2026-04-15, Amphitheater
In 2025, we observed a new backdoor, LaxGopher, being deployed within a government institution of Mongolia by a previously unknown China-aligned group that we named GopherWhisper. Following this discovery, we uncovered additional backdoors that use various legitimate cloud-based services as C&C infrastructure. By analyzing the C&C traffic using API tokens stashed in the various backdoors, for Slack, Discord, and Microsoft Graph, we obtained insights into the group’s internal operations and post-compromise activities.
From the analysis of all C&C traffic, we recovered over 5,000 messages, revealing that the group’s earliest activity began in 2023-11. These messages were pivotal to our research, as they helped us identify when the threat actors were most active, the commands issued on targets, and the tools deployed. Notably, it was through these messages that we were able to extract previously unknown tools such as CompactGopher and other information stealers. The dataset further exposed testing artifacts, including enumeration output from the testing machines and snippets of backdoor code uploaded by testers.
Our research and analysis of GopherWhisper resulted in identifying a variety of custom tools: the Go-based backdoors LaxGopher, RatGopher, and BoxofFriends; an injector named JabGopher; a loader called FriendDelivery; an exfiltration tool, CompactGopher; and a C++ backdoor, SSLORDoor. From what we see in the messages and in telemetry, deployment of these tools frequently resulted in data exfiltration, either through the C&C server or through the simple file sharing service file.io.
In this session, we will dissect the most interesting tools in GopherWhisper’s arsenal and will share how analyzing C&C traffic and code snippets from the attackers’ cloud accounts helped us gain critical insights into their activities. Finally, we will provide tips for fellow defenders to uncover and remediate a GopherWhisper compromise.
Eric Howard is a new member of the ESET Research team in Montreal, Canada. Growing up, computers and technology were a passion he shared with his brother, leading him to pursue software development. After a few years as a developer in the financial sector, working within the fraud and financial crime team, he discovered his love for cybersecurity and began a long journey of independent study. Eventually, Eric joined a Cyber Threat Intelligence team in the telecom sector, where he spent four years building on his skills. Now, Eric spends his time on his interests: tracking China-aligned APT groups, reversing malware, and working with Rust.