{
	"id": "0604c908-6b39-4032-b3a9-da7df9180b36",
	"created_at": "2026-05-01T03:09:21.674571Z",
	"updated_at": "2026-05-01T03:10:50.90786Z",
	"deleted_at": null,
	"sha1_hash": "db638f5be9aa336af8dc183bc1758322530447ce",
	"title": "",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "2026-04-20T12:48:45Z",
	"file_modification_date": "2026-04-20T12:49:03Z",
	"file_size": 1109406,
	"plain_text": "ESET Research white papers\r\n23 April, 2026\r\nGopherWhisper:\r\nA burrow full of\r\nmalware\n\n1 GopherWhisper: A burrow full of malware\r\nTABLE OF CONTENTS\r\nEXECUTIVE SUMMARY\r\nGOPHERWHISPER PROFILE\r\nOVERVIEW\r\nVictimology\r\nAttribution\r\nAbusing legitimate messaging services\r\nGOPHERWHISPER’S TOOLSET\r\nJabGopher\r\nLaxGopher\r\nCompactGopher\r\nRatGopher\r\nSSLORDoor\r\nFriendDelivery\r\nBoxOfFriends\r\nCONCLUSION\r\nIOCS\r\nFiles\r\nNetwork\r\nMITRE ATT\u0026CK TECHNIQUES\r\n \r\nAuthor:\r\nEric Howard\r\nEXECUTIVE SUMMARY\r\nESET researchers have discovered a previously undocumented China-aligned APT group that we have\r\nnamed GopherWhisper. 
The group wields a wide array of tools mostly written in Go, using injectors and\r\nloaders to deploy and execute various backdoors in its arsenal. For C\u0026C communication and exfiltration,\r\nGopherWhisper abuses legitimate services. In the observed campaign, the threat actors mainly targeted a\r\ngovernment entity in Mongolia. During our analysis, we identified multiple Slack and Discord API tokens\r\nand were able to use them to extract C\u0026C messages from those services, which gave us invaluable insights\r\ninto the inner workings of the group.\r\nKey findings:\r\n• In January 2025, ESET Research observed a backdoor being deployed against a government entity in\r\nMongolia, leading to the discovery of a new APT group that we have named GopherWhisper.\r\n• The group’s toolset that we initially discovered includes the custom Go-based backdoors LaxGopher\r\nand RatGopher, the injector JabGopher, the exfiltration tool CompactGopher, and a C++ backdoor\r\nSSLORDoor.\r\n• Pivoting on this discovery, we also found a backdoor, which we named BoxOfFriends, and a loader that\r\ninstalls BoxOfFriends – FriendDelivery – both previously publicly undocumented. These had also been\r\ndeployed to compromised systems belonging to the Mongolian governmental institution.\r\n• GopherWhisper leverages legitimate services for C\u0026C communications and exfiltration, notably\r\nDiscord, Slack, Microsoft 365 Outlook, and the file.io service.\r\n• We analyzed C\u0026C traffic from the attacker’s Slack and Discord channels, gaining information about the\r\ngroup’s internal operations and post-compromise activities.\r\nGOPHERWHISPER PROFILE\r\nGopherWhisper is a China-aligned cyberespionage group. It uses custom backdoors – LaxGopher,\r\nRatGopher, SSLORDoor, and BoxOfFriends – and legitimate services such as Discord, Slack, Microsoft\r\nGraph, and file.io for command and control (C\u0026C) communications and exfiltration. 
GopherWhisper has\r\nbeen active since at least November 2023 and, as of January 2025, ESET telemetry showed that this group\r\nhad been targeting governmental institutions in Mongolia.\r\nOVERVIEW\r\nIn January 2025, using ESET telemetry, we detected a new backdoor, written in Go, at a governmental\r\norganization in Mongolia; we named this backdoor LaxGopher. This prompted us to investigate further,\r\nwhich led to the discovery of several more malicious tools, most of them also written in Go. Looking at\r\nfiles dropped on the compromised system by the attackers, we found JabGopher, an injector that contains\r\nLaxGopher embedded in its resources. Reviewing LaxGopher’s C\u0026C messages from a private Slack server\r\nallowed us to identify a data exfiltration tool that we have named CompactGopher.\r\nWe also unearthed two other backdoors: RatGopher and SSLORDoor. RatGopher leverages Discord for\r\ncommunication with the operators. SSLORDoor, unlike the rest of the tools that we had discovered at that\r\npoint, was not written in Go but in C++. It implements an OpenSSL layer along with obfuscated RC4\r\nencryption to pass messages back and forth with the operators.\r\nThe discovery of the initial toolset later allowed us to pivot in ESET telemetry and to uncover a suspicious\r\nDLL file. This file, FriendDelivery, is an injector that executes yet another Go-based backdoor created by\r\nthe GopherWhisper group. We named the newly discovered backdoor BoxOfFriends, from the name of the\r\nGo package in the backdoor that contains all the malicious code. Unlike the previously discovered\r\nbackdoors, this new one makes use of the Microsoft 365 Outlook mail REST API from Microsoft Graph to\r\ncreate and modify draft email messages for its C\u0026C communications. 
During our analysis, we obtained the\r\ntokens used for interacting with the API and extracted the contents of the Inbox, Drafts, and Deleted\r\nItems folders of the email account.\r\nVictimology\r\nAccording to ESET telemetry, approximately 12 victim systems impacted by the backdoors are part of a\r\nMongolian governmental institution.\r\nBy analyzing the C\u0026C traffic from the attacker-operated Discord and Slack servers, we estimate that\r\ndozens of other victims were affected too, though we don’t have any information about their geolocation\r\nor verticals.\r\nFigure 1 shows a timeline of the appearance of GopherWhisper tools on one of the systems at the targeted\r\nMongolian institution, according to ESET telemetry.\r\n \r\nFigure 1. Timeline of GopherWhisper tools first appearing in ESET telemetry\r\nAttribution\r\nDue to the lack of similarities in code, TTPs, and targeting to any existing APT group, we have created\r\nGopherWhisper as a new group and attribute the described toolset to it.\r\nThe name GopherWhisper was chosen because the majority of the group’s tools were written in the Go\r\nlanguage, which has a gopher as its mascot, and based on the whisper.dll filename of a DLL that is side-loaded.\r\nWe believe that GopherWhisper is a China-aligned group based on the following: the LaxGopher backdoor\r\ncontains a hardcoded Slack token, which allowed us to obtain the metadata JSON object from the\r\nchannels in the Slack server with the locale key zh-CN, used for China. Locales in Slack are not defined by\r\nthe server but are configured either by each user to format message text or globally in the Slack\r\nworkspace. 
