Dubbed GopherWhisper, the China‑linked APT is described by ESET as relying on legitimate services for command‑and‑control (C2) communication and data exfiltration, and has been active since at least November 2023. The group came to light in January 2025 after an investigation into a Go‑based backdoor on a Mongolian government system, with ESET noting several other backdoors, loaders and injectors associated with the same activity.
LaxGopher and RatGopher are among the tools used, with Slack for C2 in the former and Discord for the latter, while the BoxOfFriends Go backdoor communicates via the Microsoft Graph API using draft Outlook messages, and the FriendDelivery DLL injector loads it into memory. One injector, JabGopher, enables the backdoor to run inside svchost[.]exe, and CompactGopher can compress and send files to file[.]io.
Overall, ESET says the group infected roughly 12 systems in the Mongolian government organisation, and that dozens of other potential victims were likely targeted as well.
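As an added illustration, not code from ESET's report, the following Python hunting script flags the pattern described above: an unexpected process such as svchost.exe reaching the collaboration and file-sharing services these tools abuse. The service hostnames, the log format and the sample records are assumptions constructed for this example.

```python
import re

# Legitimate services the article reports GopherWhisper abusing, keyed to the
# tool using each; hostnames are assumptions, not indicators from ESET's report.
ABUSED_SERVICES = {
    "slack.com": "LaxGopher (Slack C2)",
    "discord.com": "RatGopher (Discord C2)",
    "graph.microsoft.com": "BoxOfFriends (Graph API / Outlook drafts)",
    "file.io": "CompactGopher (file exfiltration)",
}

# JabGopher runs the backdoor inside svchost.exe, which has no reason to talk
# to chat or file-sharing services; extend this set with your own baseline.
UNEXPECTED_PROCESSES = {"svchost.exe"}

# Constructed log format (assumption): "<host> <process> <dest_fqdn> <method> <path>"
LOG_RE = re.compile(r"^(?P<host>\S+)\s+(?P<proc>\S+)\s+(?P<dest>\S+)\s+(?P<method>\S+)\s+(?P<path>\S+)$")

def matches_service(dest):
    """Return the tool label if dest is (a subdomain of) an abused service, else None."""
    dest = dest.lower()
    for service, label in ABUSED_SERVICES.items():
        if dest == service or dest.endswith("." + service):
            return label
    return None

def analyze(lines):
    """Flag records where an unexpected process reaches an abused service."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        label = matches_service(m["dest"])
        if label is None or m["proc"].lower() not in UNEXPECTED_PROCESSES:
            continue
        # Draft-folder access via Graph is the BoxOfFriends channel described above.
        note = "draft-mailbox polling" if "/mailfolders/drafts" in m["path"].lower() else ""
        hits.append({"host": m["host"], "proc": m["proc"], "dest": m["dest"], "tool": label, "note": note})
    return hits

# Constructed sample records, not real telemetry.
SAMPLE_LOGS = [
    "ws01 svchost.exe graph.microsoft.com GET /v1.0/me/mailFolders/drafts/messages",
    "ws01 outlook.exe graph.microsoft.com GET /v1.0/me/messages",
    "ws02 svchost.exe discord.com POST /api/PLACEHOLDER",
    "ws03 chrome.exe app.slack.com GET /",
    "ws04 svchost.exe file.io POST /",
]
```

Running `analyze(SAMPLE_LOGS)` returns three hits (the svchost.exe records on ws01, ws02 and ws04) and leaves the Outlook and browser traffic to the same services unflagged.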