A previously undocumented state-backed threat actor named GopherWhisper is using a Go-based custom toolkit and legitimate services like Microsoft 365 Outlook, Slack, and Discord in attacks against government entities.
Active since at least 2023, the hackers have been linked to China and are estimated to have compromised dozens of victims.
In a campaign identified by cybersecurity company ESET, the threat actor targeted a government entity in Mongolia and deployed a malware set with multiple backdoors that used Slack, Discord, and the Microsoft Graph API for command-and-control (C2) communication.
GopherWhisper also used a custom exfiltration tool to compress stolen data and upload it to the File.io file-sharing service.
In January 2025, ESET detected the first GopherWhisper backdoor, which is written in Go, and named it LaxGopher. The malware can retrieve commands from a private Slack server, execute them through the Command Prompt, and download new payloads.
Further investigation revealed that the threat actor had deployed additional malicious tools, most of them Go-based:
RatGopher – Go-based backdoor that uses a private Discord server for C2, executing commands and posting results back to a configured channel.
BoxOfFriends – Go-based backdoor that leverages Microsoft 365 Outlook through the Microsoft Graph API, creating and modifying draft emails to carry C2 communication.
SSLORDoor – C++ backdoor using OpenSSL BIO over raw sockets (port 443), capable of executing commands and performing file operations (read, write, delete, upload) and drive enumeration.
JabGopher – Injector that launches svchost.exe and injects the LaxGopher backdoor (disguised as whisper.dll) into its memory.
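All of the backdoors listed above hide their C2 or exfiltration traffic inside connections to legitimate services (Slack, Discord, Microsoft Graph, File.io), so one defender-side check is to baseline which processes are expected to reach those services and alert on anything else, such as svchost.exe, which JabGopher uses as an injection host. The script below is an added example and is not ESET's code or any part of the reported toolkit; the endpoint-telemetry line format, the process allowlist, and the sample log lines are constructed assumptions for the demo.

```python
"""Flag outbound connections to collaboration and file-sharing services from
processes that normally have no reason to contact them.

Added example, not ESET's or GopherWhisper's code. The telemetry format,
the allowlist and the log lines are assumptions constructed for this demo.
"""
import re
from collections import defaultdict

# Services the report names as C2 or exfiltration channels.
WATCHED_DOMAINS = {
    "slack.com": "Slack (LaxGopher C2)",
    "discord.com": "Discord (RatGopher C2)",
    "discord.gg": "Discord (RatGopher C2)",
    "graph.microsoft.com": "Microsoft Graph (BoxOfFriends draft-email C2)",
    "file.io": "File.io (exfiltration)",
}

# Processes expected to reach these services in an assumed baseline
# environment: browsers and the official desktop clients. Tune per estate.
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe",
                      "slack.exe", "discord.exe", "outlook.exe", "teams.exe"}

# Assumed telemetry line: <ts> host=<h> proc="<path>" pid=<n> dst=<fqdn>:<port>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) proc="(?P<proc>[^"]+)" '
    r'pid=(?P<pid>\d+) dst=(?P<dst>[^:\s]+):(?P<port>\d+)$'
)


def parse_line(line):
    """Parse one telemetry line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def matched_service(dst):
    """Return the watched-service label for a destination FQDN, matching the
    domain itself or any of its subdomains; None if it is not watched."""
    dst = dst.lower().rstrip(".")
    for domain, label in WATCHED_DOMAINS.items():
        if dst == domain or dst.endswith("." + domain):
            return label
    return None


def find_suspicious(lines):
    """Return one alert per watched-service connection made by a process
    that is not on the expected-process allowlist."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or unrelated line
        label = matched_service(rec["dst"])
        if label is None:
            continue  # destination is not a watched service
        proc = rec["proc"].rsplit("\\", 1)[-1].lower()  # basename of the image path
        if proc in EXPECTED_PROCESSES:
            continue  # a client that is expected to talk to this service
        alerts.append({
            "ts": rec["ts"], "host": rec["host"], "proc": proc,
            "pid": int(rec["pid"]), "dst": rec["dst"], "service": label,
        })
    return alerts


def summarize(alerts):
    """Map each host to the sorted set of offending process names."""
    by_host = defaultdict(set)
    for a in alerts:
        by_host[a["host"]].add(a["proc"])
    return {h: sorted(p) for h, p in by_host.items()}


# Constructed sample telemetry (not real data): one host with an injected
# svchost.exe talking to Slack and File.io, another with an unknown binary
# reaching Microsoft Graph, plus benign client traffic that must not alert.
SAMPLE_LOG = r"""
2025-01-14T08:02:11Z host=ws-17 proc="C:\Program Files\Slack\slack.exe" pid=4120 dst=api.slack.com:443
2025-01-14T08:02:40Z host=ws-17 proc="C:\Windows\System32\svchost.exe" pid=7788 dst=api.slack.com:443
2025-01-14T08:03:02Z host=ws-17 proc="C:\Windows\System32\svchost.exe" pid=7788 dst=file.io:443
2025-01-14T08:05:19Z host=ws-22 proc="C:\Users\a\AppData\Local\Discord\discord.exe" pid=2210 dst=gateway.discord.gg:443
2025-01-14T08:06:44Z host=ws-22 proc="C:\Windows\Temp\update.exe" pid=9901 dst=graph.microsoft.com:443
2025-01-14T08:07:00Z host=ws-22 proc="C:\Program Files\Google\Chrome\chrome.exe" pid=3300 dst=www.example.com:443
"""

if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG.strip().splitlines())
    for a in found:
        print(f"{a['ts']} {a['host']} {a['proc']}[{a['pid']}] -> {a['dst']} ({a['service']})")
    print(summarize(found))
```

Run against the constructed sample, the script reports the two svchost.exe connections on ws-17 and the unknown update.exe on ws-22 while staying silent on the Slack, Discord and Chrome clients. An allowlist keyed only on image name is deliberately simple; in production you would also check the image path and signer, since an attacker can name a dropper after a legitimate client.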