
GopherWhisper: China-Aligned APT Using Cloud Messaging C2 Against Mongolian Government

Overview

GopherWhisper is a China-aligned cyber-espionage group whose operational signature is the consistent use of legitimate cloud messaging and collaboration platforms as command-and-control infrastructure. Where most APT actors route C2 traffic through dedicated infrastructure (VPSes, compromised web servers, custom domain fronting), GopherWhisper’s implants communicate via Slack workspaces, Discord servers, Microsoft 365 mail API calls, and the file-sharing service file.io. The result is a group whose operational traffic is almost entirely indistinguishable from legitimate enterprise software use at the network layer; the distinguishing signals are on the host and in the cloud tenant’s own logs.

ESET researchers discovered GopherWhisper during an investigation that began in January 2025. The group was publicly disclosed in April 2026. Their primary targets are Mongolian government entities — ministries, diplomatic institutions, and government-adjacent organisations. Attribution to a China-aligned threat actor is assessed with moderate-to-high confidence based on tooling characteristics, targeting patterns, and operational timing consistent with Chinese intelligence collection interests in the Central Asian region.

Attribution and Geopolitical Context

Mongolia occupies a strategically important position between China and Russia. Its government manages a complex set of relationships: it depends economically on Chinese trade and investment while maintaining formal political non-alignment and pursuing a “Third Neighbour” policy of engagement with Western democracies. Mongolia is also a significant source of rare earth minerals and has a role in regional logistics that matters to Chinese strategic planning.

Chinese intelligence services have maintained persistent interest in Mongolian government communications, foreign policy positioning, and economic agreements — particularly those involving Western partners. GopherWhisper’s campaign pattern fits this collection priority: sustained access to government networks, low-noise operations designed for dwell time rather than disruptive action, and tooling optimised for detection avoidance in environments where perimeter-level monitoring may flag unusual outbound traffic.

Attribution indicators include:

  • Go-based malware tooling used by multiple China-nexus actors
  • Targeting consistent with Chinese intelligence collection priorities for Inner Asia
  • Operational timing aligned with Chinese business hours (UTC+8)
  • Use of cloud C2 techniques documented in other China-nexus campaigns
  • Code structure similarities with tooling from other Chinese espionage groups

GopherWhisper has not been formally linked to a specific Chinese intelligence service by any public government attribution. The group operates with a sophistication level consistent with state direction but does not exhibit the scale of operations associated with the largest PLA-affiliated APT groups.

Malware Ecosystem

GopherWhisper’s toolkit is built entirely in Go. The choice reflects a broader trend among sophisticated actors: Go cross-compiles to Windows, Linux and macOS from one code base, produces statically linked executables with no runtime dependencies (at the cost of large binaries), and its runtime and calling conventions are less familiar to analysts than those of C or .NET, which slows triage. It is not an obfuscation layer on its own, though: even a stripped Go binary keeps its package and function names in the pclntab and usually embeds its build information, which is exactly what makes Go tooling easy to fingerprint (see Detection Opportunities). The group has developed a modular implant family with distinct components for different operational phases.

LaxGopher

LaxGopher is the initial access implant — a lightweight backdoor used in the first stage of compromise. It establishes persistence on the victim system, performs basic reconnaissance (hostname, username, running processes, network configuration), and sends this initial telemetry to the C2 channel before awaiting further instructions. LaxGopher is designed for low-noise operation: it collects and transmits data in small batches, avoids aggressive persistence mechanisms that trigger EDR alerts, and uses cloud C2 channels that blend with legitimate traffic.

RatGopher

RatGopher is the primary remote access trojan deployed after initial access is established. It provides the attacker with a persistent interactive shell, file upload and download, screenshot capture, and keylogging. RatGopher communicates with operators through the Microsoft 365 Outlook mail API: outbound traffic is ordinary HTTPS to Microsoft endpoints (Microsoft retired the Outlook REST v2.0 endpoints in 2024 in favour of Microsoft Graph, so on current tenants the equivalent calls land on graph.microsoft.com), which makes the channel effectively invisible at the network perimeter. Even full TLS inspection only shows JSON mail-item operations; telling the implant apart from a mail client requires knowing which process and which OAuth client performed them.

The mail API C2 implementation is technically sophisticated. RatGopher authenticates to the API with an OAuth token obtained during the initial compromise phase, then uses the Drafts folder as a covert channel: the operator stores commands as draft messages, the implant reads them at polling intervals, executes them, and stores results as new draft messages. No mail is ever sent; the entire exchange stays in the Drafts folder, so it never appears in message trace or mail flow records. It is not log-free, however: where mailbox auditing covers the relay account, each draft create, read (MailItemsAccessed) and delete is recorded in the unified audit log together with the client application that performed it.

BoxOfFriends

BoxOfFriends is a data collection and staging implant. It searches target systems for documents matching interest criteria — Office documents, PDFs, emails, database exports — compresses them into encrypted archives, and uploads them to file.io, a legitimate file-sharing service with no account required for file upload. The group retrieves exfiltrated data by accessing the file.io download URL, which is communicated back through the implant’s primary C2 channel.

Using file.io for exfiltration is operationally effective: the service is widely used for legitimate file sharing, it is rarely on proxy block lists, and an upload is indistinguishable from legitimate file-sharing activity without content inspection. file.io also deletes files once they have been downloaded (after a single download by default) or when they expire, providing automatic cleanup that reduces forensic evidence of what was exfiltrated. The download key in the upload response therefore survives only in the implant’s C2 channel, and the staging archive survives on the host only until it is cleaned up; that archive and the file-access burst that produced it are the artefacts to look for.

JabGopher

JabGopher handles C2 via Slack and Discord. Rather than building custom infrastructure, the group created dedicated Slack workspaces and Discord servers used exclusively for operator-to-implant communication. JabGopher polls a designated channel at configurable intervals, reads messages posted by the operator (formatted as structured JSON), and posts command output to a separate channel.

The legitimate API endpoints used by JabGopher (api.slack.com, discord.com/api) are trusted by enterprise firewalls at scale and are covered by platform TLS, so at the flow level the traffic looks like a developer’s Slack or Discord client. Detection therefore has to come from the host or from the TLS handshake: unexpected processes resolving or connecting to these hosts (Sysmon Event IDs 22 and 3), API calls from hosts where no collaboration software is installed, and a TLS client fingerprint (JA3/JA4) that matches Go’s crypto/tls rather than the Electron-based Slack and Discord desktop clients.

FriendDelivery

FriendDelivery is a dropper used to deliver and install other GopherWhisper components. It is typically the first executable dropped following initial access, responsible for downloading and executing the appropriate implant components from attacker-controlled infrastructure or cloud storage. FriendDelivery uses basic anti-analysis techniques including sleep calls designed to delay execution past sandbox timeouts and checks for virtualisation environment artefacts before running.

CompactGopher and SSLORDoor

CompactGopher is a compressed and obfuscated variant of the core implant used in environments where file size restrictions or signature-based detection make the standard implants less effective. SSLORDoor is a network tunnelling tool that creates encrypted tunnels between the compromised host and attacker infrastructure, used when the group needs to route additional tooling or data through an established foothold.

Tactics, Techniques, and Procedures

Initial Access: GopherWhisper’s documented initial access methods include spearphishing emails targeting Mongolian government employees with Mongolian-language lures. Documents are typically themed around government policy, diplomatic communications, or regional economic agreements, content plausible enough to be opened by the target recipient. Malicious macros or embedded OLE objects drop FriendDelivery, which executes the implant chain. Since Office began blocking macros in files from the internet by default (2022), the macro path works only where the Mark-of-the-Web is absent or the recipient clears it, which is one reason the OLE variant matters.

Persistence: The group uses scheduled tasks and Windows Registry run keys for persistence. LaxGopher and RatGopher both include multiple persistence mechanisms, attempting to establish both user-context and system-context persistence where privileges allow. The group avoids writing to unusual filesystem locations that trigger behavioural monitoring, preferring to masquerade in directories associated with legitimate software.

Defence Evasion: Cloud C2 is the primary defence evasion mechanism. By routing all communications through Microsoft 365, Slack, Discord, and file.io, the group eliminates the need for dedicated C2 infrastructure that could be identified and blocked. Process injection is used in some variants to execute implant code within the context of legitimate processes. Code signing with legitimate certificates has been observed in some samples.

Collection: BoxOfFriends automates collection of documents matching interest criteria. RatGopher supports manual collection via its interactive shell capability. The group’s collection priorities, based on observed targeting and exfiltration content, include diplomatic communications, trade and economic agreement documentation, and foreign policy positioning documents.

Exfiltration: file.io is the primary exfiltration channel. The group also uses the Microsoft OneDrive API for exfiltration in some campaigns, uploading to accounts controlled by the operator.

Cloud C2: Technical Detail

The use of cloud services for C2 predates GopherWhisper: APT29 (NOBELIUM) has used Dropbox and Google Drive, and other China-nexus groups have used OneDrive and GitHub. What distinguishes GopherWhisper is the breadth of platforms used in a single campaign and the sophistication of the Outlook drafts channel specifically.

The Outlook drafts C2 channel works as follows:

  1. During initial compromise, the implant captures or is provided an OAuth token with mail read/write permissions for a Microsoft 365 account — either a compromised target account used as a relay, or an operator-controlled account registered for this purpose.
  2. The operator creates draft messages in the relay mailbox’s Drafts folder with command instructions encoded as JSON in the message body.
  3. RatGopher polls the drafts folder at a configurable interval (observed intervals range from 3 to 15 minutes), reads new drafts, decodes the instruction, executes it, and writes output as a new draft in a response folder.
  4. The operator reads results from the response folder and deletes processed messages.

This approach produces no SMTP traffic, no sent items, and no received items, only Drafts folder API calls to legitimate Microsoft infrastructure. Whether defenders can inspect the channel depends on where the relay mailbox lives: if it is an operator-controlled account in a foreign tenant, the victim organisation sees nothing beyond the HTTPS flow, but if it is a compromised mailbox in the victim’s own tenant, administrators can read the Drafts folder through eDiscovery or the Graph API and pull the audit trail for the OAuth client that has been polling it.
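The four-step exchange above, and the audit trail it leaves, as an added example (not GopherWhisper code and not ESET’s analysis tooling). The mailbox is an in-memory stand-in for the Microsoft 365 mail API, the "executed" commands are a fixed lookup so nothing runs on the host, and the audit record shape (minute, client app, operation, folder) is an assumed simplification of what mailbox auditing records rather than the real schema. The detection at the end keys on the one thing the channel cannot hide: a mail client that polls Drafts on a steady cadence, creates items there, and never sends.

```python
import json
import statistics
from collections import defaultdict

TASK_FOLDER = "Drafts"             # operator writes command drafts here
RESULT_FOLDER = "Drafts/Results"   # implant writes output drafts here

# Constructed: what the simulated implant returns per command. Nothing executes.
SIMULATED_OUTPUT = {"hostname": "WS-FIN-07", "whoami": "GOV\\d.bat"}


class Mailbox:
    """In-memory stand-in for one mailbox behind the Microsoft 365 mail API.
    Every call is appended to `audit` as (minute, client_app, op, folder);
    this is an assumed simplification of mailbox-audit records."""

    def __init__(self):
        self.messages = {}     # id -> {"folder", "subject", "body"}
        self.audit = []
        self._next = 1

    def create(self, t, app, folder, subject, body):
        mid, self._next = self._next, self._next + 1
        self.messages[mid] = {"folder": folder, "subject": subject, "body": body}
        self.audit.append((t, app, "Create", folder))
        return mid

    def list_folder(self, t, app, folder):
        self.audit.append((t, app, "MailItemsAccessed", folder))
        return [(mid, m) for mid, m in self.messages.items() if m["folder"] == folder]

    def delete(self, t, app, mid):
        self.audit.append((t, app, "HardDelete", self.messages.pop(mid)["folder"]))

    def send(self, t, app, mid):
        self.messages[mid]["folder"] = "SentItems"
        self.audit.append((t, app, "Send", "SentItems"))


def operator_task(mb, t, app, cmd):
    """Operator side (step 2): queue a command as a JSON-bodied draft."""
    return mb.create(t, app, TASK_FOLDER, "task", json.dumps({"cmd": cmd}))


def operator_collect(mb, t, app):
    """Operator side (step 4): read result drafts, delete once processed."""
    out = []
    for mid, m in mb.list_folder(t, app, RESULT_FOLDER):
        out.append(json.loads(m["body"]))
        mb.delete(t, app, mid)
    return out


def implant_poll(mb, t, app):
    """Implant side (step 3): one poll. Consume task drafts, write results."""
    outputs = []
    for mid, m in mb.list_folder(t, app, TASK_FOLDER):
        if m["subject"] != "task":
            continue
        cmd = json.loads(m["body"])["cmd"]
        out = SIMULATED_OUTPUT.get(cmd, "unknown command")
        mb.delete(t, app, mid)                        # never run a task twice
        mb.create(t, app, RESULT_FOLDER, "result", json.dumps({"cmd": cmd, "out": out}))
        outputs.append(out)
    return outputs


def drafts_only_clients(audit, min_polls=3):
    """Flag client apps that repeatedly list a Drafts folder, create items
    under Drafts and never send anything."""
    stats = defaultdict(lambda: {"polls": [], "creates": 0, "sends": 0})
    for t, app, op, folder in audit:
        s = stats[app]
        if op == "MailItemsAccessed" and folder.startswith(TASK_FOLDER):
            s["polls"].append(t)
        elif op == "Create" and folder.startswith(TASK_FOLDER):
            s["creates"] += 1
        elif op == "Send":
            s["sends"] += 1
    flagged = {}
    for app, s in stats.items():
        if len(s["polls"]) < max(min_polls, 2) or s["sends"] or not s["creates"]:
            continue
        gaps = [b - a for a, b in zip(s["polls"], s["polls"][1:])]
        flagged[app] = {"polls": len(s["polls"]), "median_gap_min": statistics.median(gaps),
                        "gap_jitter": statistics.pstdev(gaps)}
    return flagged


def run_scenario():
    """One legitimate Outlook user plus the covert channel, then the detection."""
    mb = Mailbox()
    mid = mb.create(0, "outlook-desktop", "Drafts", "budget", "see attached")
    mb.send(2, "outlook-desktop", mid)                # a real client drafts, then sends
    operator_task(mb, 1, "operator-app", "hostname")
    outputs, collected = [], []
    for t in range(5, 30, 5):                          # implant polls every 5 minutes
        outputs += implant_poll(mb, t, "implant-app")
        if t == 10:
            operator_task(mb, 12, "operator-app", "whoami")
        if t in (5, 15, 25):
            collected += operator_collect(mb, t + 1, "operator-app")
    return {"outputs": outputs, "collected": collected,
            "sent_items": sum(m["folder"] == "SentItems" for m in mb.messages.values()),
            "flagged": drafts_only_clients(mb.audit)}
```

Both the implant and the operator client end up flagged, which is the point: if the relay mailbox is inside the victim tenant, the operator’s own polling of the results folder is just as visible as the implant’s. Only the relay-in-a-foreign-tenant variant escapes this view.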

Detection Opportunities

Despite the sophistication of the cloud C2 approach, GopherWhisper’s operations leave detectable artefacts:

Process-to-cloud-service API anomalies. RatGopher and JabGopher make API calls to Microsoft 365, Slack, Discord, and file.io from processes that should not be making these connections. A scripted process, a document reader, or an unusually named executable resolving or connecting to api.slack.com should be flagged. EDR or Sysmon telemetry (Event ID 22 DNS queries and Event ID 3 network connections, keyed on the originating image) showing unexpected processes reaching these API endpoints is the most reliable detection signal.

OAuth token creation and use. The Outlook drafts channel requires an OAuth token with mail read/write permissions. In Entra ID, restrict user consent so that only admin-approved or verified-publisher applications can obtain Mail.ReadWrite (this is governed by the app consent policy and admin consent workflow settings, not by Conditional Access), and alert on the audit-log events for consent grants and new service principals. Where the token is captured from an existing session rather than consented to, the sign-in logs still show it being redeemed by an unfamiliar client application or from an unexpected IP, and because Conditional Access is re-evaluated when a refresh token is redeemed, device-compliance or location conditions can cut a stolen token off at its next refresh.

Go binary indicators. GopherWhisper implants are compiled Go binaries. Go executables have a distinctive structure: they statically link the Go runtime, carry a build-info blob (magic string \xff Go buildinf:) with the compiler version and module list, keep a pclntab whose header magic identifies the Go release range, and retain package and function names (main.*, github.com/...) even after stripping. Binaries with these characteristics that are not part of known-good software are worth investigating; YARA rules keyed on the build-info magic and the pclntab header are cheap to deploy.
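A scanner for those three markers, as an added example (not ESET’s tooling, and the two byte blobs at the bottom are constructed stand-ins rather than real samples). It checks for the build-info magic, a well-formed pclntab header (magic, two zero bytes, then an instruction quantum of 1/2/4 and a pointer size of 4/8), a runtime version string, and Go-style symbol names; the pclntab magic-to-release mapping follows the Go toolchain’s own debug/gosym constants.

```python
import re
import struct

BUILDINFO_MAGIC = b"\xff Go buildinf:"     # header of the debug/buildinfo blob
# pclntab header magic (little-endian uint32) per Go release range.
PCLNTAB_MAGIC = {
    0xFFFFFFFB: "go1.2-1.15",
    0xFFFFFFFA: "go1.16-1.17",
    0xFFFFFFF0: "go1.18-1.19",
    0xFFFFFFF1: "go1.20+",
}
VERSION_RE = re.compile(rb"go1\.\d{1,2}(?:\.\d{1,3})?(?:rc\d|beta\d)?")
# main.func, main.(*T).Method, github.com/org/repo.(*T).Method
SYMBOL_RE = re.compile(
    rb"(?:main|github\.com/[\w.-]+/[\w.-]+)\.\(?\*?[A-Za-z_]\w*\)?(?:\.[A-Za-z_]\w*)?")


def find_pclntab(data: bytes):
    """Locate a pclntab header: magic, 0x0000, quantum (1/2/4), ptrsize (4/8)."""
    for magic, go_range in PCLNTAB_MAGIC.items():
        hdr = struct.pack("<I", magic) + b"\x00\x00"
        pos = data.find(hdr)
        while pos != -1 and pos + 8 <= len(data):
            quantum, ptrsize = data[pos + 6], data[pos + 7]
            if quantum in (1, 2, 4) and ptrsize in (4, 8):
                return {"offset": pos, "go_range": go_range, "ptrsize": ptrsize}
            pos = data.find(hdr, pos + 1)
    return None


def scan_go_indicators(data: bytes) -> dict:
    version = VERSION_RE.search(data)
    symbols = sorted({m.group().decode("ascii", "replace") for m in SYMBOL_RE.finditer(data)})
    result = {
        "buildinfo": BUILDINFO_MAGIC in data,
        "pclntab": find_pclntab(data),
        "version": version.group().decode() if version else None,
        "symbols": symbols[:20],
    }
    # Build info or a well-formed pclntab header is decisive; a version string
    # plus Go-style symbols is strong but can occur in files that merely embed them.
    result["is_go"] = bool(result["buildinfo"] or result["pclntab"] or (result["version"] and symbols))
    return result


# Constructed stand-ins, not real samples: a fake PE-like blob with all three
# markers, and a blob with none of them.
SAMPLE_GO = (
    b"MZ\x90\x00" + b"\x00" * 28
    + BUILDINFO_MAGIC + b"\x08\x02" + b"\x00" * 14 + b"go1.21.6" + b"\x00" * 8
    + struct.pack("<I", 0xFFFFFFF1) + b"\x00\x00\x01\x08" + b"\x00" * 8
    + b"main.main\x00main.beacon\x00github.com/example/c2lib.(*Client).Poll\x00"
)
SAMPLE_NOT_GO = b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\x00" * 2 + b".text\x00" * 8

if __name__ == "__main__":
    for name, blob in (("SAMPLE_GO", SAMPLE_GO), ("SAMPLE_NOT_GO", SAMPLE_NOT_GO)):
        print(name, scan_go_indicators(blob))
```

Run it over a directory of executables and triage anything that is Go-built, not inventoried, and talking to the cloud APIs listed above; the retained symbol names are usually enough to tell a Slack bot from a Slack-polling implant at a glance.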

Scheduled task creation by non-standard processes. Both LaxGopher and RatGopher establish persistence via scheduled tasks and Run keys. Monitor Sysmon Event ID 1 (process creation) for schtasks.exe spawned from unusual parents (Office applications, script hosts, executables under a user profile), Windows Security Event ID 4698 (scheduled task created) for the task definition itself, and Sysmon Event ID 13 (registry value set) for writes under the Run keys. The specific scheduled task names observed in GopherWhisper samples are documented in ESET’s disclosure.

BoxOfFriends file collection behaviour. Mass file access events targeting document extensions across multiple directories in a short window, followed by outbound HTTPS to file.io from the same process, is a detectable pattern when viewed as a behavioural sequence rather than as individual events. Sysmon does not record file reads, so the first half needs EDR file-access telemetry (or Windows object-access auditing) and the second half Sysmon Event ID 3 or 22.
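The three host-side detections above (process-to-cloud-API anomalies, schtasks from an unusual parent, and the document-read burst followed by file.io) as one added example run over constructed telemetry; this is not ESET’s detection content. Events use Sysmon field names for IDs 1, 3 and 22; the file-read records carry an assumed EventID of "file_read" because Sysmon has no such event and the EDR schema varies by vendor. The allow-lists are starting points to tune per estate, and the hostnames and paths in the sample are invented.

```python
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Images expected to talk to each cloud API host; anything else is the anomaly.
EXPECTED_CLIENTS = {
    "api.slack.com": {"slack.exe"},
    "discord.com": {"discord.exe"},
    "graph.microsoft.com": {"outlook.exe", "ms-teams.exe", "onedrive.exe"},
    "outlook.office.com": {"outlook.exe"},
    "file.io": set(),                       # no sanctioned client at all
}
TRUSTED_TASK_PARENTS = {"explorer.exe", "cmd.exe", "mmc.exe", "svchost.exe", "msiexec.exe"}
DOC_EXT = {".doc", ".docx", ".xlsx", ".pptx", ".pdf", ".pst", ".msg", ".csv", ".sql"}


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def base(path):
    return os.path.basename(path.replace("\\", "/")).lower()


def host_of(ev):
    return (ev.get("QueryName") or ev.get("DestinationHostname") or "").lower()


def matches(host, api_host):
    return host == api_host or host.endswith("." + api_host)


def cloud_api_anomalies(events):
    """Sysmon 22 (DNS) / 3 (network) to a cloud API host from an unexpected image."""
    alerts = []
    for ev in events:
        if ev["EventID"] in (3, 22):
            for api_host, ok in EXPECTED_CLIENTS.items():
                if matches(host_of(ev), api_host) and base(ev["Image"]) not in ok:
                    alerts.append((ev["UtcTime"], base(ev["Image"]), host_of(ev)))
    return alerts


def suspicious_schtasks(events):
    """Sysmon 1: schtasks.exe whose parent is not a trusted system binary.
    Known gap: winword -> cmd -> schtasks needs grandparent context to catch."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1 and base(ev["Image"]) == "schtasks.exe":
            parent = base(ev["ParentImage"])
            in_windows = ev["ParentImage"].lower().startswith("c:\\windows\\")
            if parent not in TRUSTED_TASK_PARENTS or not in_windows:
                alerts.append((ev["UtcTime"], parent, ev.get("CommandLine", "")))
    return alerts


def staging_then_fileio(events, read_window=timedelta(minutes=2), min_docs=10,
                        min_dirs=2, upload_window=timedelta(minutes=10)):
    """Burst of document reads by one process, then file.io from that process."""
    reads = defaultdict(list)                       # ProcessId -> [(time, dir)]
    for ev in events:
        if ev["EventID"] == "file_read" and os.path.splitext(ev["TargetFilename"])[1].lower() in DOC_EXT:
            d = os.path.dirname(ev["TargetFilename"].replace("\\", "/"))
            reads[ev["ProcessId"]].append((ts(ev["UtcTime"]), d))
    alerts = []
    for ev in events:
        if ev["EventID"] not in (3, 22) or not matches(host_of(ev), "file.io"):
            continue
        t_up = ts(ev["UtcTime"])
        recent = sorted((t, d) for t, d in reads[ev["ProcessId"]] if t_up - upload_window <= t <= t_up)
        for i, (t0, _) in enumerate(recent):        # any read_window-sized burst before the upload?
            burst = [d for t, d in recent[i:] if t - t0 <= read_window]
            if len(burst) >= min_docs and len(set(burst)) >= min_dirs:
                alerts.append((ev["UtcTime"], base(ev["Image"]), len(burst), len(set(burst))))
                break
    return alerts


def sample_events():
    """Constructed telemetry: two benign clients, then one implant-like process."""
    t0 = datetime(2026, 4, 2, 9, 14, 0)
    at = lambda sec: (t0 + timedelta(seconds=sec)).strftime("%Y-%m-%d %H:%M:%S")
    viewer = r"C:\Users\d.bat\AppData\Roaming\PDFViewer\pdfview.exe"
    office = r"C:\Program Files\Microsoft Office\root\Office16"
    events = [
        {"EventID": 22, "UtcTime": at(0), "Image": r"C:\Users\d.bat\AppData\Local\slack\slack.exe", "ProcessId": 4100, "QueryName": "api.slack.com"},
        {"EventID": 3, "UtcTime": at(1), "Image": office + r"\OUTLOOK.EXE", "ProcessId": 3200, "DestinationHostname": "outlook.office.com"},
        {"EventID": 22, "UtcTime": at(30), "Image": viewer, "ProcessId": 5120, "QueryName": "discord.com"},
        {"EventID": 1, "UtcTime": at(45), "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": office + r"\WINWORD.EXE",
         "ProcessId": 5300, "CommandLine": "schtasks /create /sc minute /mo 15 /tn Updater /tr " + viewer},
    ]
    dirs = [r"C:\Users\d.bat\Documents\Treaties", r"C:\Users\d.bat\Documents\Budget", r"S:\Shared\Policy"]
    for i in range(12):                             # 12 documents, 3 folders, 77 seconds
        events.append({"EventID": "file_read", "UtcTime": at(100 + 7 * i), "Image": viewer, "ProcessId": 5120,
                       "TargetFilename": f"{dirs[i % 3]}\\doc{i}.docx"})
    events.append({"EventID": 3, "UtcTime": at(400), "Image": viewer, "ProcessId": 5120, "DestinationHostname": "file.io"})
    return events


def run_all(events=None):
    events = events or sample_events()
    return {"cloud_api": cloud_api_anomalies(events),
            "schtasks": suspicious_schtasks(events),
            "staging": staging_then_fileio(events)}
```

The staging rule correlates on ProcessId, so a collector that reads in one process and hands off to another for upload will split the sequence; in that case join on the process tree (parent/child) instead, which the Sysmon EID 1 records provide.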

Current Status and Threat Assessment

GopherWhisper was assessed as an active threat as of ESET’s April 2026 disclosure. The public disclosure of their tooling and techniques will likely prompt infrastructure rotation and tooling updates — a pattern observed consistently after APT group disclosures. The group’s core operational approach (cloud messaging C2, Go tooling, Mongolian government targeting) is unlikely to change substantially, but specific indicators of compromise will become stale.

For organisations in Mongolia and for those with diplomatic or economic ties in Central Asia, GopherWhisper represents a persistent collection threat. For security teams in other regions, the group’s cloud C2 techniques represent a template that is increasingly common across the APT landscape; the defensive priority is detection based on behaviour (process-to-cloud-API anomalies, OAuth token misuse, a mail client that polls Drafts but never sends) rather than traditional IOC-based blocking.