GopherWhisper: China's New APT Hides 7 Backdoors Inside Slack, Discord and Outlook

ESET researchers attributed GopherWhisper to a China-aligned threat actor with high confidence based on multiple independent signals converging on a consistent picture. The most direct evidence came from an operational security failure: GopherWhisper operators hardcoded authentication credentials into the malware itself, allowing ESET to access the attacker-controlled Slack workspace and Discord server and recover the full history of C2 communications.

From the recovered infrastructure, ESET extracted 6,044 Slack messages dated from August 21, 2024 through the time of discovery, and 3,005 Discord messages from November 16, 2023 onward. Timestamp analysis of these messages showed operator activity concentrated between 8 AM and 5 PM UTC+8 — China Standard Time. The Slack client locale metadata for the attacker-controlled account was set to zh-CN, the simplified Chinese locale identifier used in the People's Republic of China. Virtual machine boot times recovered from the C2 session metadata were consistent with the same timezone. No other geographic or linguistic attribution signals contradicting Chinese origin were identified.

GopherWhisper does not appear in prior MITRE ATT&CK group naming, Google TAG cluster designations, or Mandiant APT numbering, indicating this is a newly identified actor. Tradecraft similarities to other China-aligned APTs targeting Central Asia and Mongolian government institutions were noted by ESET, but no formal cluster merge has been announced. No government indictment or APT designation has been issued. The targeting of a Mongolian government entity is consistent with Chinese intelligence collection priorities in Central Asia aligned with Belt and Road Initiative regional relationships.

GopherWhisper's technique stack maps cleanly across initial access, execution, persistence, defense evasion, command-and-control, and exfiltration phases. The group's primary strength is defense evasion — specifically the systematic abuse of trusted enterprise platforms that network security tools are configured to trust, not inspect.

**Initial Access (TA0001):** The specific vector used against the Mongolian government target has not been publicly confirmed by ESET. DLL side-loading as the execution mechanism implies a prior persistent foothold, suggesting spear-phishing or watering-hole delivery of the initial dropper. This phase remains unconfirmed in published research.

**Execution & Persistence (TA0002/TA0003):** T1055.001 (Process Injection — DLL Injection) via JabGopher, which launches svchost.exe and injects LaxGopher as whisper.dll. T1059.003 (Windows Command Shell) is used by both LaxGopher and RatGopher to execute operator commands. T1574.002 (DLL Side-Loading) underpins the JabGopher and FriendDelivery mechanisms.

**Defense Evasion (TA0005):** T1102.002 (Web Service — Bidirectional Communication) is the central evasion technique — all C2 traffic passes through Slack, Discord, or Microsoft Graph API, which are whitelisted on enterprise firewalls. T1218 (Signed Binary Proxy Execution) via the use of svchost.exe as the injection host.

**Command and Control (TA0011):** Three parallel channels via T1102: Slack (LaxGopher), Discord (RatGopher), Microsoft Graph API Outlook drafts (BoxOfFriends), with SSLORDoor providing a direct TCP fallback on port 443.

**Exfiltration (TA0010):** T1048 (Exfiltration Over Alternative Protocol) — CompactGopher compresses targeted files and uploads via file.io, a legitimate public file-sharing service.

GopherWhisper's toolkit shows deliberate architectural redundancy: three separate backdoors operating three separate C2 channels ensure that losing access to any single platform does not sever operator control. The toolkit was purpose-built in Go — a language increasingly favoured by state-sponsored APTs for its cross-platform compilation, small binary size, and relative rarity in corporate endpoint detection signatures compared to C or C++.

LaxGopher connects to a private Slack workspace, polls designated channels for commands, executes them via cmd.exe, and posts results back to the same channel. RatGopher performs the identical function using a private Discord server. BoxOfFriends uses the Microsoft Graph API to read commands from draft emails in an attacker-controlled Outlook account and write results back to new draft emails — a technique that generates zero outbound email traffic, leaving no discoverable sent-mail trail. SSLORDoor is a C++ backdoor providing direct socket communication over port 443 using raw OpenSSL, serving as a fallback when cloud service routes are unavailable. CompactGopher handles exfiltration — compressing targeted files before uploading to file.io. JabGopher is the primary injector and FriendDelivery is the DLL loader for BoxOfFriends.