The presence of the zh-CN locale therefore likely means that operators are China-aligned and\r\nare using the national Beijing time zone (UTC+8), otherwise known internationally as China Standard\r\nTime.\r\nGopherWhisper is characterized by the following:\r\n• A toolset consisting of a custom C++ backdoor that we have named SSLORDoor, malicious DLLs\r\nFriendDelivery and JabGopher, and custom Go-based tools:\r\n° LaxGopher,\r\n° CompactGopher,\r\n° RatGopher, and\r\n° BoxOfFriends.\r\n• Use of legitimate messaging services for C\u0026C communications:\r\n° Discord,\r\n° Slack, and\r\n° Microsoft 365 Outlook.\r\n• Use of the legitimate file.io file sharing service for data exfiltration.\r\nAbusing legitimate messaging services\r\nWhile analyzing GopherWhisper’s toolset, we found that the backdoors LaxGopher, RatGopher, and\r\nBoxOfFriends were all configured with hardcoded credentials for Slack, Discord, and Microsoft 365\r\nOutlook, respectively. Using the credentials, we were able to successfully connect to the associated\r\naccounts and discovered that the operators were using these services as C\u0026C servers. In total, we\r\nrecovered 9,098 messages from these services, giving us insight into commands, uploaded files, and\r\ntesting activities.\r\nSlack and Discord communication\r\nOur analysis of the attacker’s C\u0026C server traffic revealed that the LaxGopher and RatGopher operators\r\nwere actively using Slack and Discord to issue commands. We retrieved and analyzed a total of 6,044 Slack\r\nmessages going back to August 21, 2024, and 3,005 Discord messages with the earliest dating from\r\nNovember 16, 2023. Timestamp inspection of these Slack messages showed that the commands were\r\nissued between 12 a.m. and 12 p.m. UTC, while Discord message history revealed commands being sent\r\nbetween 12 a.m. and 2 p.m. UTC. 
As shown in Figure 2 and Figure 3, converting these times to UTC+8, a\r\ntime zone used in regions associated with the zh-CN locale found in the metadata of the Slack server, shows\r\nthat the activity aligns well with working hours in a UTC+8 time zone, notably increasing the suspicion that\r\nthe group is most likely China-aligned. Based on these figures we can also see that, under UTC+8, most\r\nactivity occurred between 8 a.m. and 5 p.m.\r\n \r\nFigure 2. Slack messages every hour\r\n \r\nFigure 3. Discord messages every hour\r\nInterestingly, the same Slack and Discord servers were apparently first used by the operators to test the\r\nfunctionality of the backdoors, and then later, without clearing the logs, also used as C\u0026C servers for the\r\nLaxGopher and RatGopher backdoors on multiple compromised machines. Thanks to that, we were able to\r\nobtain not only information about the attackers’ post-compromise activities, but also about the attackers’\r\nenvironment, as they uploaded files from their testing systems during the testing phase.\r\nLaxGopher’s Slack channel\r\nBased on the messages we collected, LaxGopher C\u0026C communications, which began on August 21, 2024,\r\nwere mainly being used to send commands for disk and file enumeration. If these enumerations caused a\r\nlarge feed of data, results were written to files and uploaded to the Slack server.\r\nIn addition to the built-in LaxGopher commands, and based on the Slack message logs, we saw the\r\nfollowing tools and commands being pushed and executed via the hidden command prompt run by the\r\nbackdoor:\r\n• An old tool named rp.exe (SHA-1: 039EB329A173FCE7EFECA18611A8F2C0F7D24609) that executes a file\r\nwhile using the token impersonation technique.\r\n• WebBrowserPassView, a NirSoft tool that extracts stored web browser credentials to the file path\r\nspecified with the /stext argument. 
According to the backdoor commands, the tool was executed via\r\nrp.exe.\r\n• CompactGopher, a tool to compress, encrypt, and exfiltrate data, covered later in this white paper.\r\n• The PowerShell command get-mppreference | select exclusionpath | ft -autosize run with\r\nadministrative privileges, to check for Windows Defender exclusion paths and thus identify paths\r\nwhere additional payloads could be downloaded without being scanned.\r\nIn addition to the files uploaded to the Slack C\u0026C server from operator machines, we also found messages\r\nwith several interesting GitHub repositories with malicious code, as listed in Table 1. Based on the source\r\ncode in each repository, we assume that these repositories could have been used as a resource for learning\r\nand a reference during development.\r\nTable 1. GitHub repositories found within test uploads from operators\r\nRepository Description\r\nhttps://github.com/kardianos/service Install, start, and related activities to service daemons for all\r\noperating systems with Go.\r\nhttps://github.com/NHAS/stab Go local and remote process injections for x86 and x64.\r\nhttps://github.com/kirinlabs/utils Go encryption and compression utilities, among others.\r\nhttps://github.com/wumansgy/goEncrypt Various encryption methods implemented in Go.\r\nRatGopher’s Discord channel\r\nThe earliest messages we obtained from the RatGopher Discord server consisted of cleartext and base64-\r\nencoded strings used for testing communication and commands. Then, in late December 2024, we began\r\nseeing encryption play a role, with the obtained base64-encoded messages being stored as ciphertext.\r\nWe also found Go source code uploaded to the Discord channel. The operators were most likely testing\r\nthe C\u0026C mechanism by uploading assorted files from their testing systems and ended up inadvertently\r\nsharing information about their activities with us. 
Based on the developer path\r\n~/go/src/discord/bot_client/test1, it’s clear that this code is a test variant. The code itself was found\r\nin an immature state where it was also apparent that it had limited capabilities. Within the source code\r\nwe also saw creation of a shell through /bin/bash, demonstrating that it was intentionally written for a\r\nLinux-based host. We can safely assume that this code is an early iteration of RatGopher.\r\nRatGopher’s operators also left behind command result messages in the Discord channel, giving us a sense\r\nof what RatGopher may look like at a directory level, along with timestamps, as seen in Figure 4.\r\n \r\nFigure 4. Directory of RatGopher\r\nSince RatGopher’s operators often ran enumeration commands on their own machines for testing\r\npurposes, we were able to obtain details about their machines, as seen in Figure 5. For example, we can\r\nsee that the operator uses a virtual machine based on VMware. Looking at the configured locale and time\r\nzone, it is likely that this machine was configured using the default values during the installation process\r\nof Windows. Additionally, from the network adapters, a VPN is being used, probably to circumvent blocks\r\nthat could prevent connectivity to Discord, like blocks placed in China.\r\n \r\nFigure 5. Operator machine OS enumeration\r\nMicrosoft 365 Outlook communication\r\nBoxOfFriends uses the Microsoft Graph API for communications between the backdoor and the C\u0026C hosted\r\nby a cloud instance of Microsoft 365. Using its hardcoded credentials, we were also able to extract email\r\nmessages that behaved as command and response messages for the BoxOfFriends backdoor. As a result,\r\n43 draft messages, one deleted message, and five inbox messages were obtained. From retrieved\r\nmessages, we discovered that the welcome email message from Microsoft, from when the account was\r\ncreated, had never been deleted. 
This message confirmed that the account\r\nbarrantaya.1010@outlook[.]com was created on July 11, 2024, just 11 days before the compilation date of\r\nthe FriendDelivery DLL – the loader used to execute BoxOfFriends – on July 22, 2024. We also noticed that\r\na request for a Microsoft security code, used by Microsoft for authentication purposes, was sent to\r\nTa\u003credacted_by_Outlook\u003e0@outlook.com. Due to how Microsoft obfuscates this, we were unable to\r\ndetermine the full email address.\r\nGOPHERWHISPER’S TOOLSET\r\nA schematic overview of GopherWhisper’s arsenal is provided in Figure 6; individual components are\r\ndetailed in the following subsections.\r\n \r\nFigure 6. GopherWhisper toolset overview\r\nGopherWhisper’s tools use several methods for collecting and exfiltrating data. LaxGopher uses its own\r\nupload command to send files directly to the operator’s Slack server. We also discovered through\r\ndecrypted LaxGopher messages that operators deployed CompactGopher to exfiltrate files in encrypted,\r\ncompressed archives to file.io. RatGopher, on the other hand, has many of these functions built in –\r\nspecifically, RatGopher allows operators to upload to and download from file.io directly without using any\r\nadditional tools deployed on the targeted machine.\r\nJabGopher\r\nJabGopher is an injector that executes the LaxGopher backdoor. JabGopher, found in the file whisper.dll, is\r\nside-loaded by the legitimate whisper.exe, a C++ version of Whisper, a popular automatic speech\r\nrecognition model compiled from whisper.cpp.\r\nJabGopher begins execution through whisper.exe side-loading JabGopher’s whisper.dll from the\r\ndirectory C:\\Program Files\\Internet Explorer\\. On execution, a check is performed to determine the\r\nexistence of C:\\ProgramData\\Microsoft\\EdgeUpdate\\Log\\backup.log, which we believe is dropped by\r\nthe operators. 
Should this file not exist, the process quits immediately. Should the check pass, the DLL’s PE\r\nresource AAA with a resource ID of 101 – an encrypted copy of the LaxGopher backdoor – is read from\r\nJabGopher’s whisper.dll. Once the resource is loaded into memory, a custom decryption method is used\r\nto decipher the resulting LaxGopher PE, storing the result in memory. JabGopher then spawns a new\r\ninstance of svchost.exe to be used for process hollowing. After allocating a new section of memory into\r\nsvchost.exe, the decrypted LaxGopher PE is written, executing the backdoor. Figure 7 illustrates\r\nJabGopher’s execution chain.\r\n \r\nFigure 7. JabGopher execution chain overview\r\nLaxGopher\r\nLaxGopher is a Go-based backdoor that interacts with a private Slack server to retrieve C\u0026C messages. On\r\nsuccessful execution of commands, results are sent back to either a main or dedicated Slack channel\r\nconfigured by the backdoor. LaxGopher’s configuration – a Slack API token and a channel ID – is decoded\r\nand decrypted as part of the Go initialization function. Initialization first base64 decodes the stored\r\nconfiguration, with the first 16 bytes containing the initialization vector (IV) and the rest as ciphertext. All\r\nsamples we’ve analyzed perform the same decryption on the ciphertext: using AES-CFB-128 with the key\r\nha,just_kidding! and the IV extracted as described, storing the decrypted Slack token and channel ID at\r\na global memory address for later use.\r\nLaxGopher has the following capabilities:\r\n• interactively execute commands via cmd.exe,\r\n• upload victim data,\r\n• download further malware and adversary tools, and\r\n• change Slack API tokens and channel IDs.\r\nAs mentioned previously, LaxGopher begins by decrypting a Slack API token and channel ID to initialize a\r\nSlack client by leveraging the slack-go library. The channel ID configured in the backdoor points to a main\r\nchannel. 
