TTPwire Vol. 1 · MITRE ATT&CK · Tagged


ESET WeLiveSecurity

GopherWhisper: A burrow full of malware

2026-04-23

ATT&CK techniques detected

10 predictions
T1055.001 Dynamic-link Library Injection
97%
“LaxGopher, are written in Go. Since the set of malware we found has no code similarities linking it to any known threat actor, and there was no overlap in tactics, techniques, and procedures (TTPs) with any other group, we decided to attribute the tools to a new group. We chose…”
T1071 Application Layer Protocol
75%
“publishes the results back to the Slack channel configured in the code. LaxGopher can also download further malware to the compromised machine. - CompactGopher: a Go-based file collection tool deployed by operators to quickly compress files from the command line and automatica…”
T1102.002 Bidirectional Communication
71%
“entity: - FriendDelivery: a malicious DLL file serving as a loader and injector that executes the BoxOfFriends backdoor. - BoxOfFriends: a Go-based backdoor that makes use of the Microsoft 365 Outlook mail REST API from Microsoft Graph to create and modify draft email messag…”
T1071.003 Mail Protocols
68%
“apart from C&C communication, RatGopher’s Discord channel also contained Go source code that may have been an early iteration of the backdoor. Additionally, we were able to obtain details about operator machines, since they often used them to run enumeration processes for tes…”
T1583.006 Web Services
65%
“aligned APT group we’ve named GopherWhisper that targeted a governmental entity in Mongolia. - The group’s toolset includes custom Go-based backdoors LaxGopher, RatGopher, and BoxOfFriends, the injector JabGopher, the exfiltration tool CompactGopher, the loader FriendDelive…”
T1219 Remote Access Tools
64%
“publishes the results back to the Slack channel configured in the code. LaxGopher can also download further malware to the compromised machine. - CompactGopher: a Go-based file collection tool deployed by operators to quickly compress files from the command line and automatica…”
T1583.006 Web Services
38%
“GopherWhisper: A burrow full of malware. ESET researchers have discovered a previously undocumented China-aligned APT group that we named GopherWhisper. The group wields a wide array of tools mostly written in Go, using injectors and loaders to deploy and execute various backdo…”
T1584.001 Domains
34%
“…OfFriends – on July 22nd, 2024. Conclusion. Our investigation into GopherWhisper revealed an APT group that uses a varied toolset of custom loaders, injectors, and backdoors. By analyzing the C&C communications obtained from the attacker-operated Slack and Discord channels, …”
T1588.001 Malware
32%
“GopherWhisper: A burrow full of malware. ESET researchers have discovered a previously undocumented China-aligned APT group that we named GopherWhisper. The group wields a wide array of tools mostly written in Go, using injectors and loaders to deploy and execute various backdo…”
T1071.001 Web Protocols
31%
“China Standard Time. Furthermore, the locale for the configured user in Slack metadata was also set to this time zone. We therefore believe that GopherWhisper is a China-aligned group. Based on our investigation, the group’s Slack and Discord servers were first used to test t…”
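The BoxOfFriends excerpt above (the basis for the T1102.002 and T1071.003 tags) describes command-and-control over Microsoft Graph draft messages: the backdoor creates and modifies drafts in the victim's mailbox instead of ever sending mail. One way a defender can hunt for that pattern in Microsoft Graph activity logs, as an added example that is neither ESET's code nor the malware's: group Graph mail calls by user, application and user agent, count draft creates, updates and reads against actual sends, and flag principals that keep touching drafts on a fixed cadence and never send anything. The log lines are constructed in the shape of the MicrosoftGraphActivityLogs table (TimeGenerated, RequestMethod, RequestUri, UserId, AppId, UserAgent); the thresholds, the user and app identifiers, and the use of Go's default HTTP user agent (net/http sends Go-http-client/1.1 unless the program overrides it) as a weak corroborating signal are assumptions of this example, not findings from the article.

```python
import json
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Microsoft Graph Outlook mail paths (v1.0 or beta, /me or /users/{id}):
#   POST  /messages                          -> create a draft
#   PATCH /messages/{id}                     -> modify a draft
#   GET   /messages/{id}, /mailFolders/drafts/messages -> read drafts
#   POST  /messages/{id}/send                -> actually send (a real mail client does this)
_BASE = r"^/(?:v1\.0|beta)/(?:me|users/[^/]+)"
CREATE = re.compile(_BASE + r"/messages/?$")
SINGLE = re.compile(_BASE + r"/messages/[^/]+/?$")
DRAFTS = re.compile(_BASE + r"/mailFolders/drafts/messages")
SEND = re.compile(_BASE + r"/messages/[^/]+/send/?$")

GO_DEFAULT_UA = "Go-http-client/1.1"  # net/http default when the program sets none

# Constructed sample in the shape of the MicrosoftGraphActivityLogs table.
# user-a/app-1111 mimics the assumed draft-based backdoor pattern (create one draft,
# then poll and rewrite it every 60 s, never send); user-b/app-outlook is an ordinary
# mail client. Every identifier and value here is invented for this example.
SAMPLE_LOG = """\
{"TimeGenerated":"2024-07-22T10:00:00Z","RequestMethod":"POST","RequestUri":"https://graph.microsoft.com/v1.0/me/messages","ResponseStatusCode":201,"UserId":"user-a","AppId":"app-1111","UserAgent":"Go-http-client/1.1"}
{"TimeGenerated":"2024-07-22T10:01:00Z","RequestMethod":"GET","RequestUri":"https://graph.microsoft.com/v1.0/me/mailFolders/drafts/messages","ResponseStatusCode":200,"UserId":"user-a","AppId":"app-1111","UserAgent":"Go-http-client/1.1"}
{"TimeGenerated":"2024-07-22T10:02:00Z","RequestMethod":"PATCH","RequestUri":"https://graph.microsoft.com/v1.0/me/messages/AAMk1","ResponseStatusCode":200,"UserId":"user-a","AppId":"app-1111","UserAgent":"Go-http-client/1.1"}
{"TimeGenerated":"2024-07-22T10:03:00Z","RequestMethod":"GET","RequestUri":"https://graph.microsoft.com/v1.0/me/mailFolders/drafts/messages","ResponseStatusCode":200,"UserId":"user-a","AppId":"app-1111","UserAgent":"Go-http-client/1.1"}
{"TimeGenerated":"2024-07-22T10:04:00Z","RequestMethod":"PATCH","RequestUri":"https://graph.microsoft.com/v1.0/me/messages/AAMk1","ResponseStatusCode":200,"UserId":"user-a","AppId":"app-1111","UserAgent":"Go-http-client/1.1"}
{"TimeGenerated":"2024-07-22T10:05:00Z","RequestMethod":"GET","RequestUri":"https://graph.microsoft.com/v1.0/me/mailFolders/drafts/messages","ResponseStatusCode":200,"UserId":"user-a","AppId":"app-1111","UserAgent":"Go-http-client/1.1"}
{"TimeGenerated":"2024-07-22T10:06:00Z","RequestMethod":"PATCH","RequestUri":"https://graph.microsoft.com/v1.0/me/messages/AAMk1","ResponseStatusCode":200,"UserId":"user-a","AppId":"app-1111","UserAgent":"Go-http-client/1.1"}
{"TimeGenerated":"2024-07-22T09:00:00Z","RequestMethod":"POST","RequestUri":"https://graph.microsoft.com/v1.0/me/messages","ResponseStatusCode":201,"UserId":"user-b","AppId":"app-outlook","UserAgent":"Outlook/16.0"}
{"TimeGenerated":"2024-07-22T09:03:12Z","RequestMethod":"PATCH","RequestUri":"https://graph.microsoft.com/v1.0/me/messages/AAMk2","ResponseStatusCode":200,"UserId":"user-b","AppId":"app-outlook","UserAgent":"Outlook/16.0"}
{"TimeGenerated":"2024-07-22T09:07:45Z","RequestMethod":"POST","RequestUri":"https://graph.microsoft.com/v1.0/me/messages/AAMk2/send","ResponseStatusCode":202,"UserId":"user-b","AppId":"app-outlook","UserAgent":"Outlook/16.0"}
{"TimeGenerated":"2024-07-22T09:08:00Z","RequestMethod":"GET","RequestUri":"https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages","ResponseStatusCode":200,"UserId":"user-b","AppId":"app-outlook","UserAgent":"Outlook/16.0"}
"""


def classify(method, uri):
    """Map one Graph call to create/update/read/send, or None if it is not a mail-draft call."""
    path = urlparse(uri).path
    if method == "POST" and SEND.match(path):
        return "send"
    if method == "POST" and CREATE.match(path):
        return "create"
    if method == "PATCH" and SINGLE.match(path):
        return "update"
    if method == "GET" and (SINGLE.match(path) or DRAFTS.match(path)):
        return "read"
    return None


def beacon_interval(times, min_events=5, max_jitter=0.2):
    """Median gap in seconds if the timestamps look like a fixed-interval beacon, else None."""
    if len(times) < min_events:
        return None
    ts = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    med = float(statistics.median(gaps))
    if med <= 0:
        return None
    jitter = statistics.median(abs(g - med) for g in gaps)  # median absolute deviation
    return med if jitter / med <= max_jitter else None


def analyze(log_text, min_draft_ops=5):
    """Return one finding per (user, app, user agent) that churns drafts on a schedule and never sends."""
    ops = defaultdict(lambda: {"create": 0, "update": 0, "read": 0, "send": 0})
    times = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        kind = classify(rec["RequestMethod"], rec["RequestUri"])
        if kind is None:
            continue
        key = (rec["UserId"], rec["AppId"], rec["UserAgent"])
        ops[key][kind] += 1
        times[key].append(datetime.fromisoformat(rec["TimeGenerated"].replace("Z", "+00:00")))
    findings = []
    for key, c in ops.items():
        draft_ops = c["create"] + c["update"] + c["read"]
        interval = beacon_interval(times[key])
        if c["send"] == 0 and draft_ops >= min_draft_ops and interval is not None:
            findings.append({
                "user": key[0], "app": key[1], "user_agent": key[2],
                "draft_ops": draft_ops, "sends": c["send"], "interval_s": interval,
                "go_default_ua": key[2] == GO_DEFAULT_UA,
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The send-to-draft ratio is what separates a mail client from a mailbox used as a dead drop: a user who drafts and then sends looks normal however often they edit, while a principal that only creates, polls and rewrites drafts at a steady cadence has no legitimate reason to exist. The Go user-agent check is kept as a separate field rather than a trigger because the article only says the tools are written in Go, and an operator can set any user agent. The Slack and Discord channels named in the other excerpts are a different control plane (web services, T1583.006) and are better caught at egress, by hosts that contact those APIs while nothing in the environment is supposed to.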

Summary

ESET Research has discovered a new China-aligned APT group that we’ve named GopherWhisper, which targets Mongolian governmental institutions