GopherWhisper: A burrow full of malware
Essential information
- Published
- 23/04/2026 16:37
- Modified
- 27/04/2026 14:45
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- boxoffriends china-aligned apt frienddelivery go-based backdoors gopherwhisper jabgopher laxgopher ratgopher
- Related entities
- 9 indicators, 9 observables, 1 intrusion set (apt), 20 techniques (mitre), 7 malware, 2 others
Description
ESET researchers discovered a previously undocumented China-aligned APT group, named GopherWhisper, that targeted a governmental entity in Mongolia. The group uses a diverse arsenal of custom tools, predominantly written in Go: the backdoors LaxGopher, RatGopher and BoxOfFriends, the injector JabGopher, the exfiltration tool CompactGopher, the loader FriendDelivery, and a C++ backdoor, SSLORDoor. The operators abuse legitimate services, including Discord, Slack, Microsoft 365 Outlook and file.io, for command-and-control communications and data exfiltration. By extracting thousands of messages from the compromised Slack and Discord channels, the researchers gained insight into the group's internal operations and post-compromise activity. Timestamp analysis of those messages shows the operators active during UTC+8 business hours, consistent with China Standard Time, which supports the China-aligned attribution.
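The working-hours inference mentioned above is a standard attribution technique: message timestamps (which chat platforms store in UTC; Slack's "ts" field, for instance, is epoch seconds) are shifted through every candidate UTC offset, and the offset under which activity best fits a normal working day is the operators' likely local time zone. The following Python is an added example written for this page, not ESET's tooling or data: the timestamps are constructed so that activity sits at 01:00-09:00 UTC on weekdays, and the scoring function (mean squared circular distance of each message's local hour from the middle of a 09:00-18:00 day) is one reasonable choice among several.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone


def build_sample():
    """Constructed sample, not data from the report: five weekdays of
    messages at 01:30-09:30 UTC, i.e. 09:30-17:30 at UTC+8."""
    base = datetime(2026, 3, 2, tzinfo=timezone.utc)  # a Monday
    out = []
    for day in range(5):            # Mon-Fri
        for hour in range(1, 10):   # 01:30 .. 09:30 UTC
            dt = base + timedelta(days=day, hours=hour, minutes=30)
            out.append(dt.strftime("%Y-%m-%dT%H:%M:%SZ"))
    return out


def parse_utc(ts):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def local_times(timestamps, offset_hours):
    """Shift every UTC timestamp into the candidate zone UTC+offset_hours."""
    tz = timezone(timedelta(hours=offset_hours))
    return [parse_utc(t).astimezone(tz) for t in timestamps]


def business_hour_score(timestamps, offset_hours, day_center=13.5):
    """Mean squared circular distance (hours) between each message's local
    hour-of-day and the middle of a 09:00-18:00 working day. Lower is better.
    The circular distance keeps 23:30 and 00:30 close to each other."""
    total = 0.0
    for dt in local_times(timestamps, offset_hours):
        hour = dt.hour + dt.minute / 60
        dist = abs(hour - day_center)
        dist = min(dist, 24 - dist)
        total += dist * dist
    return total / len(timestamps)


def weekend_fraction(timestamps, offset_hours):
    """Share of messages that land on Saturday/Sunday in the candidate zone;
    a second, independent signal that a correct offset should keep low."""
    local = local_times(timestamps, offset_hours)
    return sum(1 for dt in local if dt.weekday() >= 5) / len(local)


def hour_histogram(timestamps, offset_hours):
    """Local hour-of-day histogram, the chart an analyst would actually eyeball."""
    return Counter(dt.hour for dt in local_times(timestamps, offset_hours))


def infer_operator_offset(timestamps, candidates=range(-12, 15)):
    """Return the UTC offset whose local clock best fits business hours.
    Ties are broken toward the smaller absolute offset (an arbitrary choice)."""
    return min(candidates,
               key=lambda o: (business_hour_score(timestamps, o), abs(o)))


if __name__ == "__main__":
    sample = build_sample()
    best = infer_operator_offset(sample)
    print(f"best-fit offset: UTC{best:+d}")
    print(f"weekend fraction at UTC{best:+d}: {weekend_fraction(sample, best):.2f}")
    for hour, count in sorted(hour_histogram(sample, best).items()):
        print(f"{hour:02d}:00  {'#' * count}")
```

Two caveats a practitioner should keep in mind when applying this to real channel exports: several countries share UTC+8, so the result narrows the region rather than naming a country on its own, and automated traffic (bot posts, scheduled beacons) must be filtered out first or it will flatten the histogram.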