The main channel of the operator’s Slack server, by default, sends commands across all connected\r\nLaxGopher instances. Operators can then send a specific backdoor command to this channel, intended for\r\na specific host, to trigger a change of the API key and channel ID. This change ensures that C\u0026C\r\ncommunications to the specified host will be directed to a dedicated channel; see the change command in\r\nTable 2.\r\nLaxGopher, after successfully connecting to Slack, enters an infinite loop awaiting activation. Iterations of\r\nthis loop perform message reads from the main Slack channel, where each message is decrypted in the\r\nsame way as the hardcoded configuration. Once a message of How are you? is posted to the channel and\r\ndecrypted by the backdoor, LaxGopher activates itself and exits the loop.\r\nFollowing activation, confirmation is sent back to the operator in the format of I’m\u003ccomputer_name\u003e\r\nwhere \u003ccomputer_name\u003e is obtained via the GetComputerNameEx API. After activation confirmation, in a\r\nloop, LaxGopher retrieves any new messages from the channel, which can contain any of the commands\r\nshown in Table 2.\r\nTable 2. LaxGopher commands\r\nCommand\r\nID Argument Description\r\ncooom: Boolean (1) 1 activates the command line interface to execute commands via\r\ncmd.exe.\r\ncommand: String\r\nMessages in the Slack channel with the command:\u003cvalue\u003e syntax are\r\nparsed and executed through the cmd.exe instance that had been opened\r\nby cooom:1. 
Once the command is completed, the output is sent back to\r\nthe Slack channel as an encrypted message.\r\nupload: Path Uploads a local file with the specified path to the Slack channel.\r\ndownload: Boolean (1) Triggers LaxGopher to list all files in the channel and download them to\r\nthe current working directory, one by one.\r\n\u003chostname\u003e/\r\nchange:\r\n\u003ctoken\u003e,\r\n\u003cchannel\u003e\r\nUpdates the Slack token and channel ID stored in memory for a specific\r\nhost, which directs subsequent C\u0026C communication to a Slack channel\r\ndedicated to that host. This makes it more difficult for analysts to track\r\nC\u0026C messages.\r\nCompactGopher\r\nCompactGopher is a custom Go-based file collection and exfiltration tool deployed by operators to\r\nconveniently compress files specified in command line arguments and automatically exfiltrate them to the\r\nfile.io file sharing service, which allows the uploading of files without requiring any registration. By default,\r\nuploaded files are removed either after being downloaded or after 14 days unless otherwise specified.\r\nAccording to our analysis of the attacker-operated Slack channel, CompactGopher is one of the payloads\r\ndeployed on compromised computers via the LaxGopher backdoor.\r\nCompactGopher has the following features:\r\n• filter files desired for collection by extension and timestamp,\r\n• encrypt archives, and\r\n• upload archives to file.io for later retrieval.\r\nCompactGopher was identified during analysis of LaxGopher and the decrypted chat logs hosted in Slack.\r\nAt the time the download command was triggered, the file temp001.zip was pulled down from Slack into\r\nthe current working directory. After decompressing the archive, the extracted CompactGopher,\r\ntemp001.exe, is executed. 
Figure 8 demonstrates this activity with result messages printed to the terminal,\r\nstating that a file was successfully uploaded to file.io.\r\n \r\nFigure 8. CompactGopher execution\r\nCompactGopher is launched through a command line provided with a number of arguments; the\r\narguments are described in Table 3.\r\nTable 3. CompactGopher command line arguments\r\nCommand\r\nID Argument Description\r\n-sourcedir Path to compress, \u003cinputdir\u003e. Path of the source directory to compress.\r\n-outputdir ZIP file path, \u003coutputfile\u003e. Desired absolute path of the compressed archive.\r\n-starttime \u003cstarttime\u003e, in Datetime\r\nformat (YYYY-MM-DD-HH). Datetime stamp to filter based on the file creation date.\r\n-endtime \u003cendtime\u003e, in Datetime format\r\n(YYYY-MM-DD-HH). Datetime stamp to filter based on the file creation date.\r\nOn launch, CompactGopher validates the existence of \u003cinputdir\u003e and nonexistence of \u003coutputfile\u003e.\r\nFiles in \u003cinputdir\u003e are collected recursively and filtered first through hardcoded extensions: .doc, .docx,\r\n.jpg, .xls, .xlsx, .txt, .pdf, .ppt, and .pptx. Matching files, with a creation timestamp between\r\n\u003cstarttime\u003e and \u003cendtime\u003e, are added to the ZIP file; the compressed archive is then written to the\r\nprovided output path.\r\nThe archive is encrypted by CompactGopher, using AES-CFB-128 with a hardcoded key of\r\nkorehappyhappyhappy+821054197565 and a randomly generated string as the 16-byte initialization vector.\r\nThe result of this encryption prepends the IV as the first 16 bytes to the ciphertext that is then written to a\r\nnew file with the same filename as the compressed archive, appending the .enc extension.\r\nThe encrypted file is then uploaded to file.io using the publicly available REST API. The response containing\r\nthe URL of the uploaded file is written on the command line. 
After a successful upload, CompactGopher\r\nruns its own cleanup process by deleting both the cleartext and encrypted archives.\r\nRatGopher\r\nRatGopher is a Go-based backdoor that employs discordgo, an open-source Discord client library, to\r\ninteract with the Discord API connecting to a private Discord server for its C\u0026C. Unlike LaxGopher,\r\nRatGopher is developed with file.io functionality using the REST API for uploads and downloads. Internal\r\nto RatGopher, a custom module that provides all RatGopher’s Discord, file.io, and command-based\r\nfunctionality is called Rat0813; thus, the name we chose for this backdoor, RatGopher.\r\nRatGopher has the following capabilities:\r\n• execute a new instance of cmd.exe, and\r\n• upload to and download from file.io.\r\nRatGopher supports two AES-128 modes: CFB and CBC. CFB is only used when decrypting hardcoded\r\nembedded strings, and when updating the key and IV for CBC mode. CBC is only used when encrypting or\r\ndecrypting messages to and from the operator.\r\nAt first startup, the hardcoded base64-encoded key V1dUUl4OVAEEUFUBVhJRCVFcB1VWCQsCUFtWUQBUXRY= is\r\nused with CFB mode to decrypt another hardcoded base64-encoded string that contains the values of the\r\nDiscord token, channel ID, and user ID. MD5 sums of the channel ID and user ID are respectively used as\r\nthe key and IV to initialize both CFB and CBC modes used throughout RatGopher.\r\nThe operator may choose to rotate the key and IV of the CBC mode used for decrypting command\r\nmessages from the Discord channel, as shown in Figure 9. To do so, a raw message in the format Hello,\r\nthis is \u003cname\u003e speaking...\\n||\u003cbase64\u003e|| is posted to the channel, where \u003cname\u003e corresponds to a\r\nhardcoded name in the backdoor. 
