What happened
ESET has documented a previously unknown China-linked APT tracked as GopherWhisper, active since at least November 2023, that uses legitimate services including Slack, Discord, Microsoft Graph API, and the file-sharing platform file.io for command-and-control communication and data exfiltration.
The group came to light in January 2025 during an investigation into a Go-based backdoor found on systems belonging to a governmental entity in Mongolia. That investigation uncovered a broader toolset of custom backdoors, loaders, and injectors attributed to the group.
The primary backdoor, LaxGopher, uses Slack for command-and-control and can execute commands, exfiltrate data, and fetch additional payloads. An injector named JabGopher executes LaxGopher in the memory of a newly spawned svchost.exe instance. A file collection tool called CompactGopher compresses files and sends them to file.io via its public REST API. A second backdoor, RatGopher, uses Discord for command-and-control and uploads or downloads files through the same file-sharing service. A C++ backdoor named SSLORDoor communicates via raw TCP sockets using OpenSSL BIO and can enumerate drives, execute file manipulation commands, and spawn hidden command prompt processes.
ESET also identified two additional tools deployed against the same Mongolian target: BoxOfFriends, a Go backdoor that uses Microsoft Graph API to communicate through draft Outlook messages, and FriendDelivery, a DLL injector that loads it. BoxOfFriends can exfiltrate files, manipulate ports, and execute shell commands. GopherWhisper infected roughly 12 systems within the Mongolian government institution, with ESET assessing that dozens of additional victims were likely targeted. Timestamp analysis of chat messages and emails places the group’s operators in China. ESET classified GopherWhisper as a new group because its code, TTPs, and targeting do not overlap with any previously documented APT.
Who is affected
Government entities are the confirmed primary targets, with a Mongolian governmental organization as the documented victim. ESET’s assessment of dozens of likely additional victims suggests the campaign extends beyond the single confirmed case. Organizations using Slack, Discord, Microsoft Graph, and file.io as part of their standard tooling face a detection challenge, as malicious traffic to these platforms is difficult to distinguish from legitimate use.
Why CISOs should care
GopherWhisper’s entire command-and-control architecture is built on platforms that most enterprise environments treat as trusted. Slack traffic, Discord traffic, and Microsoft Graph API calls to Outlook are not the kind of outbound connections that network monitoring tools flag by default. The use of draft Outlook messages as a C2 channel through BoxOfFriends, a technique also seen in GoGra, reflects a deliberate strategy of blending into normal cloud productivity traffic to avoid detection.
The breadth of the toolset is also notable. Five distinct backdoors and injectors across multiple communication channels suggest a well-resourced group with redundant access mechanisms designed to survive partial detection and remediation.
3 practical actions
- Implement behavioral monitoring for anomalous use of collaboration and file-sharing platforms: Slack, Discord, and file.io are legitimate services that GopherWhisper uses as C2 and exfiltration channels. Monitor for unusual API call patterns, high-volume file transfers to public sharing services, and automated interactions with these platforms from non-standard processes or outside of business hours.
- Detect svchost.exe injection patterns associated with JabGopher: The injector spawns new svchost.exe instances to load LaxGopher in memory. Endpoint detection rules that flag svchost.exe processes spawned from unusual parent processes or exhibiting network behavior inconsistent with their expected function are a reliable detection surface for this technique.
- Monitor for Microsoft Graph API draft message abuse as a C2 indicator: The BoxOfFriends backdoor communicates through Outlook draft messages via Graph API, a technique that leaves no sent mail trail. Review Graph API activity in your tenant for accounts making repeated, automated calls to draft or read draft messages from non-standard applications.
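The three actions above can be turned into concrete hunt logic. The script below is an added example, not ESET's code or tooling: it runs the three checks over a few constructed telemetry records (process creation, network connections, and Graph API audit calls) and flags the patterns described in the list. The event schema, the process and application allowlists, the thresholds, and every sample event are assumptions to be mapped onto your own EDR, proxy, and Graph audit logs.

```python
"""Toy hunts for the three GopherWhisper detection ideas listed above.

Added example, not ESET's code or tooling: the event schema, process and
application allowlists, thresholds and every sample event below are
constructed assumptions; map them onto your own EDR/proxy/Graph audit logs.
"""
from collections import Counter
from datetime import datetime

# Platforms the report names as C2 and exfiltration channels.
C2_HOSTS = {"slack.com", "api.slack.com", "discord.com", "discordapp.com", "file.io"}
# Processes you expect to talk to those platforms (assumed allowlist).
EXPECTED_CLIENTS = {"slack.exe", "discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Applications expected to touch mailbox drafts through Graph (assumed allowlist).
EXPECTED_GRAPH_APPS = {"Outlook"}
BUSINESS_HOURS = range(8, 19)               # 08:00-18:59 local time
FILEIO_BYTES_THRESHOLD = 50 * 1024 * 1024   # 50 MiB per process per day
GRAPH_DRAFT_CALLS_PER_HOUR = 12             # machine-like polling cadence


def anomalous_saas_use(net_events):
    """Action 1: connections to C2-capable SaaS hosts from unexpected
    processes, outside business hours, or with bulk uploads to file.io."""
    alerts, fileio_bytes = [], Counter()
    for ev in net_events:
        host, proc = ev["dst_host"].lower(), ev["process"].lower()
        if host not in C2_HOSTS:
            continue
        reasons = []
        if proc not in EXPECTED_CLIENTS:
            reasons.append("unexpected process")
        if datetime.fromisoformat(ev["ts"]).hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if host == "file.io":
            fileio_bytes[proc] += ev.get("bytes_out", 0)
            if fileio_bytes[proc] > FILEIO_BYTES_THRESHOLD:
                reasons.append("high-volume file.io upload")
        if reasons:
            alerts.append((ev["ts"], proc, host, reasons))
    return alerts


def suspicious_svchost(proc_events, net_events):
    """Action 2: svchost.exe is normally started by services.exe with a
    '-k <group>' argument; flag other parents or a bare command line, and
    any svchost instance reaching the collaboration platforms."""
    alerts = []
    for ev in proc_events:
        if ev["image"].lower() != "svchost.exe":
            continue
        parent, cmdline = ev["parent"].lower(), ev.get("cmdline", "").lower()
        if parent != "services.exe" or "-k" not in cmdline.split():
            alerts.append((ev["ts"], ev["pid"], f"parent={parent}", cmdline))
    for ev in net_events:
        if ev["process"].lower() == "svchost.exe" and ev["dst_host"].lower() in C2_HOSTS:
            alerts.append((ev["ts"], ev["pid"], "svchost->" + ev["dst_host"], ""))
    return alerts


def graph_draft_abuse(graph_events, max_per_hour=GRAPH_DRAFT_CALLS_PER_HOUR):
    """Action 3: accounts whose drafts are read or written by a non-standard
    application at polling cadence (drafts as a dead drop leave no sent-mail
    trail, so the call pattern itself is the signal)."""
    buckets = Counter()
    for ev in graph_events:
        touches_drafts = "drafts" in ev["path"].lower() or ev.get("is_draft", False)
        if not touches_drafts or ev["app"] in EXPECTED_GRAPH_APPS:
            continue
        buckets[(ev["user"], ev["app"], ev["ts"][:13])] += 1   # per-hour bucket
    return sorted((u, a, h, n) for (u, a, h), n in buckets.items() if n >= max_per_hour)


# ---- constructed sample telemetry (not real IoCs) ----------------------------
NET_EVENTS = [
    {"ts": "2025-01-15T10:12:00", "process": "slack.exe", "pid": 4120, "dst_host": "api.slack.com", "bytes_out": 2048},
    {"ts": "2025-01-15T03:05:00", "process": "svchost.exe", "pid": 7712, "dst_host": "api.slack.com", "bytes_out": 512},
    {"ts": "2025-01-15T03:06:00", "process": "updater.exe", "pid": 8001, "dst_host": "file.io", "bytes_out": 80 * 1024 * 1024},
    {"ts": "2025-01-15T14:00:00", "process": "chrome.exe", "pid": 5002, "dst_host": "file.io", "bytes_out": 1024 * 1024},
    {"ts": "2025-01-15T14:30:00", "process": "chrome.exe", "pid": 5002, "dst_host": "example.com", "bytes_out": 4096},
]
PROC_EVENTS = [
    {"ts": "2025-01-15T08:00:00", "image": "svchost.exe", "pid": 1234, "parent": "services.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"ts": "2025-01-15T03:04:00", "image": "svchost.exe", "pid": 7712, "parent": "loader.exe", "cmdline": "svchost.exe"},
    {"ts": "2025-01-15T09:00:00", "image": "explorer.exe", "pid": 2000, "parent": "userinit.exe", "cmdline": "explorer.exe"},
]
GRAPH_EVENTS = [
    {"ts": "2025-01-15T09:10:00", "user": "analyst@example.gov", "app": "Outlook", "path": "/me/messages", "is_draft": True},
] + [
    {"ts": f"2025-01-15T03:{m:02d}:00", "user": "analyst@example.gov", "app": "unregistered-client",
     "path": "/me/mailFolders/drafts/messages"} for m in range(0, 60, 5)
]

if __name__ == "__main__":
    for name, hits in (("SaaS misuse", anomalous_saas_use(NET_EVENTS)),
                       ("svchost", suspicious_svchost(PROC_EVENTS, NET_EVENTS)),
                       ("Graph drafts", graph_draft_abuse(GRAPH_EVENTS))):
        print(f"{name}: {len(hits)} alert(s)")
        for hit in hits:
            print("   ", hit)
```

On the constructed data the first check flags the off-hours svchost.exe connection to api.slack.com and the bulk upload to file.io while leaving the Slack client and browser traffic alone; the second flags the svchost.exe instance whose parent is not services.exe and the same instance's outbound Slack connection; the third flags only the unregistered application polling the drafts folder twelve times in an hour, not the mail client's ordinary draft access. The allowlists and thresholds are the part that needs tuning per environment; the structure of the checks (unexpected process, unexpected parent, unexpected cadence) is what carries over.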
Also in the news today:
- Surveillance Vendors Exploiting Telecom Infrastructure to Track Targets’ Locations
- American Utility Firm Itron Discloses Breach of Internal IT Network
- Nessus Agent Vulnerability on Windows Enables Arbitrary Code Execution with SYSTEM Privileges
- Litecoin Zero-Day Vulnerability Exploited in DoS Attack, Disrupts Major Mining Pools
- CISA Warns of Multiple SimpleHelp Vulnerabilities Exploited in Attacks
- 153,000 Electricity and Gas Contracts Exposed in Breach Linked to Iberdrola Partner
- Russian-Linked Campaign Compromises Signal Accounts of Senior German Officials
