systems with Go Backdoors - The Hacker News
- ESET Research White Paper: GopherWhisper
- ESET Research GopherWhisper Detection Rules - SOC Prime