Matching the name in this message with the hardcoded name notifies\r\nRatGopher that it is time to rotate its CBC encryption key and IV for future command message decryption.\r\nTo obtain the updated key and IV for CBC mode, RatGopher first base64 decodes the string between the\r\n|| delimiters, then decrypts the result using the previously mentioned CFB mode. Once decrypted, the\r\nCBC key is updated with the first 16 bytes and the IV with the next 16 bytes.\r\nOn first execution of the RatGopher backdoor, the decrypted Discord token, channel ID, and user ID values\r\nare provided to establish a new Discord session. In the event that a session cannot be established, a retry\r\naction is performed, retrying up to a maximum of three times. After each failed attempt to build a session,\r\nthe thread sleeps for 10 seconds.\r\nFollowing successful creation of a Discord session, RatGopher publishes a raw message of Hello,\r\neveryone!\\nI'm coming! to the channel. This indicates that the backdoor is active and ready to receive\r\ncommands. After notifying the operator, the initialization of a new message handler for Discord\r\nWebSocket API events is triggered. The purpose of this handler is to monitor new messages published to\r\nthe Discord channel.\r\n \r\nFigure 9. AES-128-CBC key rotation\r\nReceipt of a new message creates an internal thread notification to begin processing that message. The\r\ningested messages passed to CBC decryption operations are then deserialized into a structured object\r\nconsisting of the command ID type and content as arguments.\r\nAll messages use the following structure:\r\ntype bot_Packet struct {\r\n int16 type\r\n string content\r\n}\r\nCommand IDs (type) are then parsed, leading to the execution of a command and its arguments (content)\r\non the victim machine, as seen in Table 4. 
On command completion, the resulting information is sent back\r\nto the operator using a response ID shown in Table 5, depending on what had been executed.\r\nTable 4. RatGopher commands\r\nCommand ID Description\r\n1001\r\nInitializes the terminal service and launches an instance of cmd.exe. If a terminal service\r\nhas not already been created, creates a new terminal service passing data through Go\r\nchannels.\r\n1002 Sends a command string to the terminal, to be executed via the spawned cmd.exe.\r\n2001 Executes the download service to pull files from file.io to the victim. Confirms success or\r\nfailure via MD5.\r\n3001 Executes the upload service to push files to file.io from the victim. Confirms success or\r\nfailure via MD5 sum.\r\n4002 Kill command to stop execution of the backdoor.\r\nTable 5. RatGopher responses\r\nResponse ID Description\r\n1002\r\nSends results from the spawned cmd.exe back to the operator in chunks of 1,024 bytes.\r\nThis is to break up very long messages in respect to Discord’s message length\r\nlimitations.\r\n1011 Terminal service has been shut down.\r\n1012 Terminal service started successfully.\r\n1013 Terminal service has been activated successfully and is awaiting further commands.\r\n2002 Error during download/upload; for example, the file does not match the MD5.\r\n2004 Upload succeeded.\r\n3011 Download failed.\r\n3013 Download succeeded.\r\n4001 Updated the AES-CBC-128 encryption keys and IV.\r\nSSLORDoor\r\nUnlike the majority of GopherWhisper’s toolset, the SSLORDoor backdoor is not written in Go, but in C++.\r\nIt uses OpenSSL BIO for communication via raw TCP sockets with messages sent on port 443. 
Due to the\r\nnature of SSLORDoor’s operation, we strongly believe that files for configuring and securing OpenSSL,\r\nopenssl.conf and the certificate cert.pem, are dropped onto victim machines in C:\\Program Files\\Common Files\\SSL\\ and are ingested by the backdoor to secure communication to the operator\r\nwith TLS.\r\nSSLORDoor has the following capabilities:\r\n• spawn a hidden cmd.exe,\r\n• enumerate all drives,\r\n• open, find, read, write, and delete files, and\r\n• create new socket connections.\r\nPrior to SSLORDoor’s main backdoor code execution, the backdoor attempts to delete kdshvfjdjs.dll. If\r\nthis call fails, SSLORDoor proceeds; otherwise, the code terminates immediately. This may be a measure to\r\nprevent SSLORDoor operators from accidentally executing the backdoor on their systems.\r\nPassing the deletion check, sockets are created to connect back to SSLORDoor’s hardcoded C\u0026C IP\r\naddresses, which are stored in two areas of the code. Samples we analyzed always have the same IP\r\naddress in both these locations, which we believe has been done to provide some possible configuration\r\nfor failovers if one address becomes inaccessible.\r\nOnce a TLS socket has been built, SSLORDoor enumerates information about the victim using the API\r\ncalls:\r\n• gethostname to obtain the computer name,\r\n• gethostbyname to obtain the IP address,\r\n• ZwQuerySystemInformation to obtain Windows version and service pack,\r\n• GetOEMCP to obtain the OEM code page ID, and\r\n• GetLocalTime passing the system time as the Datetime stamp.\r\nCommunicating back and forth with the C\u0026C is done by first XORing bytes using the key 0x3F. Resulting\r\nbytes are then passed to an obfuscated RC4 subfunction using the hardcoded key lsk2ksi9f. Lastly,\r\noutput from the RC4 process is then sent to the C\u0026C through the TLS socket on port 443. 
