How does GopherWhisper conduct its attacks?

GopherWhisper employs a suite of custom tools, including backdoors and injectors, to infiltrate target systems. It utilizes legitimate collaboration platforms such as Discord, Slack, and Microsoft 365 Outlook to manage command and control communications and exfiltrate data, thereby blending malicious activities with normal network traffic to evade detection.

What measures can organizations take to defend against threats like GopherWhisper?

Organizations should implement comprehensive monitoring of collaboration platforms, enforce strict access controls, conduct regular security audits, and educate employees on recognizing phishing attempts and other social engineering tactics to mitigate the risk of similar APT attacks.

GopherWhisper: Unveiling a New China-Aligned APT Group Exploiting Collaboration Platforms

ESET's latest research exposes GopherWhisper, a sophisticated APT group leveraging popular collaboration tools for cyber espionage against Mongolian governmental institutions.

Published: April 24, 2026

Share this on:

Executive Summary

In January 2025, ESET researchers identified a previously undocumented China-aligned APT group named GopherWhisper targeting a Mongolian governmental institution. The group employs a suite of custom tools, primarily written in Go, including backdoors like LaxGopher, RatGopher, and BoxOfFriends, as well as the C++ backdoor SSLORDoor. GopherWhisper leverages legitimate services such as Discord, Slack, Microsoft 365 Outlook, and file.io for command and control (C&C) communications and data exfiltration. Analysis of C&C traffic from these platforms provided significant insights into the group's operations and post-compromise activities. (welivesecurity.com)

This incident underscores the evolving tactics of APT groups in utilizing common collaboration platforms for malicious activities, highlighting the need for enhanced monitoring and security measures within such services to detect and mitigate potential threats.

Why This Matters Now

The GopherWhisper incident highlights the increasing trend of APT groups exploiting legitimate collaboration platforms for malicious purposes, emphasizing the urgency for organizations to implement robust monitoring and security protocols to detect and prevent such sophisticated attacks.

Attack Path Analysis

GopherWhisper initiated the attack by deploying custom Go-based backdoors into the target's systems. They then escalated privileges to gain higher-level access. Utilizing legitimate services like Slack and Discord, they moved laterally within the network. Command and control were maintained through these platforms, allowing for continuous communication. Data was exfiltrated using the file.io service. The impact included unauthorized access and potential data breaches.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

Medium

Lateral Movement

High

Command & Control

High

Exfiltration

High

Impact

Medium

Initial Compromise

Description

GopherWhisper deployed custom Go-based backdoors into the target's systems.

Confidence:

High

MITRE ATT&CK® Techniques

Command and Control

T1071.001

Application Layer Protocol: Web Protocols

Command and Control

T1105

Ingress Tool Transfer

Execution

T1059.003

Command and Scripting Interpreter: Windows Command Shell

Collection

T1005

Data from Local System

Exfiltration

T1041

Exfiltration Over C2 Channel

Defense Evasion

T1055

Process Injection

Defense Evasion

T1078

Valid Accounts

Initial Access

T1566.002

Phishing: Spearphishing Link

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.

Control ID: 6.4.3

The use of legitimate services like Slack and Discord for C&C communications indicates a lack of effective security monitoring and testing procedures to detect unauthorized use of such platforms.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

The incident reveals deficiencies in the cybersecurity policy, particularly in monitoring and controlling the use of third-party communication platforms within the organization.

DORA – ICT Risk Management Framework

Control ID: Article 5

The exploitation of legitimate services for malicious purposes suggests inadequate ICT risk management practices, failing to address the risks associated with third-party services.

CISA ZTMM 2.0 – User and Device Authentication

Control ID: 3.1

The use of valid accounts for unauthorized activities indicates weaknesses in user and device authentication mechanisms, allowing adversaries to exploit legitimate credentials.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

The incident highlights the need for improved risk management measures to detect and prevent the abuse of legitimate services for malicious activities.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Government Administration

Direct APT targeting of Mongolian governmental entity demonstrates vulnerability to China-aligned groups using legitimate services for C&C communications and data exfiltration.

Information Technology/IT

GopherWhisper's Go-based toolset exploiting Discord, Slack, and Microsoft 365 highlights critical gaps in east-west traffic monitoring and egress security controls.

Telecommunications

APT group's abuse of encrypted communications platforms and raw socket connections on port 443 exposes infrastructure vulnerabilities to lateral movement.

Defense/Space

China-aligned threat actor's sophisticated multi-stage deployment and C&C infrastructure poses significant risks to classified systems and national security operations.

Sources

GopherWhisper: A burrow full of malwarehttps://www.welivesecurity.com/en/eset-research/gopherwhisper-burrow-full-malware/
Verified

ESET Research discovers new China-aligned group, GopherWhisper: It abuses messaging services Discord, Slack, and Outlook to spyhttps://www.globenewswire.com/news-release/2026/04/23/3279634/0/en/ESET-Research-discovers-new-China-aligned-group-GopherWhisper-It-abuses-messaging-services-Discord-Slack-and-Outlook-to-spy.html

Verified

GopherWhisper APT group hides command and control traffic in Slack and Discordhttps://www.helpnetsecurity.com/2026/04/23/gopherwhisper-apt-group/

Verified

Frequently Asked Questions

GopherWhisper is a China-aligned advanced persistent threat (APT) group identified by ESET in January 2025, known for targeting Mongolian governmental institutions using custom Go-based malware and leveraging legitimate services like Discord, Slack, and Microsoft 365 Outlook for command and control communications.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-aware policies.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: The attacker's ability to establish persistent backdoors may have been limited, reducing the scope of initial system compromise.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: The attacker's ability to escalate privileges could have been constrained, reducing the risk of gaining higher-level access.

Lateral Movement

Control: East-West Traffic Security

Mitigation: The attacker's lateral movement within the network could have been restricted, reducing the spread of the attack.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: The attacker's command and control communications could have been detected and constrained, reducing their ability to manage the attack.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: The attacker's data exfiltration efforts could have been restricted, reducing the risk of data loss.

Impact (Mitigations)

The overall impact of unauthorized access and data breaches could have been reduced, limiting the attack's effectiveness.

Impact at a Glance

Affected Business Functions

Government Communications
Data Management
Internal IT Systems

Operational Disruption

Estimated downtime: 7 days

Financial Impact

Estimated loss: $50,000

Data Exposure

Sensitive governmental data, including internal communications and confidential documents.

Recommended Actions

• Implement Zero Trust Segmentation to restrict lateral movement within the network.
• Enhance East-West Traffic Security to monitor and control internal communications.
• Deploy Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
• Utilize Multicloud Visibility & Control to detect and respond to anomalous activities.
• Apply Threat Detection & Anomaly Response mechanisms to identify and mitigate threats promptly.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

GopherWhisper: Unveiling a New China-Aligned APT Group Exploiting Collaboration Platforms

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

MITRE ATT&CK® Techniques

Application Layer Protocol: Web Protocols

Ingress Tool Transfer

Command and Scripting Interpreter: Windows Command Shell

Data from Local System

Exfiltration Over C2 Channel

Process Injection

Valid Accounts

Phishing: Spearphishing Link

Potential Compliance Exposure

PCI DSS 4.0 – Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – User and Device Authentication

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Government Administration

Information Technology/IT

Telecommunications

Defense/Space

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads