A previously unknown advanced persistent threat (APT) group, dubbed GopherWhisper, has been linked to a cyber‑espionage campaign targeting government entities in Mongolia. According to new research from cybersecurity vendor ESET, the actors rely heavily on malware written in the Go programming language and disguise their command-and-control (C2) traffic as legitimate use of mainstream cloud collaboration services.
Who Is GopherWhisper? Understanding the New China-Aligned APT
APT operations are long-running, well-funded intrusions typically associated with state interests or highly organized groups. They focus on stealthy, persistent access rather than quick financial gain. ESET assesses that GopherWhisper fits this profile, based on its choice of targets, the nature of its toolset, and its emphasis on covert data collection.
The campaign came to light in January 2025 when investigators identified a previously undocumented Go backdoor, named LaxGopher, on a workstation inside a Mongolian government agency. Further telemetry and infrastructure analysis showed that LaxGopher was not a one-off sample, but part of a broader modular espionage platform engineered to maintain durable, hidden access to sensitive networks.
Go and C++ Backdoors: A Modular Cyber-Espionage Toolset
One of the defining technical traits of GopherWhisper is its extensive use of malware families written in Go (Golang). Go enables rapid development of cross-platform binaries and typically produces large, monolithic, statically linked executables that can complicate static analysis and signature-based detection by traditional antivirus tools.
The toolset described by ESET includes several complementary modules:
Injectors and loaders. Lightweight components are used to inject malicious code into legitimate processes or to load the main backdoor directly into memory. This fileless execution strategy reduces forensic artifacts on disk and lowers the chance of being caught by basic endpoint defenses.
Multiple Go backdoor families. These implants connect to remote C2 endpoints, receive operator instructions, execute system commands, harvest host and network information, manage local files, and exfiltrate results. The use of more than one backdoor family suggests an effort to diversify capabilities and complicate incident response.
Dedicated file collection tool. A specialized utility searches for documents and other sensitive files, aggregates them, and prepares them for stealthy exfiltration. This function indicates a clear focus on intelligence gathering rather than disruption or ransomware-style monetization.
C++ backdoor with full remote control. In addition to Go-based tools, GopherWhisper deploys at least one C++ backdoor that grants operators extensive control over infected hosts, including file management, process execution, and deployment of new modules. Using different languages and code bases in one operation is a common tactic in sophisticated APT campaigns to evade single-point detection.
Abusing Discord, Slack and Microsoft 365 Outlook as C2 Channels
A particularly concerning aspect of this campaign is its reliance on legitimate cloud services for C2 communication. ESET reports that GopherWhisper uses:
Discord and Slack. These ubiquitous collaboration platforms are increasingly abused by threat actors worldwide. Because their traffic is encrypted and widely allowed through corporate firewalls, malicious communications can easily blend in with normal usage.
Microsoft 365 Outlook. The group leverages the popularity of Microsoft 365 email in government and enterprise environments to route commands and data through what appears to be regular mail traffic.
file.io for data exfiltration. Stolen documents are uploaded to the file-sharing service file.io, further masking malicious activity as everyday file transfer operations.
Numerous incident reports from vendors such as Microsoft and Mandiant have highlighted that abuse of SaaS and collaboration tools as covert C2 channels is now a mainstream APT tactic. Blocking these services outright is rarely feasible, which gives attackers a significant strategic advantage.
Scale of the Compromise and Indicators of China Alignment
ESET’s telemetry indicates that at least 12 systems within a single Mongolian government organization were compromised by GopherWhisper backdoors. Correlated network traffic to Discord- and Slack-based C2 endpoints suggests the presence of further victims, likely numbering in the dozens and potentially including additional entities both inside and outside Mongolia.
The initial access vector remains unconfirmed. However, based on patterns observed in comparable espionage operations, plausible options include phishing emails, exploitation of unpatched internet-facing services, or abuse of weakly protected accounts (for example, lacking multi-factor authentication). These methods are widely documented in public threat intelligence from organizations such as CISA and ENISA as common entry points for state-aligned actors.
ESET cautiously characterizes GopherWhisper as China-aligned. This assessment is supported by temporal and regional indicators: the primary operator activity in Slack and Discord occurred between 08:00 and 17:00 China Standard Time, and system locale metadata was also aligned with that time zone. While none of these factors alone constitutes definitive attribution, when combined with the strategic targeting of a neighboring state’s government institutions and the operation’s tradecraft, they are consistent with previously reported China-linked espionage behavior.
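The working-hours indicator described above, as an added example rather than ESET's own analysis: it buckets C2 operator timestamps by local hour for several candidate UTC offsets and ranks them by how much activity falls in the 08:00 to 17:00 window. The timestamps and the zone list are constructed assumptions; real input would be message times from the Slack or Discord C2 channels, and, as the article notes, this is a supporting signal, not attribution on its own.

```python
"""Score candidate time zones by how much C2 operator activity falls in business hours.
Added example, not ESET's analysis. Timestamps are constructed; real input would be
message times from the Slack/Discord C2 channels. Hours alone are a weak signal."""
from datetime import datetime, timedelta, timezone

# Fixed-offset candidates (assumed); extend with the zones relevant to your case.
CANDIDATE_ZONES = {"UTC": 0, "UTC+3": 3, "UTC+8 (China Standard Time)": 8}

def hour_histogram(utc_timestamps, utc_offset_hours):
    """24-slot count of events by local hour for a fixed UTC offset (no DST)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hist = [0] * 24
    for ts in utc_timestamps:
        dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        hist[dt.astimezone(tz).hour] += 1
    return hist

def business_hours_share(hist, start=8, end=17):
    """Fraction of events in [start, end) local time; 08:00-17:00 is the window ESET cites."""
    total = sum(hist)
    return sum(hist[start:end]) / total if total else 0.0

def rank_zones(utc_timestamps, zones=CANDIDATE_ZONES):
    """Return (zone name, business-hours share) pairs, best-fitting zone first."""
    scored = [(name, business_hours_share(hour_histogram(utc_timestamps, off)))
              for name, off in zones.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Constructed operator-activity timestamps (UTC); 8 of 10 fall in 08:00-17:00 UTC+8.
SAMPLE_ACTIVITY = [
    "2025-01-14T00:30:00Z", "2025-01-14T01:10:00Z", "2025-01-14T02:45:00Z",
    "2025-01-14T03:20:00Z", "2025-01-14T05:00:00Z", "2025-01-14T06:15:00Z",
    "2025-01-14T07:40:00Z", "2025-01-14T08:55:00Z", "2025-01-14T09:30:00Z",
    "2025-01-14T16:00:00Z",
]
```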
Defensive Lessons: Why Traditional Perimeter Security Is Not Enough
The GopherWhisper operation underscores that classic perimeter defenses and basic firewall rules are insufficient when attackers blend into encrypted SaaS traffic and leverage legitimate collaboration tools as covert channels.
Key Security Measures for Governments and Critical Organizations
To reduce the risk of similar intrusions, organizations — especially government agencies and operators of critical infrastructure — should prioritize the following controls:
Deep monitoring of SaaS and collaboration platforms. Implement extended logging and behavioral analytics for Slack, Teams, Discord, and Microsoft 365. Look for anomalous logins, unusual data access patterns, and suspicious API usage rather than relying solely on simple block/allow lists.
Deploy EDR/XDR across endpoints and servers. Modern Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) tools can identify suspicious process chains, in-memory code loading, and unusual outbound connections, even when the underlying traffic is encrypted.
Network segmentation and least-privilege access. Limit which systems can reach external collaboration services, enforce least-privilege network and identity policies, and apply strict controls over file-sharing and data export paths.
Strengthen human defenses against phishing. Regular security awareness training, simulated phishing campaigns, and clear incident-reporting procedures remain essential, as human error continues to be one of the most common initial compromise vectors in APT cases.
Vulnerability and patch management. Maintain an aggressive program for updating operating systems, applications, and exposed services, particularly mail servers, VPN gateways, and web-facing applications that are frequently targeted by state-aligned actors.
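The SaaS monitoring control above, applied to the C2 and exfiltration channels this campaign used (Discord, Slack, Microsoft 365 Outlook and file.io), as an added example that is not ESET's or any vendor's code: it reads proxy-style log lines that record which process on a host contacted which destination, and reports connections to those services from processes that are not the expected clients, plus large uploads from any process. The log format, hostnames, process allowlist and upload threshold are constructed assumptions to adapt to your own proxy or EDR data.

```python
"""Added example (not ESET's code): flag connections to the services GopherWhisper abused.
Log format, hostnames, process allowlist and threshold are constructed; adapt to your data."""
import re
from collections import namedtuple
Event = namedtuple("Event", "ts host proc method dest bytes_out")
# Processes expected to talk to each service on a managed workstation (assumed);
# file.io has no sanctioned use here, so any connection to it is reported.
EXPECTED_CLIENTS = {
    "discord": {"discord.exe", "chrome.exe", "msedge.exe"},
    "slack": {"slack.exe", "chrome.exe", "msedge.exe"},
    "outlook": {"outlook.exe", "chrome.exe", "msedge.exe"},
    "file.io": set(),
}
SERVICE_PATTERNS = [
    ("discord", re.compile(r"(^|\.)discord(app)?\.com$")),
    ("slack", re.compile(r"(^|\.)slack\.com$")),
    ("outlook", re.compile(r"^(outlook\.office365\.com|graph\.microsoft\.com)$")),
    ("file.io", re.compile(r"(^|\.)file\.io$")),
]
UPLOAD_THRESHOLD = 1_000_000  # bytes sent; larger uploads are reported even from allowed clients
LINE_RE = re.compile(r"^(\S+) host=(\S+) proc=(\S+) (GET|POST|PUT) (\S+) bytes_out=(\d+)$")

def parse(line):
    """Parse one constructed proxy log line; returns None for malformed lines."""
    m = LINE_RE.match(line.strip())
    return m and Event(m[1], m[2], m[3].lower(), m[4], m[5].lower(), int(m[6]))

def classify(dest):
    """Map a destination hostname to one of the abused services, or None."""
    return next((svc for svc, pat in SERVICE_PATTERNS if pat.search(dest)), None)

def analyse(lines):
    """Return (host, proc, service, reason) tuples for connections worth triage."""
    alerts = []
    for ev in filter(None, map(parse, lines)):
        svc = classify(ev.dest)
        if svc and ev.proc not in EXPECTED_CLIENTS[svc]:
            alerts.append((ev.host, ev.proc, svc, "unexpected client process"))
        elif svc and ev.method in ("POST", "PUT") and ev.bytes_out > UPLOAD_THRESHOLD:
            alerts.append((ev.host, ev.proc, svc, "large upload"))
    return alerts

# Constructed sample: implant-like activity on ws-07, normal client traffic on ws-12.
SAMPLE_LOG = """\
2025-01-14T01:12:03Z host=ws-07 proc=svchost.exe POST discord.com bytes_out=912
2025-01-14T01:12:40Z host=ws-07 proc=svchost.exe GET api.slack.com bytes_out=310
2025-01-14T01:15:09Z host=ws-07 proc=svchost.exe POST file.io bytes_out=5242880
2025-01-14T01:20:00Z host=ws-12 proc=chrome.exe GET discord.com bytes_out=845
2025-01-14T01:21:15Z host=ws-12 proc=outlook.exe POST outlook.office365.com bytes_out=20480
"""
```

Running `analyse(SAMPLE_LOG.splitlines())` reports the three svchost.exe connections on ws-07 and nothing for ws-12; the same host-to-service join can be fed from EDR network telemetry where process names are available.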
As GopherWhisper demonstrates, state-level cyber-espionage operations are increasingly sophisticated, quiet, and tightly integrated with everyday cloud services. Organizations that invest early in continuous monitoring, incident response readiness, and strong controls around communication and collaboration platforms will be far better positioned to detect and contain similar APT campaigns before they turn into long-term, high-impact compromises.