In early 2025, cybersecurity researchers uncovered a previously undocumented Advanced Persistent Threat (APT) group, now referred to as GopherWhisper. This threat actor stands out for its heavy reliance on the Go programming language and its strategic abuse of legitimate cloud-based services for command-and-control (C&C) operations.
The group was first identified during an investigation involving a compromised governmental entity in Mongolia. What initially appeared as a single backdoor infection soon revealed a sophisticated ecosystem of malware tools, loaders, and communication techniques.
Initial Discovery and Attribution
The investigation began in January 2025 with the detection of a previously unknown backdoor named LaxGopher. As researchers dug deeper, they uncovered a broader toolkit, all sharing consistent design patterns but lacking direct code overlap with known threat groups.
Due to the absence of identifiable links to existing actors, the researchers classified this as a new APT group. The name GopherWhisper reflects two key elements:
- Extensive use of Go (whose mascot is the gopher)
- A malicious DLL component named whisper.dll

Malware Arsenal and Capabilities
GopherWhisper employs a diverse and modular toolset, primarily written in Go, designed for stealth, persistence, and flexibility.
Key Components
- JabGopher
An injector that executes the LaxGopher backdoor by injecting it into a newly spawned svchost.exe process.
- LaxGopher
A Go-based backdoor leveraging Slack for C&C communication. It executes system commands and can download additional payloads.
- CompactGopher
A file collection and exfiltration tool that compresses sensitive data and uploads it to file.io.
- RatGopher
A Discord-based backdoor that executes commands and sends results back through Discord channels.
- SSLORDoor
A C++ backdoor using OpenSSL over port 443 for stealthy communication. It supports file operations and system control.
- FriendDelivery & BoxOfFriends
A loader-backdoor pair using Microsoft 365 Outlook APIs for covert communication via draft emails.
Abuse of Legitimate Services
One of the most striking aspects of GopherWhisper is its use of trusted platforms for malicious communication:
- Slack (for LaxGopher)
- Discord (for RatGopher)
- Microsoft 365 Outlook (for BoxOfFriends)
- file.io (for data exfiltration)
This approach allows attackers to blend into normal network traffic, making detection significantly harder.
Insights from Extracted C&C Communications
Researchers successfully extracted thousands of messages from Slack and Discord, along with Outlook draft emails. This provided rare visibility into the attackers’ operations.
Key Observations
- Working Hours Pattern
Most activity occurred between 8 AM and 5 PM (UTC+8), aligning with China Standard Time.
- Development Artifacts
GitHub links found in Slack messages suggest the group relied on public repositories for:
  - Process injection techniques
  - Encryption utilities
  - Service management tools
- Testing Behavior
The same Slack and Discord servers were used both for testing malware and real operations—without clearing logs.
- Operator Environment
Evidence indicates use of VMware-based virtual machines for testing and deployment.
Timeline Correlation
The investigation revealed a clear operational timeline:
- July 11, 2024: Outlook account created
- July 22, 2024: FriendDelivery loader developed
- January 2025: Active deployment detected
This tight timeline suggests a structured and deliberate development cycle.
Conclusion
GopherWhisper represents a modern evolution of APT tactics—combining custom malware development with the abuse of legitimate services. Its reliance on Go-based tooling and cloud platforms highlights a growing trend in stealth-focused cyber espionage.
The group’s operational discipline, modular toolkit, and clever use of trusted services make it a significant threat, particularly to government entities and high-value targets.
Our Opinion on the GopherWhisper Case
GopherWhisper is a clear example of how modern threat actors are shifting away from traditional infrastructure and toward “living off trusted platforms.” By leveraging services like Slack, Discord, and Microsoft Outlook, the group effectively hides in plain sight—making conventional detection methods far less effective.
What stands out most is not just the technical sophistication, but the operational carelessness in certain areas. The reuse of communication channels for both testing and live operations, along with failure to delete logs, provided researchers with a rare and valuable window into the group’s internal workflows. This suggests that while the developers are technically capable, their operational security (OpSec) is not flawless.
Another important takeaway is the increasing role of Go in malware development. Its cross-platform capabilities and ease of compilation make it highly attractive for threat actors building scalable toolkits.
From a defensive standpoint, organizations must rethink their trust boundaries. Traffic to legitimate services can no longer be assumed safe. Behavioral monitoring, anomaly detection, and zero-trust principles are becoming essential.
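As an added illustration of the behavioral monitoring this paragraph calls for (and of the "blend into normal traffic" problem described under Abuse of Legitimate Services above), the following Python script is example code written for this page, not tooling from the researchers or from the threat actor. It scores constructed proxy-style log lines by asking which process on the endpoint is talking to Slack, Discord, Microsoft 365 or file.io, rather than whether the destination is trusted, and then buckets the flagged events by UTC+8 hour in the way the working-hours observation above was derived. The hostnames, the list of expected client processes, the log format and the sample lines are all assumptions constructed for the example; the page does not give the actual endpoints or logs.

```python
"""Detection heuristics for abuse of trusted SaaS platforms as C&C channels.

Example code written for this write-up; not the researchers' or the actor's tooling.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumption: well-known public hosts of the services the write-up names. The
# page does not list the exact API endpoints the malware used.
SERVICE_BY_HOST = {
    "slack.com": "Slack",
    "discord.com": "Discord",
    "graph.microsoft.com": "Microsoft 365 Outlook",
    "outlook.office.com": "Microsoft 365 Outlook",
    "file.io": "file.io",
}

# Assumption: processes allowed to talk to each service in this hypothetical
# environment. Anything else (svchost.exe, an "updater", ...) is anomalous.
EXPECTED_CLIENTS = {
    "Slack": {"slack.exe", "chrome.exe", "msedge.exe"},
    "Discord": {"discord.exe", "chrome.exe", "msedge.exe"},
    "Microsoft 365 Outlook": {"outlook.exe", "chrome.exe", "msedge.exe"},
    "file.io": set(),  # no sanctioned business use: any upload is suspicious
}

# Constructed sample log: "<ISO UTC timestamp> key=value ..." (not real data).
SAMPLE_LOG = """\
2025-01-14T00:05:12Z src=WS01 proc=slack.exe dst=slack.com:443 method=POST path=/api/chat.postMessage bytes_out=812
2025-01-14T01:17:45Z src=WS01 proc=svchost.exe dst=slack.com:443 method=POST path=/api/chat.postMessage bytes_out=1432
2025-01-14T02:40:03Z src=WS02 proc=updater.exe dst=discord.com:443 method=GET path=/api/v9/channels bytes_out=210
2025-01-14T03:02:30Z src=WS02 proc=outlook.exe dst=graph.microsoft.com:443 method=GET path=/v1.0/me/messages bytes_out=540
2025-01-14T05:55:10Z src=WS03 proc=svchost.exe dst=file.io:443 method=POST path=/ bytes_out=4831209
2025-01-14T14:30:00Z src=WS01 proc=chrome.exe dst=slack.com:443 method=GET path=/api/users.list bytes_out=300
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one constructed log line into a dict; return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)
    host, sep, port = rec.get("dst", "").rpartition(":")
    if not sep:                      # no explicit port in the record
        host, port = rec.get("dst", ""), "443"
    rec["host"], rec["port"] = host.lower(), int(port)
    rec["bytes_out"] = int(rec.get("bytes_out", 0))
    return rec


def service_for(host):
    """Match the host or any parent domain (api.slack.com -> slack.com)."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in SERVICE_BY_HOST:
            return SERVICE_BY_HOST[candidate]
    return None


def analyze(lines, exfil_threshold=1_000_000):
    """Return findings for connections to trusted services that look anomalous."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.get("proc") is None:
            continue
        service = service_for(rec["host"])
        if service is None:
            continue                 # not one of the monitored platforms
        proc = rec["proc"].lower()
        reasons = []
        if proc not in EXPECTED_CLIENTS[service]:
            reasons.append(f"unexpected process {proc} talking to {service}")
        if service == "file.io" and rec.get("method", "").upper() == "POST":
            reasons.append("upload to file.io (possible exfiltration)")
        if rec["bytes_out"] >= exfil_threshold:
            reasons.append(f"large outbound volume: {rec['bytes_out']} bytes")
        if reasons:
            findings.append({"ts": rec["ts"], "proc": proc, "host": rec["host"],
                             "service": service, "reasons": reasons})
    return findings


def activity_by_local_hour(findings, utc_offset_hours=8):
    """Bucket flagged events by hour of day in the given UTC offset (page: UTC+8)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return Counter(f["ts"].astimezone(tz).hour for f in findings)


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h["ts"].isoformat(), h["proc"], "->", h["host"], "|", "; ".join(h["reasons"]))
    print("flagged events by UTC+8 hour:", dict(activity_by_local_hour(hits)))
```

On the sample input the sanctioned clients (slack.exe, outlook.exe, chrome.exe) pass untouched, while the svchost.exe sessions to Slack and file.io and the "updater.exe" session to Discord are flagged; the file.io line triggers all three heuristics at once. The point of the design is that allow-listing the destination would have passed every line, whereas pairing destination with the originating process and the direction of data flow surfaces the abuse.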
Overall, GopherWhisper reinforces a critical reality: attackers are evolving faster than traditional defenses, and visibility—not just prevention—is now the key battleground in cybersecurity.