It is important\r\nto note that this socket is not used for standard HTTPS communication on port 443; data is passed as a\r\nraw, RC4-encrypted byte stream.\r\nAfter successfully sending enumeration data, SSLORDoor begins accepting messages from the operator\r\nthat are decrypted using the process described above. Each message contains one of the commands\r\noutlined in Table 6. In the event that SSLORDoor processes 100 failed attempts to run a command, it\r\ndisplays an error message box containing the error number. Following this, the sockets are closed, and the\r\nprogram quits.\r\nTable 6. SSLORDoor commands\r\nCommand ID Command arguments Description\r\n2 N/A Not implemented.\r\n3 N/A Not implemented.\r\n4 String containing standard Windows cmd.exe commands Initializes the terminal service spawning a new instance of cmd.exe. If a terminal service has not already been created, it creates a new terminal service passing data through Go channels.\r\n5 N/A Enumerates all available drives and volume information, iterating from A: to Z:.\r\n6 Path, filename Finds a file and sends file size and creation time back to the operator. This could be used as a method to determine whether a file exists on the victim machine.\r\n7 File path Uploads the contents of the specified file to the C\u0026C server.\r\n8 File path Deletes files using the standard DeleteFileW API.\r\n9 File path Deletes files using SHFileOperationW with flags FOF_SILENT | FOF_NOCONFIRMATION. This command is perhaps primarily used for deleting directories since command 8 is only able to delete files.\r\n10 Filename A counterpart of command 11. Bytes are obtained from looped calls to GetMessageW matching a message ID of 1145. Bytes are taken from the received message buffer and written into the specified file. 
If the data fails to be written or does not match the expected size check once all messages have been obtained, the file is deleted.\r\n11 Byte [] Accepts an array of bytes used with PostThreadMessageW containing the message ID 1145. The message ID of 1145 is used by command 10 as a way to stream writes to a file.\r\n13 N/A Not implemented.\r\n14 N/A Not implemented.\r\n15 N/A Closes the global handle created by CreateEvent. This is used when a new CreateThread is called. To ensure that the function run in the thread completes first, WaitForSingleObject on hObject is used. Command 15 provides a manual way to close the hObject handle if an unhandled exception occurs within the thread.\r\n16 Path Calls ShellExecuteW with the hardcoded value of open, to open the file at the specified path. This could lead to execution of a binary in the event that the path points to an executable.\r\n17 N/A Not implemented.\r\n18 N/A Not implemented.\r\n20 N/A Not implemented.\r\n21 IP or hostname Creates a connection to a new socket as a proxy, where bytes are read through recv and processed onto the stack as C\u0026C messages.\r\n22 Byte [] Sends bytes to a proxy socket previously opened by command ID 21.\r\nFriendDelivery\r\nWe discovered FriendDelivery, an injector for the backdoor BoxOfFriends, in February 2025 at the same\r\nvictim where we found LaxGopher, RatGopher, and SSLORDoor. During execution, FriendDelivery copies\r\nitself (wer.dll) and its legitimate executable WerFault.exe (as bdreinit.exe, used to side-load wer.dll)\r\nto %APPDATA%\\BitDifender\\, masquerading as a Bitdefender application. The new path to bdreinit.exe,\r\nalong with an added argument -s, is then used as the executable path for the bdreinitsvc Windows\r\nservice with a description of Microsoft Defender Reinit Service, which ensures FriendDelivery’s\r\npersistence. 
When FriendDelivery is executed with the -s argument, data is read from wer.dll, which\r\ncontains the encrypted BoxOfFriends backdoor that is then injected into a legitimate process.\r\nAt startup, FriendDelivery calculates a CRC32 of the legitimate executable to validate that it is being\r\nexecuted by the expected version of WerFault.exe. We did not observe the WerFault.exe executable but\r\ndiscovered through FriendDelivery that a file named aa1.bat at the path %LOCALAPPDATA%\\Temp is created\r\nwith contents suggesting the existence of the legitimate executable. As seen in Figure 10, this BAT script\r\ncleans up the files from the execution directory after they are copied to %APPDATA%.\r\n:try\r\ndel \"\u003cpath_to_executable\u003e.exe\"\r\ndel \"\u003cpath_to_dll\u003e\\wer.dll\"\r\nif exist \"\u003cpath_to_executable\u003e.exe\" goto try\r\ndel %0\r\nFigure 10. Contents of aa1.bat\r\nIn addition, during the BAT file creation process, the directory C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\App\\BitDefender\\ is created and used as the location to copy FriendDelivery (wer.dll) and the executable\r\nthat originally launched FriendDelivery, a legitimate WerFault.exe renamed as bdreinit.exe.\r\nFriendDelivery, when run with no arguments, installs a new Windows service, bdreinitsvc, using the\r\nmentioned path to bdreinit.exe, as seen in Figure 11.\r\nFigure 11. Windows service bdreinitsvc\r\nHowever, when FriendDelivery (wer.dll) is provided with the -s argument, the entirety of wer.dll is read\r\ninto memory to locate the offset in the overlay starting after the raw data marker x2T$x.0i. The\r\nremaining bytes from this offset are then passed through a null-preserving XOR operation using the key\r\n0x56, translating the payload into a Go binary we’ve named BoxOfFriends. 
FriendDelivery then creates a\r\nnew help.exe process (the legitimate Windows utility that provides help for other commands), where\r\nBoxOfFriends is injected to begin execution.\r\nBoxOfFriends\r\nBoxOfFriends is a backdoor written in Go that uses the Microsoft Graph API for C\u0026C communications. It\r\nemploys draft email messages in Microsoft 365 Outlook for bidirectional communication. As a side effect,\r\nthe backdoor always overwrites the previous message, making historical messages unretrievable.\r\nBoxOfFriends does not persist; it is executed by FriendDelivery and relies on the persistence mechanism\r\nestablished by FriendDelivery.\r\nBefore processing commands, BoxOfFriends sends a new request to create a draft email message in the\r\noperator’s email account. This request not only notifies the C\u0026C that a new client has connected; the\r\nID returned in the response is also used to read from or write to the appropriate draft email message for this\r\nparticular victim.\r\nSince the backdoor makes use of draft emails as a messaging mechanism with operators, drafts are\r\noverwritten after each new message. Table 7 outlines the commands and responses of the backdoor,\r\nwhere each command or response is disguised as a recipient email address, with its arguments in\r\nthe message body. Arguments are extracted using either base64 or Bitcoin’s base58 decoding, then XOR\r\ndecrypted. By default, the XOR key is derived from the last eight characters of the MD5 of the MAC\r\naddress of the victim system’s first network interface, and stored as the subject line for each draft email.\r\nTable 7. BoxOfFriends commands\r\nEmail address Type Argument Description\r\nEnos905@outlook[.]com Command String Base64 decodes the message and uses the default hardcoded key 0x0C00000A4B8 for RC4 decryption. 
