GopherWhisper
Intelligence Profile
GopherWhisper is a China-aligned APT that routes C2 traffic through legitimate enterprise platforms like Slack, Discord, and Microsoft 365 Outlook to evade detection. Its toolkit includes the LaxGopher backdoor for Slack, RatGopher for Discord, and CompactGopher for data exfiltration via file.io. The group employs DLL side-loading via JabGopher and uses raw OpenSSL socket C2 on port 443 with the SSLORDoor backdoor. GopherWhisper has targeted Mongolian government entities and is assessed to have additional unidentified victims in Central Asia.
Threat Analysis
GopherWhisper is a advanced-sophistication threat actor attributed to China, engaged in cyber operations with a primary motivation of espionage.
The group's espionage-oriented operations suggest a state-sponsored or state-aligned mandate, typically focused on stealing intellectual property, government secrets, or military intelligence. Targets are usually selected for strategic value rather than financial gain.
Classified as an advanced threat actor, GopherWhisper likely develops or acquires zero-day exploits, employs custom malware toolchains, and demonstrates long-term persistence capabilities — hallmarks of a well-resourced operation consistent with nation-state backing.