ESET researchers have discovered a previously unknown advanced persistent threat (APT) group they track as GopherWhisper, conducting cyberespionage operations against governmental institutions in Mongolia.
The group, believed to be aligned with China, was first detected in January 2025 during an investigation of a compromised Mongolian government system, where analysts uncovered a novel backdoor, dubbed ‘LaxGopher.’
The attackers leverage Go-based malware, deploying a modular toolkit that includes injectors, loaders, and multiple backdoors. For initial access the threat actor uses JabGopher, an injector that launches a new svchost.exe process and injects the LaxGopher payload into its memory space. LaxGopher communicates with a private Slack workspace via embedded API tokens, retrieving command-and-control (C&C) instructions and executing them via cmd.exe. Command output is then exfiltrated back to the Slack channel. The malware also supports downloading and executing additional payloads.
Further analysis revealed additional components, including RatGopher, which offers functionality similar to LaxGopher but uses Discord for C&C communication, and CompactGopher, a file collection utility that compresses sensitive data and uploads it to file.io. Researchers also discovered a tool called SSLORDoor, which is written in C++ and uses OpenSSL’s BIO interface to establish raw socket connections over port 443. SSLORDoor can enumerate drives and run commands based on C&C input, mainly for opening, reading, writing, deleting, and uploading files.
Digging further, ESET found two more tools, FriendDelivery and BoxOfFriends, deployed against the same target. FriendDelivery is a DLL file that acts as a loader for the BoxOfFriends backdoor, which leverages the Microsoft 365 Outlook REST API via Microsoft Graph and exchanges commands with its operators by creating and modifying draft email messages.
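As an added defensive example (not ESET's code and not part of the original article), the script below triages constructed endpoint telemetry for the two signals the report describes: an svchost.exe started by something other than services.exe, which is what JabGopher's injection produces, and an svchost.exe reaching the SaaS services the toolkit uses for C&C and exfiltration (Slack, Discord, file.io, Microsoft Graph). The Sysmon-like event schema, field names and sample paths are assumptions.

```python
import os
# Legitimate svchost.exe is started by services.exe; JabGopher launches its own copy.
EXPECTED_SVCHOST_PARENT = "services.exe"

# SaaS endpoints the article says the toolkit uses for C&C or exfiltration.
ABUSED_HOSTS = {
    "slack.com": "LaxGopher (Slack C&C)",
    "discord.com": "RatGopher (Discord C&C)",
    "file.io": "CompactGopher (file.io exfiltration)",
    "graph.microsoft.com": "BoxOfFriends (Outlook draft C&C)",
}

def _basename(path: str) -> str:
    return os.path.basename(path.replace("\\", "/")).lower()

def abused_service(host: str):
    """Return the toolkit component a destination host matches, or None."""
    host = host.lower()
    for suffix, label in ABUSED_HOSTS.items():
        if host == suffix or host.endswith("." + suffix):
            return label
    return None

def find_suspicious(events):
    """Return (pid, reason) findings; HIGH when both signals hit the same pid."""
    findings, odd_svchost = [], set()
    for ev in events:
        if ev["type"] == "process_create" and _basename(ev["image"]) == "svchost.exe":
            parent = _basename(ev["parent_image"])
            if parent != EXPECTED_SVCHOST_PARENT:
                odd_svchost.add(ev["pid"])
                findings.append((ev["pid"], f"svchost.exe spawned by {parent}"))
        elif ev["type"] == "network_connect" and _basename(ev["image"]) == "svchost.exe":
            label = abused_service(ev["dest_host"])
            if label:
                sev = "HIGH" if ev["pid"] in odd_svchost else "MEDIUM"
                findings.append((ev["pid"], f"{sev}: svchost.exe -> {ev['dest_host']} ({label})"))
    return findings

# Constructed sample telemetry (assumed Sysmon-like fields), not from the ESET report.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 812, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"type": "process_create", "pid": 4812, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Users\Public\update.exe"},  # placeholder dropper path, constructed
    {"type": "network_connect", "pid": 812, "image": r"C:\Windows\System32\svchost.exe",
     "dest_host": "ctldl.windowsupdate.com"},
    {"type": "network_connect", "pid": 4812, "image": r"C:\Windows\System32\svchost.exe",
     "dest_host": "slack.com"},
]
```

Running `find_suspicious(SAMPLE_EVENTS)` flags only pid 4812: once for its unexpected parent and once, at HIGH severity, for the Slack connection from that same process; the legitimate svchost.exe talking to Windows Update produces nothing.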