The result of the message updates the client XOR key used for all other messages.\r\nAdam930@outlook[.]com Response String Creates the new draft used for passing communications with the message body containing host enumeration data.\r\nSeth912@outlook[.]com Response N/A Sends a heartbeat at intervals, updating the draft with host information enumeration results.\r\nJared962@outlook[.]com Command Path Uploads by updating the draft email with raw bytes from the file. Used specifically when a file is too large: the file is chunked into several messages to avoid exceeding maximum message size limits. After each update to the draft, the upload operation pauses through a sleep call, giving operators enough time to process the message.\r\nCainan910@outlook[.]com Response N/A Notifies the C\u0026C that changes to the encryption key were successful.\r\nJoashMoriah@outlook[.]com Command Path Downloads a file from the operator to the victim path.\r\nAbrahamMoriah@outlook[.]com Command String Subcommand processing; see Table 8.\r\nMahalaleel895@outlook[.]com Response String Provides general responses back to the operator from process execution – for example, single file downloads, displaying the current directory, or when an upload completes successfully.\r\nTable 8 provides the list of possible commands sent in the message body by the command\r\nAbrahamMoriah@outlook[.]com.\r\nTable 8. AbrahamMoriah@outlook[.]com subcommands\r\nCommand Argument Description\r\nselfdelete N/A BoxOfFriends obtains a new handle by opening the injected process’s file by using the absolute path from the GetModuleFileName API. The handle to the injected process is then passed to the SetFileInformationByHandle API with a disposition to delete. 
As a result, once the process is terminated, the file used in the injection process will be deleted.\r\ncd Path or N/A Changes or displays the current working directory.\r\ndownload Path Uploads a file from the victim to the operator. Restrictions of file sizes apply due to Microsoft Graph API limits. File limits by the endpoint are set to 104 MB, in which case the backdoor chunks the file into several draft updates to Jared962@outlook[.]com, whereas the default is to add the full file to Mahalaleel895@outlook[.]com.\r\nsleep Integer (seconds) Sleeps for the specified period.\r\ninterval Integer (seconds) or N/A Responds with the heartbeat interval (default 3,600) when no arguments are provided. Otherwise, sets the specified interval.\r\nportforward String (add, del, list) Creates, deletes, or lists forwarding ports to expose an application or service to the network.\r\nAny other string String Executes the supplied arbitrary command strings, not previously listed in the table, through a shell opened on the host. The shell to be used is determined by the backdoor at runtime; it first searches for powershell.exe followed by cmd.exe.\r\nCONCLUSION\r\nOur investigation of GopherWhisper revealed a China-aligned APT group targeting a governmental entity\r\nin Mongolia, using a varied toolset of loaders, injectors, and backdoors. The first part of the toolset we\r\ndiscovered consisted of several new Go-based tools – CompactGopher, LaxGopher injected by JabGopher,\r\nand RatGopher – and a C++ backdoor, SSLORDoor. 
Later, we also uncovered a new injector,\r\nFriendDelivery, capable of persisting through a Windows service, and a Go-based backdoor, BoxOfFriends,\r\nexecuted by the injector.\r\nBy analyzing the C\u0026C communications obtained from the attacker-operated Slack and Discord channels,\r\nand from draft Outlook email messages, we were able to gain additional information about the group’s\r\nalignment, inner workings, and post-compromise activities.\r\nIOCS\r\nA comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.\r\nFiles\r\nSHA-1 Filename Detection Description\r\nC72E7540D6F12D74D8E737B02F31568385F575D7 temp001.exe WinGo/Filecoder.JI CompactGopher exfiltration tool.\r\n039EB329A173FCE7EFECA18611A8F2C0F7D24609 rp.exe Win32/HackTool.Agent.NLV rp hack tool, used to run a specific process using token impersonation.\r\n716554DC580A82CC17A1035ADD302C0766590964 wb.exe Win32/PSWTool.WebBrowserPassView.I A free password recovery tool that reveals the passwords stored by IE, Firefox, Google Chrome, and Opera.\r\n57C2490E4DB194D3503EE85635FB1D6F26E8C534 intelservice.exe WinGo/Agent.VM RatGopher backdoor that uses Discord for C\u0026C.\r\nAD7E264EB08415871617E45F21D03F7D71E4C36F delltool.exe Win64/Agent.AGD SSLORDoor backdoor.\r\nFA9E65E58EB8FA41FDE0A0A870B7D24B298026D9 whisper.dll Win64/Injector.UI JabGopher backdoor injector.\r\n5A1BBB40C442B12594A913431F8C6757A3A66E8F wer.dll Win64/Injector.G FriendDelivery loader.\r\n926974FACFD0383C65458D6EF1F31FBB7C769E18 N/A WinGo/Agent.AJI BoxOfFriends backdoor.\r\nNetwork\r\nIP Domain Hosting provider First seen Details\r\n43.231.113[.]50 N/A Intelligent Tools 2025-03-24 SSLORDoor C\u0026C server.\r\nMITRE ATT\u0026CK TECHNIQUES\r\nThis table was built using version 18 of the MITRE ATT\u0026CK framework.\r\nTactic 
ID Name Description\r\nResource Development\r\nT1587.001 Develop Capabilities: Malware RatGopher and early versions of its source code were identified from chat log analysis. BoxOfFriends is a custom backdoor.\r\nT1583.006 Acquire Infrastructure: Web Services GopherWhisper uses Slack, Discord, and Microsoft Graph services for its C\u0026C infrastructure.\r\nT1588.003 Obtain Capabilities: Code Signing Certificates GopherWhisper has used stolen Google LLC code-signing certificates to sign RatGopher.\r\nT1588.002 Obtain Capabilities: Tool GopherWhisper uses the publicly available WebBrowserPassView.\r\nExecution\r\nT1106 Native API JabGopher and SSLORDoor use API calls during execution.\r\nT1129 Shared Modules JabGopher loads a DLL and executes its functions.\r\nPersistence\r\nT1543.003 Create or Modify System Process: Windows Service JabGopher and FriendDelivery each create a Windows service for persistence.\r\nT1574.002 Hijack Execution Flow: DLL Side-Loading FriendDelivery uses the filename wer.dll to be side-loaded by the legitimate application WerFault.exe.\r\nDefense Evasion\r\nT1140 Deobfuscate/Decode Files or Information JabGopher, LaxGopher, CompactGopher, RatGopher, and SSLORDoor all have encryption/decryption capabilities.\r\nT1055.002 Process Injection: Portable Executable Injection BoxOfFriends is a Go binary that is injected into the legitimate Windows executable help.exe.\r\nT1036 Masquerading JabGopher masquerades as a legitimate Windows service, using the display name Windows Push Notification Local Service.\r\nT1055.012 Process Injection: Process Hollowing JabGopher can inject LaxGopher into svchost.exe.\r\nT1480 Execution Guardrails JabGopher requires the backup.log file to exist. 
