TL;DR
A previously undocumented Chinese state-linked APT — named GopherWhisper by ESET Research — has been running an espionage campaign against Mongolian government entities since at least late 2023. Its defining characteristic: command-and-control exclusively through legitimate SaaS platforms (Slack, Discord, Microsoft 365 Outlook) and exfiltration through file.io. The full toolkit is modular, written almost entirely in Go, and designed so that malicious traffic is indistinguishable from normal enterprise comms. ESET recovered over 9,000 C2 messages from the attacker's own accounts — because the operators hardcoded their credentials inside the binaries.
Background: Why Mongolia, Why Now
Mongolia sits at the geographic and economic intersection of Russia and China. It holds some of the world's largest untapped coal, copper, and rare-earth reserves. China is both its largest trade partner and the home of the threat actors most interested in it — a dynamic that makes Mongolian government institutions a priority espionage target for Beijing-aligned groups.
The country's institutional cyber defenses, while improving, haven't historically matched the sophistication of the threat actors interested in its sovereign data. GopherWhisper apparently knew this. ESET's telemetry shows the group was methodical, patient, and operating for at least two years before detection.
The discovery itself — reported in ESET's April 2026 white paper — is notable not just for the new attribution but for what ESET managed to extract: because GopherWhisper hardcoded API tokens and login credentials directly into compiled Go binaries, researchers were able to log into the attacker's own Slack, Discord, and Outlook accounts and download the full C2 message archive. It's the kind of OPSEC failure that turns a sophisticated campaign into an open book.
Threat Actor Profile
| Attribute | Detail |
|---|---|
| Name | GopherWhisper (ESET designation) |
| Alignment | China state-nexus |
| First observed activity | November 16, 2023 (earliest Discord C2 messages) |
| Malware dev started | July 2024 (FriendDelivery DLL compilation timestamp) |
| Primary target | Mongolian government entities |
| Confirmed victims | 12+ systems in one government entity; dozens estimated |
| C2 platforms | Slack, Discord, Microsoft 365 Outlook (Graph API) |
| Exfiltration | file.io (public file-sharing service) |
| Malware language | Primarily Go; one C++ component (SSLORDoor) |
| OPSEC grade | Medium — strong operational discipline, weak credential hygiene |
| MITRE ATT&CK | T1071.001, T1055, T1078, T1027, T1105, T1567.002 |
Attribution confidence is high. ESET's analysis of recovered C2 message timestamps shows commands issued primarily between 12:00 AM and 12:00 PM UTC — perfectly mapping to China Standard Time (UTC+8) business hours of 08:00–20:00. Discord metadata revealed operator virtual machines configured to CST timezone. A welcome email from Microsoft confirmed the BoxOfFriends Outlook account (barrantaya.1010@outlook[.]com) was created July 11, 2024 — exactly 11 days before the FriendDelivery DLL was compiled. These are not coincidences.
Technical Analysis
Architecture Overview
GopherWhisper isn't a monolithic RAT. It's a modular platform — seven distinct tools, each serving a specific function, with redundancy built into the C2 layer. If Slack goes down or gets blocked, Discord takes over. If Discord gets flagged, draft-email C2 via Outlook is ready. This kind of C2 resilience is characteristic of a mature, funded team.
Component Deep Dives
#### 1. LaxGopher — The Primary Backdoor
- Language: Go
- C2: Private Slack workspace (API token hardcoded in binary)
- Capabilities: Executes arbitrary commands via `cmd.exe`; downloads and executes additional payloads; posts command output back to the Slack channel
- Deployment: Injected into memory as `whisper.dll`
- Significance: The first component ESET identified (January 2025). Its Slack integration is functionally identical to a legitimate Slack bot — no unusual network signatures.
#### 2. JabGopher — The Injector
- Language: Go
- Function: Spawns a legitimate `svchost.exe` process, then injects LaxGopher (`whisper.dll`) into its memory space
- Why svchost? `svchost.exe` is Windows' generic service host process — injecting into it hides malicious threads among dozens of legitimate service threads. Endpoint tools that don't do deep memory inspection miss this cleanly.
- Technique: T1055 (Process Injection) — classic but reliably effective
#### 3. RatGopher — The Discord Backdoor
- Language: Go
- C2: Private Discord server (bot token hardcoded)
- Capabilities: Command execution; posts results to Discord channels; bidirectional communication
- Significance: Redundant C2 to LaxGopher. Operators can switch between Slack and Discord channels transparently. Both protocols are TLS-encrypted and trusted by most enterprise firewalls.
#### 4. BoxOfFriends — The Draft Email Backdoor
- Language: Go
- C2: Microsoft 365 Outlook via Microsoft Graph API
- Technique: Reads commands from Outlook draft emails (never sent); posts results back as new drafts
- Why drafts? Email that never leaves the mailbox generates no SMTP logs, no email gateway alerts, and no DLP triggers. The only traffic is authenticated HTTPS to `graph.microsoft.com` — a domain that every enterprise with Microsoft 365 allows unconditionally.
- Loader: FriendDelivery (DLL that bootstraps BoxOfFriends)
- OPSEC failure: The Graph API token and Outlook credentials were hardcoded, allowing ESET to access the full draft history
#### 5. CompactGopher — The Exfiltration Tool
- Language: Go
- Function: Compresses targeted files from the command line; uploads the archive to file.io
- Why file.io? Public, TLS-encrypted, ephemeral file sharing. Uploads are one-time accessible by default. Firewalls rarely block it. The file disappears after first download, leaving no persistent hosting infrastructure to seize.
#### 6. SSLORDoor — The Fallback C++ Backdoor
- Language: C++
- C2: Raw TCP sockets over port 443 using OpenSSL BIO
- Capabilities: Execute commands; file read/write/delete/upload; drive enumeration
- Significance: The only non-Go component, likely from an earlier or parallel development track. Port 443 with OpenSSL BIO means all traffic looks like HTTPS to passive network monitoring — even though it isn't standard HTTPS.
Living-Off-Trusted-Services: The Strategic Design Choice
The overarching theme is LOTS — Living Off Trusted Services. Every C2 channel GopherWhisper uses is a service that:
1. Generates HTTPS traffic to well-known, high-reputation domains
2. Is used legitimately by millions of enterprise employees
3. Is allowed by default through corporate firewalls and web proxies
4. Has limited API-level logging visible to most organizations
5. Cannot be blocked without operational impact to the business
This is not novel as a concept — APT groups have abused Google Drive, Dropbox, GitHub, and Telegram for years. But the multi-platform redundancy (Slack + Discord + Outlook Graph) combined with custom Go tooling is unusual and indicates a team that thought through detection failure modes. If a blue team identifies Slack-based C2 and blocks Slack API tokens, the Discord backdoor keeps the operator in the network. If both get burned, BoxOfFriends' draft-email channel is still live.
The OPSEC Paradox
Despite sophisticated operational design, GopherWhisper committed a fundamental error: credential hardcoding at scale. Every backdoor that uses a SaaS service authenticated with credentials baked directly into the compiled binary. For a reverse engineer with access to the sample, extracting those credentials is a matter of minutes with a Go decompiler or strings extraction.
ESET leveraged this to recover:
- 6,044 Slack messages dating to August 21, 2024
- 3,005 Discord messages dating to November 16, 2023
- Full Outlook draft history for BoxOfFriends C2
This gave ESET a window into not just victim data but attacker operational tradecraft — what commands they ran, what files they exfiltrated, how they tested the malware, and crucially, the timezone metadata that anchored the China attribution.
The lesson: sophisticated malware with hardcoded auth is only as strong as the weakest credential. If you're using SaaS as C2, every token is an IOC and an entry point for the defender who finds it first.
IOCs / Indicators of Compromise
Source: ESET Research — github.com/eset/malware-ioc/tree/master/gopherwhisper
File Indicators
| Component | Filename | Type |
|---|---|---|
| LaxGopher backdoor | whisper.dll | Go DLL injected into svchost |
| FriendDelivery loader | (variable) | Malicious DLL |
| JabGopher injector | (variable) | Go EXE |
| CompactGopher | (variable) | Go EXE |
| SSLORDoor | (variable) | C++ EXE |
Full SHA-256 hashes available in ESET's GitHub IOC repository (link in Sources).
Network Indicators
| Type | Value | Usage |
|---|---|---|
| Email account | barrantaya.1010@outlook[.]com | BoxOfFriends C2 account |
| C2 protocol | Slack API (private workspace) | LaxGopher C2 |
| C2 protocol | Discord bot API (private server) | RatGopher C2 |
| Exfil service | file[.]io | CompactGopher upload target |
| Raw socket port | TCP/443 via OpenSSL BIO | SSLORDoor C2 |
| Graph API endpoint | graph.microsoft.com | BoxOfFriends (normal domain, flag unusual OAuth apps) |
Behavioral Indicators
- `svchost.exe` spawned with unusual parent process (JabGopher injection)
- Slack API (`api.slack.com`) connections from non-browser processes
- Discord CDN/API connections from system processes
- Microsoft Graph API OAuth tokens issued to unrecognized applications
- `file.io` upload requests from non-browser, non-user-initiated processes
- Outbound TCP/443 connections not matching known HTTPS certificate patterns
Lyrie Take
GopherWhisper is a preview of the dominant APT architecture for the next five years.
State-sponsored groups increasingly understand that the most reliable C2 isn't the most exotic — it's the most _normal_. Slack is in every enterprise. Outlook is in every government. Discord is on every developer's machine. Building malware that speaks these protocols natively isn't just clever; it's an intentional bet that most detection stacks are built around network anomaly, not protocol-layer semantic analysis.
The defensive consequence is stark: you cannot firewall your way out of LOTS-based C2. Blocking api.slack.com would shut down half your engineering team. Blocking graph.microsoft.com would break Microsoft 365. Blocking file.io is feasible — but CompactGopher will be updated to use Google Drive or OneDrive next.
This is exactly the threat model Lyrie was designed for. Machine-speed behavioral analysis doesn't ask "is this connection to a blocked domain?" It asks "is this process legitimately expected to be talking to Slack's API?" — and it has an answer in under 100 milliseconds. A government SOC analyst reviewing weekly firewall logs does not.
The additional Lyrie observation: GopherWhisper's OPSEC failure was a gift that reveals a systemic pattern. Nation-state operators under deadline pressure routinely hardcode credentials. That means every LOTS-based malware sample is a potential key to the attacker's own infrastructure. Automated credential extraction and C2 infiltration should be a standard step in incident response for this class of threat.
Defender Playbook
Priority 1 — Audit OAuth Application Grants
Review all registered OAuth applications in your Microsoft 365 tenant and Slack workspace. GopherWhisper's BoxOfFriends needed a Graph API OAuth token. Unknown or low-use application registrations are immediate investigation targets. Revoke any unrecognized tokens.
Priority 2 — Process-to-Network Correlation
Deploy an EDR or NDR capable of correlating network connections to the originating process. Slack API traffic from svchost.exe is definitively malicious. This correlation is trivial to write but requires an agent with process-level visibility.
Priority 3 — svchost Spawn Anomaly Detection
Monitor for svchost.exe instances spawned with unusual parent processes or command-line arguments. Legitimate svchost.exe processes are always launched by services.exe or wininit.exe. Any other parent is a detection trigger.
Priority 4 — file.io Egress Monitoring
Block or alert on outbound connections to file.io from non-browser processes. This is one of the few easily blockable network indicators GopherWhisper exposes, and the service has essentially no legitimate corporate use case outside of an individual user's browser session.
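The Behavioral Indicators above and Priorities 2 through 4 all reduce to one correlation: which process is talking to which SaaS endpoint, and who spawned it. The following is an added example, not ESET's or Lyrie's code, that runs those rules over constructed EDR-style telemetry. The event fields, the per-domain allow-lists and the sample events are assumptions for illustration; in a real deployment the allow-lists come from your own baseline.

```python
# Added example (not ESET's or Lyrie's code): process-to-network correlation
# over constructed EDR-style telemetry. Event field names, the allow-lists and
# the sample events are all assumptions for illustration.
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ProcessStart:
    pid: int
    image: str          # executable basename, lower-case
    parent_image: str


@dataclass(frozen=True)
class NetConnect:
    pid: int
    image: str
    dest_host: str      # from DNS resolution or TLS SNI
    dest_port: int


BROWSERS: Set[str] = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Processes expected to talk to each SaaS API (assumed allow-list; tune per estate).
EXPECTED_CLIENTS: Dict[str, Set[str]] = {
    "api.slack.com": {"slack.exe"} | BROWSERS,
    "discord.com": {"discord.exe"} | BROWSERS,
    "graph.microsoft.com": {"outlook.exe", "teams.exe", "onedrive.exe"} | BROWSERS,
    "file.io": set(BROWSERS),   # only an interactive browser session is expected
}

# Parents the post names as legitimate launchers of svchost.exe.
SVCHOST_PARENTS: Set[str] = {"services.exe", "wininit.exe"}


def find_svchost_anomalies(starts: List[ProcessStart]) -> List[dict]:
    """Priority 3: svchost.exe spawned by anything other than the service manager."""
    return [
        {"rule": "svchost_unexpected_parent", "pid": ev.pid,
         "detail": f"svchost.exe spawned by {ev.parent_image}"}
        for ev in starts
        if ev.image == "svchost.exe" and ev.parent_image not in SVCHOST_PARENTS
    ]


def find_unexpected_saas_clients(conns: List[NetConnect]) -> List[dict]:
    """Priorities 2 and 4: a SaaS API or file.io reached by a process not on its allow-list."""
    findings = []
    for c in conns:
        allowed = EXPECTED_CLIENTS.get(c.dest_host)
        if allowed is not None and c.image not in allowed:
            findings.append({"rule": "saas_from_unexpected_process", "pid": c.pid,
                             "detail": f"{c.image} -> {c.dest_host}:{c.dest_port}"})
    return findings


def correlate(starts: List[ProcessStart], conns: List[NetConnect]) -> List[dict]:
    """Run both rules; a PID that trips both (oddly spawned svchost.exe that then
    talks to a SaaS API) is the JabGopher -> LaxGopher pattern and is rated high."""
    findings = find_svchost_anomalies(starts) + find_unexpected_saas_clients(conns)
    rules_by_pid: Dict[int, Set[str]] = {}
    for f in findings:
        rules_by_pid.setdefault(f["pid"], set()).add(f["rule"])
    for f in findings:
        f["severity"] = "high" if len(rules_by_pid[f["pid"]]) > 1 else "medium"
    return findings


# Constructed sample telemetry (one host, a few minutes of activity).
SAMPLE_STARTS = [
    ProcessStart(800, "svchost.exe", "services.exe"),    # normal service host
    ProcessStart(4321, "svchost.exe", "updater.exe"),    # injector-style spawn (constructed name)
    ProcessStart(5000, "chrome.exe", "explorer.exe"),
]
SAMPLE_CONNS = [
    NetConnect(800, "svchost.exe", "ctldl.windowsupdate.com", 443),
    NetConnect(4321, "svchost.exe", "api.slack.com", 443),
    NetConnect(4321, "svchost.exe", "file.io", 443),
    NetConnect(5000, "chrome.exe", "api.slack.com", 443),
    NetConnect(6100, "outlook.exe", "graph.microsoft.com", 443),
    NetConnect(7200, "python.exe", "discord.com", 443),
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_STARTS, SAMPLE_CONNS):
        print(f"[{f['severity']:6}] {f['rule']:30} pid={f['pid']:<5} {f['detail']}")
```

On the constructed sample this yields four findings: the three tied to PID 4321 are rated high because the same process both violated the svchost parent rule and reached two SaaS endpoints, while the lone `python.exe` to Discord connection is rated medium. The severity bump is the point: either rule alone is noisy in a large estate, but the conjunction is the injection-then-beacon sequence the post describes.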
Priority 5 — Inspect Port 443 Connections
SSLORDoor uses OpenSSL BIO over raw TCP/443 — not standard HTTPS. SSL inspection proxies or deep packet inspection will surface the TLS handshake anomaly (non-browser cipher suites, unusual SNI or no SNI). Flag these for review.
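The handshake fields an inspection point can see without decrypting anything are exactly the ones Priority 5 names: the server_name extension and the offered cipher suites. The block below is an added example, not ESET's or Lyrie's code and not a description of SSLORDoor's actual handshake. It parses a TLS ClientHello record and reports the two anomalies; the builder function exists only to construct sample handshakes inline, and the "modern suite" set is an assumed baseline rather than a browser fingerprint database.

```python
# Added example (not ESET's or Lyrie's code): a minimal TLS ClientHello parser
# that reports what a port-443 inspection point can see without decryption:
# whether an SNI was sent and which cipher suites were offered. The builder
# exists only to construct sample handshakes inline; the "modern suite" set is
# an assumed baseline, not a browser fingerprint database.
import struct
from typing import List, Optional

# TLS 1.3 and common ECDHE AEAD suites that current browsers offer (assumed baseline).
MODERN_SUITES = {0x1301, 0x1302, 0x1303, 0xC02B, 0xC02C, 0xC02F, 0xC030, 0xCCA8, 0xCCA9}


def build_client_hello(sni: Optional[str], suites: List[int]) -> bytes:
    """Build a constructed ClientHello record (random bytes zeroed for reproducibility)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"                      # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                           # one compression method: null
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        sni_data = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        exts += struct.pack("!HH", 0x0000, len(sni_data)) + sni_data
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Extract SNI (or None) and offered cipher suites from a ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                   # handshake header, version, random
    p += 1 + hs[p]                                   # session id
    (cs_len,) = struct.unpack("!H", hs[p:p + 2])
    p += 2
    suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + hs[p]                                   # compression methods
    sni = None
    if p + 2 <= len(hs):                             # extensions block is optional
        (ext_total,) = struct.unpack("!H", hs[p:p + 2])
        p += 2
        end = p + ext_total
        while p + 4 <= end:
            e_type, e_len = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if e_type == 0x0000 and e_len >= 5:      # server_name: list_len(2) type(1) name_len(2) name
                (name_len,) = struct.unpack("!H", hs[p + 3:p + 5])
                sni = hs[p + 5:p + 5 + name_len].decode("ascii", "replace")
            p += e_len
    return {"sni": sni, "cipher_suites": suites}


def assess_client_hello(record: bytes) -> List[str]:
    """Return the anomalies the post lists for raw-socket TLS clients: no SNI, no modern suite."""
    info = parse_client_hello(record)
    flags = []
    if info["sni"] is None:
        flags.append("no_sni")
    if not MODERN_SUITES.intersection(info["cipher_suites"]):
        flags.append("no_modern_cipher_suite")
    return flags


# Constructed samples: a browser-like hello and a bare hello with no server_name.
BROWSER_LIKE = build_client_hello("example.com", [0x1301, 0x1302, 0xC02B, 0xC02F])
SUSPECT = build_client_hello(None, [0x002F, 0x0035])           # RSA-CBC suites only, no SNI

if __name__ == "__main__":
    for label, rec in (("browser-like", BROWSER_LIKE), ("suspect", SUSPECT)):
        print(label, parse_client_hello(rec), assess_client_hello(rec) or "clean")
```

A missing server_name is a weak signal on its own (some legitimate tooling omits it), so the check is meant to feed the process-to-network correlation rather than to alert by itself: a hello with no SNI and no modern suite, sourced from a process that is not a browser or a known client, is what should reach an analyst.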
Priority 6 — Hunt for Go-Based Binaries
Go binaries have distinct compilation artifacts: large binary size, embedded runtime strings, specific PE section layouts. EDR tools with binary analysis can flag unexpected Go executables running in system directories.
Priority 7 — Geographic Impossibility Monitoring
Audit Slack, Discord, and Outlook authentication logs for logins from unexpected geographies or at unusual hours. GopherWhisper operators consistently worked UTC+8 business hours — logins to enterprise SaaS accounts at 3 AM local time should trigger review.
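Priority 7 and the attribution reasoning earlier in the post are the same computation viewed from two sides: bucket timestamps by hour, then ask which time zone's working day explains them. The block below is an added example, not ESET's or Lyrie's code. It infers the UTC offset whose 08:00–20:00 window best covers a set of C2 command timestamps, and separately flags SaaS logins that fall outside the account owner's own business hours. All timestamps and the user-to-offset mapping are constructed.

```python
# Added example (not ESET's or Lyrie's code): infer an operator's working-hours
# UTC offset from C2 timestamps, and flag SaaS logins outside a user's own
# business hours. All timestamps and the user/timezone mapping are constructed.
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

WORK_START, WORK_END = 8, 20        # business hours [08:00, 20:00) local, as in the post


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp ('Z' or explicit offset) into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def utc_hour_histogram(timestamps: List[str]) -> Counter:
    """Count events per UTC hour of day."""
    return Counter(parse_utc(t).hour for t in timestamps)


def infer_work_offset(timestamps: List[str]) -> Tuple[int, float]:
    """Return the whole-hour UTC offset whose local business-hours window covers the
    largest share of activity, with that share. Ties keep the first (most westerly) offset."""
    hist = utc_hour_histogram(timestamps)
    total = sum(hist.values())
    best_offset, best_share = 0, -1.0
    for offset in range(-12, 15):
        covered = sum(n for h, n in hist.items() if WORK_START <= (h + offset) % 24 < WORK_END)
        share = covered / total
        if share > best_share:
            best_offset, best_share = offset, share
    return best_offset, best_share


def off_hours_logins(logins: List[dict], user_offsets: Dict[str, int]) -> List[dict]:
    """Priority 7: SaaS logins that fall outside the account owner's own business hours."""
    flagged = []
    for ev in logins:
        local = parse_utc(ev["time"]) + timedelta(hours=user_offsets[ev["user"]])
        if not WORK_START <= local.hour < WORK_END:
            flagged.append({**ev, "local_hour": local.hour})
    return flagged


# Constructed C2 command timestamps; the real archive ESET recovered is far larger.
SAMPLE_C2_TIMES = [
    "2024-09-02T00:30:00Z", "2024-09-02T02:15:00Z", "2024-09-02T03:40:00Z",
    "2024-09-02T05:05:00Z", "2024-09-02T07:50:00Z", "2024-09-02T09:20:00Z",
    "2024-09-02T11:30:00Z", "2024-09-03T01:10:00Z", "2024-09-03T06:45:00Z",
    "2024-09-03T14:00:00Z",   # one outlier outside the UTC+8 working day
]

# Constructed SaaS sign-in events; Ulaanbaatar is UTC+8, so both users map to +8.
SAMPLE_LOGINS = [
    {"user": "analyst.a", "app": "Slack", "time": "2024-09-02T02:00:00Z"},    # 10:00 local
    {"user": "analyst.a", "app": "Outlook", "time": "2024-09-02T19:00:00Z"},  # 03:00 local
    {"user": "analyst.b", "app": "Slack", "time": "2024-09-02T11:30:00Z"},    # 19:30 local
]
USER_OFFSETS = {"analyst.a": 8, "analyst.b": 8}

if __name__ == "__main__":
    offset, share = infer_work_offset(SAMPLE_C2_TIMES)
    print(f"activity best explained by UTC{offset:+d} working hours ({share:.0%} covered)")
    for ev in off_hours_logins(SAMPLE_LOGINS, USER_OFFSETS):
        print("off-hours login:", ev)
```

On the constructed sample, UTC+8 is the only offset whose working day covers both the 00:30 and the 11:30 UTC commands, which is the same inference the post draws from ESET's recovered archive. The login check is deliberately per-user: a 03:00 local sign-in is only anomalous relative to that account's own baseline, so feed it the owner's time zone, not the tenant's.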
Sources
1. ESET Research White Paper — "GopherWhisper: Burrow Full of Malware" (April 2026): https://web-assets.esetstatic.com/wls/en/papers/white-papers/gopherwhisper-burrow-full-malware.pdf
2. ESET IOC Repository (GitHub): https://github.com/eset/malware-ioc/tree/master/gopherwhisper
3. Security Affairs — "GopherWhisper: new China-linked APT targets Mongolia with Go-based malware" (April 30, 2026): https://securityaffairs.com/191318/apt/gopherwhisper-new-china-linked-apt-targets-mongolia-with-go-based-malware.html
4. Rescana Analysis — "China-Linked GopherWhisper APT Targets Mongolian Government" (April 29, 2026): https://www.rescana.com/post/china-linked-gopherwhisper-apt-targets-mongolian-government-abuse-of-slack-discord-and-microsoft-365-in-advanced-espiona/
5. PRSOL — "New GopherWhisper APT group abuses Outlook, Slack, Discord for comms" (April 30, 2026): https://www.prsol.cc/2026/04/30/new-gopherwhisper-apt-group-abuses-outlook-slack-discord-for-comms/
6. Dark Reading — "Chinese APT Abuses Multiple Cloud Tools to Spy on Mongolia" (April 2026): https://www.darkreading.com/cyberattacks-data-breaches/chinese-apt-abuses-cloud-tools-spy-mongolia
7. Channel Post MEA — "ESET Research Discovers New China-aligned group, GopherWhisper" (April 29, 2026): https://channelpostmea.com/2026/04/29/eset-research-discovers-new-china-aligned-group-gopherwhisper/
8. MITRE ATT&CK: T1071.001, T1055, T1078, T1027, T1105, T1567.002
Lyrie.ai Cyber Research Division — Senior Analyst Desk
Lyrie Verdict
Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.