Emergence of GopherWhisper APT
A sophisticated cyber espionage group known as GopherWhisper has been identified by cybersecurity firm ESET. This advanced persistent threat (APT) group, suspected to be operating from China, leverages legitimate services for its command-and-control (C&C) activities, enabling data exfiltration without raising immediate suspicion. The group’s activities have been traced back to at least November 2023.
Investigation and Discovery
The presence of GopherWhisper was first detected in January 2025 during a probe into a Go-based backdoor found within a Mongolian government system. This investigation led to the discovery of multiple backdoors, custom loaders, and injectors linked to the group. The primary backdoor, named LaxGopher, utilizes Slack for C&C communications, allowing it to execute commands, extract data, and deploy additional payloads on compromised systems.
Furthermore, the group employs an injector called JabGopher, which runs these backdoors inside the memory of a svchost.exe process. Hiding in a trusted Windows host process helps the backdoors stay resident while blending in with normal system activity, making them harder for conventional security tools to spot.
Advanced Tools and Techniques
GopherWhisper’s toolkit includes various sophisticated tools. CompactGopher, a file collector written in Go, compresses files and transmits them through file.io’s public REST API. Another tool, RatGopher, differs from LaxGopher by using Discord for C&C communications, enabling it to open command prompts and manage file transfers.
Additionally, the group utilizes SSLORDoor, a C++ backdoor that communicates over raw TCP sockets wrapped in TLS via OpenSSL BIO. This malware supports a range of operations, including spawning hidden command prompt processes and manipulating files.
Implications and Future Outlook
The investigation by ESET also revealed the deployment of the BoxOfFriends backdoor, which uses the Microsoft Graph API for draft message communications in Outlook, and the FriendDelivery DLL injector. These tools were specifically used against a Mongolian governmental entity, infecting approximately 12 systems, with further potential victims likely.
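A common thread in the tools above is that they hide C&C and exfiltration traffic inside legitimate services (Slack, Discord, file.io, Microsoft Graph) and run from a trusted process such as svchost.exe. The following is an added detection example, not code from ESET or the report: it scans constructed EDR-style network-connection records and flags any process that is not a known client contacting one of those services. The log format, hostnames and the set of "expected client" process names are assumptions for the illustration.

```python
"""Flag endpoint processes that reach the legitimate services GopherWhisper
tooling abuses for C&C and exfiltration (added example, not from the report)."""
import re
from collections import namedtuple

# Services named in the report, mapped to the tool reported to abuse each one.
ABUSED_SERVICES = {
    "slack.com": "LaxGopher (C&C)",
    "discord.com": "RatGopher (C&C)",
    "file.io": "CompactGopher (exfiltration)",
    "graph.microsoft.com": "BoxOfFriends (Outlook drafts)",
}
# Assumed set of processes for which traffic to these services is expected.
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "slack.exe",
                    "discord.exe", "outlook.exe", "teams.exe"}

# Constructed sample records (not real telemetry): process, pid, destination.
SAMPLE_LOG = """\
2025-01-14T08:02:11Z host=WS07 proc=chrome.exe pid=4120 dst=slack.com:443
2025-01-14T08:03:45Z host=WS07 proc=svchost.exe pid=3388 dst=api.slack.com:443
2025-01-14T08:05:02Z host=WS07 proc=svchost.exe pid=3388 dst=file.io:443
2025-01-14T08:06:19Z host=WS07 proc=outlook.exe pid=2210 dst=graph.microsoft.com:443
2025-01-14T08:07:30Z host=WS11 proc=updater.exe pid=5001 dst=discord.com:443
2025-01-14T08:08:01Z host=WS11 proc=svchost.exe pid=912 dst=windowsupdate.com:443
"""

LINE_RE = re.compile(r"host=(\S+) proc=(\S+) pid=(\d+) dst=([^:\s]+):(\d+)")
Finding = namedtuple("Finding", "host proc pid dst tool")

def _matching_service(hostname):
    """Return the abused service a destination belongs to (subdomains included)."""
    for svc in ABUSED_SERVICES:
        if hostname == svc or hostname.endswith("." + svc):
            return svc
    return None

def find_suspicious(log_text):
    """Flag any process outside EXPECTED_CLIENTS that contacts an abused service.
    svchost.exe is not in that set, so the injected-backdoor case is always flagged."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        host, proc, pid, dst, _port = m.groups()
        svc = _matching_service(dst.lower())
        if svc and proc.lower() not in EXPECTED_CLIENTS:
            findings.append(Finding(host, proc, int(pid), dst, ABUSED_SERVICES[svc]))
    return findings

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f.host}: {f.proc} (pid {f.pid}) -> {f.dst}  [{f.tool}]")
```

In a real deployment the allow-list should be tuned per environment; the value of the rule is that a service host process such as svchost.exe has no business talking to chat or file-sharing APIs at all.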
Because the toolset is distinctive and shows no overlap with known APT groups, ESET has categorized GopherWhisper as a new entity and attributes this unique toolset to it. The identification of this APT underscores the evolving nature of cyber threats originating from state-linked actors and emphasizes the need for robust cybersecurity measures.
As geopolitical tensions influence cyber activities, monitoring advancements in cyber threats like GopherWhisper remains crucial for global cybersecurity resilience.
