GOPHERWHISPER is a newly identified China-aligned APT group, named by ESET researchers, that targets Mongolian government institutions with a Go-based malware toolkit. The toolkit consists of loaders and backdoors written mainly in Go; the backdoors it deploys include JabGopher, LaxGopher, CompactGopher, RatGopher, and SSLORDoor, which are used to maintain access to and control over compromised hosts.
For command-and-control and data exfiltration, the group reportedly abuses legitimate services, including Discord, Slack, Outlook and file[.]io: the researchers recovered C&C messages in Slack and Discord channels and in draft Outlook emails (drafts are never sent, so this traffic does not pass through the mail gateway). ESET notes that LaxGopher injects into svchost.exe, that the BoxOfFriends loader communicates via the Microsoft 365 Outlook APIs, and that FriendDelivery is a second loader in the toolkit.
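The report's practical lesson for defenders is that the C2 endpoints here are domains most organisations allow outright, so the useful signal is which process is talking to them rather than the destination itself. The following is an added detection example, not code from ESET or from the GOPHERWHISPER toolkit: it scans constructed endpoint network-connection records and flags processes other than the expected clients (the Slack/Discord desktop apps, Outlook, browsers) that reach the services named above, with a special note for svchost.exe, the LaxGopher injection target. The log format, the domain patterns for each service (public API endpoints, not indicators from the report; the assumption that the Outlook draft channel goes through graph.microsoft.com or the Outlook REST hosts is mine) and the expected-client lists are all assumptions to tune per environment.

```python
"""Added example: flag unexpected processes reaching collaboration / file-sharing
services that GOPHERWHISPER abuses for C2. Not ESET's code; log format, domain
patterns, sample lines and client allow-lists are constructed assumptions."""
from dataclasses import dataclass
import re

# Services the report names as C2/exfiltration channels, mapped to regexes for
# their public endpoints. ASSUMPTION: these are the normal service domains, not
# indicators published in the report.
ABUSED_SERVICE_DOMAINS = {
    "slack":   (r"(^|\.)slack\.com$",),
    "discord": (r"(^|\.)discord\.com$", r"(^|\.)discordapp\.com$"),
    "outlook": (r"(^|\.)graph\.microsoft\.com$",
                r"(^|\.)outlook\.office\.com$",
                r"(^|\.)outlook\.office365\.com$"),
    "file.io": (r"(^|\.)file\.io$",),
}

# Processes expected to talk to each service (ASSUMPTION: tune per fleet).
EXPECTED_CLIENTS = {
    "slack": {"slack.exe"},
    "discord": {"discord.exe"},
    "outlook": {"outlook.exe"},
    "file.io": set(),           # no desktop client; browsers cover legit use
}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass
class NetEvent:
    ts: str
    host: str
    pid: int
    image: str   # process image file name, lower-cased, path stripped
    dest: str    # destination host name (from SNI, DNS or proxy logs)


# Constructed record layout: "<ts> host=<h> pid=<n> image=<path> dest=<fqdn>"
LINE_RE = re.compile(r"^(\S+) host=(\S+) pid=(\d+) image=(\S+) dest=(\S+)$")


def parse_line(line):
    """Parse one record; return None for blank or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, pid, image, dest = m.groups()
    image = image.rsplit("\\", 1)[-1].lower()      # keep only the file name
    return NetEvent(ts, host, int(pid), image, dest.lower().rstrip("."))


def classify_dest(dest):
    """Return the abused-service label for a destination, or None."""
    for svc, patterns in ABUSED_SERVICE_DOMAINS.items():
        if any(re.search(p, dest) for p in patterns):
            return svc
    return None


def is_suspicious(ev):
    """Return an alert reason when an unexpected process reaches an abused
    service, None otherwise."""
    svc = classify_dest(ev.dest)
    if svc is None:
        return None
    if ev.image in BROWSERS or ev.image in EXPECTED_CLIENTS[svc]:
        return None
    reason = f"{ev.image} (pid {ev.pid}) reached {svc} endpoint {ev.dest}"
    if ev.image == "svchost.exe":
        reason += "; svchost.exe is a LaxGopher injection target per the report"
    return reason


def scan(lines):
    """Run the check over an iterable of log lines; return (host, ts, reason)."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        reason = is_suspicious(ev)
        if reason:
            alerts.append((ev.host, ev.ts, reason))
    return alerts


# Constructed sample records: three should alert, four should not.
SAMPLE_LOG = r"""
2025-01-14T09:02:11Z host=WS-017 pid=1288 image=C:\Windows\System32\svchost.exe dest=api.slack.com
2025-01-14T09:02:40Z host=WS-017 pid=4410 image=C:\Users\u\AppData\Local\slack\app\slack.exe dest=api.slack.com
2025-01-14T09:03:05Z host=WS-021 pid=3021 image=C:\Program Files\chrome.exe dest=discord.com
2025-01-14T09:03:09Z host=WS-021 pid=5162 image=C:\Windows\System32\notepad.exe dest=graph.microsoft.com
2025-01-14T09:04:00Z host=WS-017 pid=1288 image=C:\Windows\System32\svchost.exe dest=update.microsoft.com
2025-01-14T09:05:33Z host=WS-030 pid=7780 image=C:\Windows\System32\curl.exe dest=file.io
2025-01-14T09:06:12Z host=WS-030 pid=2200 image=C:\Program Files\outlook.exe dest=outlook.office.com
"""

if __name__ == "__main__":
    for host, ts, reason in scan(SAMPLE_LOG.splitlines()):
        print(f"[{ts}] {host}: {reason}")
```

The allow-list approach deliberately ignores destination reputation: api.slack.com is benign by any feed, which is exactly why the group chose it. Feed the scan function the process-to-destination pairs your EDR or proxy already records (Sysmon event 3 plus a DNS or SNI source gives the same fields) and extend EXPECTED_CLIENTS for any integration that legitimately calls these APIs from a service account.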
The researchers found about 12 infected systems within a single Mongolian government entity, and the Slack and Discord traffic suggests dozens of further victims. Some components date back to July 2024, and LaxGopher was first discovered on a Mongolian system in January 2025, according to the report.