SOC Prime Bias: Critical

24 Apr 2026 18:24

ESET Research GopherWhisper: A burrow full of malware

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

ESET identified a previously unknown China-aligned APT group tracked as GopherWhisper targeting a government organization in Mongolia. The threat actor operates a custom malware ecosystem built around Go and C++ backdoors, loaders, and injectors, while heavily abusing legitimate cloud platforms for command-and-control activity. Its toolset, including LaxGopher, RatGopher, and BoxOfFriends, communicates through services such as Discord, Slack, Microsoft Outlook, and file.io. Researchers first observed the campaign in January 2025.

Investigation

ESET’s analysis uncovered the group’s broader toolkit, documented its injection methods, and identified Slack and Discord API tokens used in the operation. The researchers also extracted thousands of command-and-control messages and draft Outlook emails tied to the campaign. Their investigation mapped the supporting infrastructure and showed how the attackers relied on trusted online services to conceal communications and exfiltrate data.

Mitigation

Defenders should monitor for unauthorized Slack, Discord, and Outlook API activity, block suspicious uploads to file.io, and enforce strict controls over DLL loading behavior. Security teams should also detect anomalous svchost.exe injection activity and investigate unknown Go-based binaries running in the environment.
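As an added illustration of the "anomalous svchost.exe injection activity" check, the following Python is example code written for this page (it is not SOC Prime's Sigma rule or ESET's tooling) that runs two checks over Sysmon-style process-creation events and correlates them by PID: an svchost.exe created by anything other than services.exe, and a command shell spawned from svchost.exe, which is the chain the simulation below reproduces. The event fields, the assumption that services.exe is the only expected svchost.exe parent, and the sample events are all constructed.

```python
"""Toy detector for the GopherWhisper-style injection chain over Sysmon-like
process-creation events (Event ID 1). Example code for this page, not SOC
Prime's Sigma rule: field names and sample events are constructed."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of Sysmon Event ID 1 fields needed for the two checks."""
    pid: int
    image: str
    parent_pid: int
    parent_image: str
    command_line: str


# Assumption: on a healthy host svchost.exe is created by services.exe only.
LEGIT_SVCHOST_PARENTS = {"services.exe"}
# Command shells a backdoor resident in svchost.exe might spawn (T1059.003).
SHELLS = {"cmd.exe", "powershell.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[ProcessEvent]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) alerts in event order.

    Rules:
      svchost_unusual_parent - svchost.exe not created by services.exe
      shell_from_svchost     - a command shell whose parent is svchost.exe
      injection_chain        - both of the above on the same svchost.exe PID
    """
    alerts: List[Tuple[str, int]] = []
    suspicious_svchost: set = set()
    for ev in events:
        image = basename(ev.image)
        parent = basename(ev.parent_image)
        if image == "svchost.exe" and parent not in LEGIT_SVCHOST_PARENTS:
            alerts.append(("svchost_unusual_parent", ev.pid))
            suspicious_svchost.add(ev.pid)
        if image in SHELLS and parent == "svchost.exe":
            alerts.append(("shell_from_svchost", ev.pid))
            # Correlate the shell with an svchost.exe that already looked odd.
            if ev.parent_pid in suspicious_svchost:
                alerts.append(("injection_chain", ev.parent_pid))
    return alerts


# Constructed sample telemetry mirroring the regression script on this page.
SAMPLE_EVENTS = [
    # Normal: services.exe starts a service host.
    ProcessEvent(1200, r"C:\Windows\System32\svchost.exe", 700,
                 r"C:\Windows\System32\services.exe", "svchost.exe -k netsvcs"),
    # Odd: svchost.exe created by PowerShell (the simulation's injection target).
    ProcessEvent(4100, r"C:\Windows\System32\svchost.exe", 3400,
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "svchost.exe -k netsvcs"),
    # Odd: a hidden cmd.exe spawned from that svchost.exe.
    ProcessEvent(4200, r"C:\Windows\System32\cmd.exe", 4100,
                 r"C:\Windows\System32\svchost.exe",
                 r'cmd.exe /c echo Compromised > C:\Temp\pwned.txt'),
    # Normal: a user opening a shell from Explorer.
    ProcessEvent(5000, r"C:\Windows\System32\cmd.exe", 2000,
                 r"C:\Windows\explorer.exe", "cmd.exe"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule}: pid {pid}")
```

The parent allow-list is the tuning knob: on hosts where other signed parents legitimately create svchost.exe, extend LEGIT_SVCHOST_PARENTS from a baseline rather than widening the shell rule, since the shell-from-svchost event is the higher-confidence signal of the two.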

Response

If GopherWhisper activity is detected, isolate the affected system immediately, terminate malicious processes, remove injected DLLs, reset compromised service accounts, and revoke any exposed API tokens. A full forensic investigation should follow, along with threat hunting across the network to identify related artifacts or additional compromised hosts.

    graph TB
        %% Class definitions
        classDef malware fill:#ffcccc
        classDef process fill:#c2f0c2
        classDef file fill:#ffd9b3
        classDef technique fill:#e6e6ff
        classDef service fill:#ffffcc
        classDef network fill:#d9d9d9

        %% Nodes
        node_initial_loader["<b>Malware</b> – <b>JabGopher Loader</b><br/><b>Action</b>: Create svchost.exe and inject LaxGopher backdoor"]
        class node_initial_loader malware
        node_svc_host["<b>Process</b> – svchost.exe"]
        class node_svc_host process
        node_laxgopher["<b>Malware</b> – <b>LaxGopher</b> backdoor (DLL)"]
        class node_laxgopher malware
        node_whisper_dll["<b>File</b> – whisper.dll (masquerading)"]
        class node_whisper_dll file
        node_process_injection["<b>Technique</b> – T1055 Process Injection<br/><b>Description</b>: Inject malicious code into a running process"]
        class node_process_injection technique
        node_reflective_loading["<b>Technique</b> – T1620 Reflective Code Loading<br/><b>Description</b>: Load code in memory without using the standard OS loader"]
        class node_reflective_loading technique
        node_masquerading["<b>Technique</b> – T1036 Masquerading<br/><b>Description</b>: Rename files to appear legitimate"]
        class node_masquerading technique
        node_frienddelivery["<b>Malware</b> – <b>FriendDelivery DLL</b>"]
        class node_frienddelivery malware
        node_boxoffriends["<b>Malware</b> – <b>BoxOfFriends</b> backdoor"]
        class node_boxoffriends malware
        node_go_backdoor["<b>Malware</b> – Go based backdoors (RatGopher, LaxGopher)"]
        class node_go_backdoor malware
        node_c2_slack["<b>Service</b> – Slack (Web Service)"]
        class node_c2_slack service
        node_c2_discord["<b>Service</b> – Discord (Web Service)"]
        class node_c2_discord service
        node_c2_outlook["<b>Service</b> – Microsoft 365 Outlook Mail REST API"]
        class node_c2_outlook service
        node_tech_c2_web["<b>Technique</b> – T1102.002 Web Service Bidirectional Communication<br/><b>Description</b>: Use legitimate web services for C2"]
        class node_tech_c2_web technique
        node_tech_mail["<b>Technique</b> – T1071.003 Mail Protocols<br/><b>Description</b>: Use mail protocols for C2"]
        class node_tech_mail technique
        node_remote_access["<b>Technique</b> – T1219 Remote Access Tools<br/><b>Description</b>: Provide remote command execution"]
        class node_remote_access technique
        node_compactgopher["<b>Malware</b> – CompactGopher"]
        class node_compactgopher malware
        node_archive["<b>Technique</b> – T1560.001 Archive Collected Data via Utility<br/><b>Description</b>: Compress data before exfiltration"]
        class node_archive technique
        node_data_limit["<b>Technique</b> – T1030 Data Transfer Size Limits<br/><b>Description</b>: Handle size limits by compressing or splitting data"]
        class node_data_limit technique
        node_exfil_fileio["<b>Service</b> – file.io cloud storage"]
        class node_exfil_fileio service
        node_exfil_tech["<b>Technique</b> – T1567.002 Exfiltration Over Web Service to Cloud Storage<br/><b>Description</b>: Use cloud storage as exfiltration channel"]
        class node_exfil_tech technique
        node_transfer_to_cloud["<b>Technique</b> – T1537 Transfer Data to Cloud Account<br/><b>Description</b>: Move data to attacker-controlled cloud account"]
        class node_transfer_to_cloud technique
        node_sslordoor["<b>Malware</b> – SSLORDoor"]
        class node_sslordoor malware
        node_raw_socket["<b>Technique</b> – Raw Socket Communication"]
        class node_raw_socket technique
        node_port_443["<b>Network</b> – Port 443"]
        class node_port_443 network

        %% Connections
        node_initial_loader -->|creates| node_svc_host
        node_initial_loader -->|injects| node_laxgopher
        node_laxgopher -->|uses| node_process_injection
        node_laxgopher -->|uses| node_reflective_loading
        node_laxgopher -->|file name| node_whisper_dll
        node_whisper_dll -->|masquerades as| node_masquerading
        node_frienddelivery -->|loads| node_boxoffriends
        node_boxoffriends -->|uses| node_process_injection
        node_boxoffriends -->|uses| node_reflective_loading
        node_laxgopher -->|C2 via| node_c2_slack
        node_go_backdoor -->|C2 via| node_c2_discord
        node_go_backdoor -->|C2 via| node_c2_slack
        node_c2_slack -->|uses technique| node_tech_c2_web
        node_c2_discord -->|uses technique| node_tech_c2_web
        node_boxoffriends -->|creates drafts via| node_c2_outlook
        node_c2_outlook -->|uses technique| node_tech_mail
        node_go_backdoor -->|provides| node_remote_access
        node_sslordoor -->|provides| node_remote_access
        node_compactgopher -->|compresses data with| node_archive
        node_compactgopher -->|handles size limits via| node_data_limit
        node_archive -->|uploaded to| node_exfil_fileio
        node_exfil_fileio -->|uses technique| node_exfil_tech
        node_exfil_fileio -->|uses technique| node_transfer_to_cloud
        node_sslordoor -->|uses raw sockets on| node_port_443
        node_sslordoor -->|uses| node_raw_socket

Attack Flow

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    The attacker first spawns a fresh svchost.exe process (the chosen host for injection). Using a reflective DLL injector, the malicious LaxGopher.dll payload is loaded into the memory of that process, achieving Dynamic‑Link Library Injection (T1055.001). Once the backdoor is resident, it opens a hidden cmd.exe instance to execute commands received from its C2 server, satisfying Windows Command Shell (T1059.003). This chain mirrors the behavior described in the GopherWhisper research and generates the two process‑creation events that the Sigma rule looks for.

  • Regression Test Script:

    # -------------------------------------------------------------
    # Simulation of GopherWhisper‑style process injection
    # -------------------------------------------------------------
    # Note: PowerShell variable names are case-insensitive, so the path variable
    # must not be named $svcHost or it would be overwritten by the process object.
    $svcHostPath = "$env:SystemRoot\System32\svchost.exe"
    $dllPath     = "C:\Temp\LaxGopher.dll"   # Assume a benign test DLL exists here
    $cmdPath     = "$env:SystemRoot\System32\cmd.exe"
    
    # 1. Start a fresh svchost.exe instance to be the injection target.
    #    Started directly (not by services.exe), so its parent is this PowerShell
    #    host, which is exactly the anomalous parent the detection should see.
    $svchost = Start-Process -FilePath $svcHostPath -ArgumentList "-k", "netsvcs" `
                -PassThru -WindowStyle Hidden
    
    # 2. Perform a simplistic reflective injection (placeholder)
    #    In a real test you would call a proper injector; here we just log intent.
    Write-Host "[*] Injecting $dllPath into PID $($svchost.Id) (simulated)"
    # Simulated injection command:
    #   .\Invoke-ReflectiveDLLInjection.ps1 -Pid $svchost.Id -Path $dllPath
    
    # 3. Launch cmd.exe from the injected process context (simulated).
    #    Keep the process object so cleanup can target this PID only.
    Write-Host "[*] Launching cmd.exe from injected svchost (simulated)"
    $cmd = Start-Process -FilePath $cmdPath -ArgumentList "/c echo Compromised > C:\Temp\pwned.txt" `
                  -WindowStyle Hidden -PassThru
    
    # 4. Sleep briefly to allow Sysmon to record events
    Start-Sleep -Seconds 5
  • Cleanup Commands:

    # Terminate only the svchost.exe and cmd.exe instances started by the
    # regression script ($svchost and $cmd). Never stop every svchost.exe on
    # the host: that would kill legitimate service hosts and destabilize Windows.
    foreach ($p in @($svchost, $cmd)) {
        if ($p) { Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue }
    }
    
    # Remove the test DLL and the marker file written by the simulation (optional)
    Remove-Item -Path "C:\Temp\LaxGopher.dll" -Force -ErrorAction SilentlyContinue
    Remove-Item -Path "C:\Temp\pwned.txt" -Force -ErrorAction SilentlyContinue