FriendDelivery validates the CRC32 of a legitimate process to continue execution.\r\nT1134.002 Access Token Manipulation: Create Process with Token rp.exe can execute a process using the same methods as runas.\r\nT1036.004 Masquerading: Masquerade Task or Service FriendDelivery disguises its service with the name bdreinitsvc, which resembles a service related to Bitdefender products.\r\nT1036.005 Masquerading: Match Legitimate Name or Location FriendDelivery is stored in %AppData%\\App within the legitimate directory of Bitdefender.\r\nCredential Access\r\nT1555.003 Credentials from Password Stores: Credentials from Web Browsers WebBrowserPassView can gather credentials from a number of browsers.\r\nDiscovery\r\nT1083 File and Directory Discovery LaxGopher, RatGopher, and SSLORDoor can obtain file and directory listings.\r\nT1518 Software Discovery LaxGopher, RatGopher, and SSLORDoor can identify running software on victim machines.\r\nT1082 System Information Discovery LaxGopher, RatGopher, and SSLORDoor can collect the hostname, OS version, and OS architecture of a compromised host.\r\nT1007 System Service Discovery LaxGopher, RatGopher, and SSLORDoor can enumerate all services running on a compromised host.\r\nCollection\r\nT1005 Data from Local System LaxGopher, RatGopher, SSLORDoor, and CompactGopher can collect local data from a compromised machine.\r\nT1119 Automated Collection CompactGopher automates the collection of data based on command line arguments.\r\nT1560.003 Archive Collected Data: Archive via Custom Method CompactGopher can be used as a utility to collect and archive data.\r\nCommand and Control\r\nT1001.003 Data Obfuscation: Protocol Impersonation SSLORDoor can send a raw encrypted byte stream via the 
default HTTPS port.\r\nT1071.001 Application Layer Protocol: Web Protocols LaxGopher, RatGopher, and BoxOfFriends use HTTPS for C\u0026C communication.\r\nT1102.002 Web Service: Bidirectional Communication LaxGopher, RatGopher, and BoxOfFriends use Slack, Discord, and Microsoft Graph, respectively, for C\u0026C infrastructure.\r\nT1105 Ingress Tool Transfer LaxGopher, RatGopher, and SSLORDoor can all download additional files/payloads.\r\nT1132.002 Data Encoding: Non-Standard Encoding SSLORDoor leverages custom data encoding to communicate with the C\u0026C. BoxOfFriends uses base58 and base64 encoding.\r\nT1132.001 Data Encoding: Standard Encoding LaxGopher and RatGopher use base64 to encode messages sent to their C\u0026Cs.\r\nT1573.001 Encrypted Channel: Symmetric Cryptography LaxGopher and RatGopher use AES algorithms for encryption. BoxOfFriends uses XOR encryption.\r\nT1573.002 Encrypted Channel: Asymmetric Cryptography SSLORDoor uses TLS encryption for C\u0026C communication.\r\nExfiltration\r\nT1020 Automated Exfiltration CompactGopher is a file uploader that automatically exfiltrates data.\r\nT1041 Exfiltration Over C2 Channel LaxGopher, RatGopher, SSLORDoor, and BoxOfFriends exfiltrate data to their C\u0026Cs.\r\nT1048.002 Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol RatGopher and CompactGopher use HTTPS to exfiltrate data collected from victims to file.io.\r\nT1567 Exfiltration Over Web Service LaxGopher leverages Slack to exfiltrate data. RatGopher leverages Discord and file.io to exfiltrate data. CompactGopher uses the file.io web service to exfiltrate data.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY"
	],
	"origins": [
		"pdf"
	],
	"references": [
		"https://web-assets.esetstatic.com/wls/en/papers/white-papers/gopherwhisper-burrow-full-malware.pdf"
	],
	"report_names": [
		"gopherwhisper-burrow-full-malware.pdf"
	],
	"threat_actors": [],
	"ts_created_at": 1777604961,
	"ts_updated_at": 1777605050,
	"ts_creation_date": 1776689325,
	"ts_modification_date": 1776689343,
	"files": {
		"pdf": "https://archive.orkl.eu/db638f5be9aa336af8dc183bc1758322530447ce.pdf",
		"text": "https://archive.orkl.eu/db638f5be9aa336af8dc183bc1758322530447ce.txt",
		"img": "https://archive.orkl.eu/db638f5be9aa336af8dc183bc1758322530447ce.jpg"
	}
}