The Outlook C2 account barrantaya.1010@outlook.com was created July 11, 2024. FriendDelivery was compiled exactly 11 days later on July 22, 2024 — indicating rapid, structured operationalisation of new C2 infrastructure. Full IOCs including file hashes are published by ESET at github.com/eset/malware-ioc/tree/master/gopherwhisper.

GopherWhisper's confirmed operational history spans at least 29 months, from the earliest recovered Discord C2 messages in November 2023 to the ESET public disclosure in April 2026. The group operated without any public detection or attribution during this entire period — a duration that reflects both the efficacy of the LoLS evasion approach and the absence of endpoint telemetry capable of detecting behavioural C2 patterns over trusted enterprise platforms.

The primary disclosed campaign targeted a government entity in Mongolia, where ESET confirmed 12 compromised systems. The access timeline reconstructed from C2 messages indicates persistent access to Mongolian government systems across multiple months, with operators issuing commands, running file enumeration across drive structures, and exfiltrating targeted materials through CompactGopher's file.io pipeline. C2 traffic analysis of the Discord and Slack servers revealed victim telemetry from "dozens" of additional compromised systems not yet publicly identified — indicating GopherWhisper's operational footprint extends substantially beyond the single confirmed case.

GopherWhisper's confirmed targeting centres on government entities in Central Asia, with Mongolia as the primary publicly disclosed victim. The choice of Mongolia aligns with documented Chinese intelligence collection priorities: Mongolia borders both China and Russia, maintains strategic independence between the two powers, and holds significant intelligence value for Beijing around diplomatic communications, mineral resource negotiations, and political positioning.

The "dozens of victims" identified via C2 traffic analysis have not been publicly attributed by ESET. Based on the targeting pattern and the operational resources invested in a three-platform C2 system, the additional victims are assessed with moderate confidence to include other Central Asian government entities, potentially diplomatic missions, or organisations with strategic intelligence value for Chinese state priorities. The use of Go-based backdoors with Slack and Discord C2 is also consistent with tradecraft observed in China-aligned APT operations against Western government contractors and defence industrial base targets — sectors that should treat GopherWhisper's IOC set as immediately relevant.

The [CyberAv3ngers IRGC campaign targeting PLC infrastructure across US critical infrastructure sectors](/blog/cyberav3ngers-irgc-iran-plc-critical-infrastructure) demonstrated that nation-state actors increasingly invest in purpose-built tooling for specific evasion objectives — GopherWhisper represents the same pattern of sustained state-sponsored investment in bespoke C2 infrastructure. The [North Korea supply chain campaign compromising 1,700 packages](/blog/north-korea-supply-chain-1700-packages) similarly showed the willingness of state actors to build out operational infrastructure over multi-year timelines without detection.

GopherWhisper's LoLS C2 approach means traditional network-layer defences — domain blocklists, JA3 TLS fingerprinting, C2 framework signatures — provide no detection value. Effective detection requires process-level behavioural telemetry, specifically around what processes are making API calls to Slack, Discord, and Microsoft Graph API endpoints.

The key detection principle: Slack, Discord, and Microsoft Graph API connections from svchost.exe, rundll32.exe, or any non-standard application binary are anomalous and should trigger immediate investigation. These processes have no legitimate reason to initiate outbound connections to consumer messaging platforms. ESET's full IOC set at github.com/eset/malware-ioc/tree/master/gopherwhisper should be imported into all threat intelligence platforms as a first action.

GopherWhisper APT is a China-aligned threat actor that has been actively compromising government networks for at least three years by routing all C2 traffic through Slack, Discord, and Microsoft 365 Outlook — platforms that enterprise firewalls are structurally configured to trust. ESET's April 23, 2026 disclosure is the first public attribution, but the group's C2 infrastructure reveals dozens of victims beyond the confirmed Mongolian government target. The detection gap is architectural, not technical: traditional network-layer controls provide zero visibility into this C2 technique. Defenders must prioritise process-level behavioural analytics, import ESET's full IOC set at github.com/eset/malware-ioc/tree/master/gopherwhisper into all detection platforms now, and hunt for svchost.exe loading unsigned DLLs — whisper.dll is the first IOC to query.