# [CRIT] GopherWhisper: A burrow full of malware **Source:** ESET WeLiveSecurity **Published:** 2026-04-23 **Article:** https://www.welivesecurity.com/en/eset-research/gopherwhisper-burrow-full-malware/ ## Threat Profile GopherWhisper: A burrow full of malware ESET Research GopherWhisper: A burrow full of malware ESET Research has discovered a new China-aligned APT group that we’ve named GopherWhisper, which targets Mongolian governmental institutions Eric Howard 23 Apr 2026  •  , 6 min. read ESET researchers have discovered a previously undocumented China-aligned APT group that we named GopherWhisper. The group wields a wide array of tools mostly written in Go, using injectors and loaders to deploy and ex… ## Indicators of Compromise (high-fidelity only) - **IPv4 (defanged):** `43.231.113.50` - **SHA1:** `c72e7540d6f12d74d8e737b02f31568385f575d7` - **SHA1:** `039eb329a173fce7efeca18611a8f2c0f7d24609` - **SHA1:** `716554dc580a82cc17a1035add302c0766590964` - **SHA1:** `57c2490e4db194d3503ee85635fb1d6f26e8c534` - **SHA1:** `ad7e264eb08415871617e45f21d03f7d71e4c36f` - **SHA1:** `fa9e65e58eb8fa41fde0a0a870b7d24b298026d9` - **SHA1:** `5a1bbb40c442b12594a913431f8c6757a3a66e8f` - **SHA1:** `926974facfd0383c65458d6ef1f31fbb7c769e18` ## MITRE ATT&CK Techniques - **T1071.001** — Web Protocols - **T1071.004** — DNS - **T1071** — Application Layer Protocol - **T1027** — Obfuscated Files or Information - **T1204.002** — User Execution: Malicious File - **T1071.001** — Application Layer Protocol: Web Protocols - **T1102.002** — Web Service: Bidirectional Communication - **T1567.002** — Exfiltration to Cloud Storage - **T1560** — Archive Collected Data - **T1095** — Non-Application Layer Protocol - **T1567** — Exfiltration Over Web Service - **T1055.012** — Process Hollowing / Process Injection: Process Hollowing - **T1574.002** — Hijack Execution Flow: DLL Side-Loading - **T1036.005** — Masquerading: Match Legitimate Name or Location ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### Non-browser process posting to Slack Web API (LaxGopher C2) `UC_362_4` · phase: **c2** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count, min(_time) as firstTime, max(_time) as lastTime, values(Web.url) as urls, values(Web.dest) as dests, dc(Web.url) as urlCount from datamodel=Web where (Web.url="*slack.com/api/*" OR Web.url="*hooks.slack.com*" OR Web.dest="*.slack.com") AND NOT (Web.app IN ("chrome","firefox","msedge","brave","iexplore","slack","teams","outlook","opera","vivaldi") OR Web.process_name IN ("chrome.exe","msedge.exe","firefox.exe","brave.exe","iexplore.exe","slack.exe","teams.exe","outlook.exe","opera.exe","vivaldi.exe")) by Web.src, Web.user, Web.process_name, Web.app | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | sort - lastTime ``` **Defender KQL:** ```kql DeviceNetworkEvents | where Timestamp > ago(7d) | where (RemoteUrl has_any ("slack.com/api/", "hooks.slack.com", "files.slack.com")) or RemoteUrl endswith ".slack.com" | where InitiatingProcessFileName !in~ ("chrome.exe","msedge.exe","firefox.exe","brave.exe","iexplore.exe","slack.exe","teams.exe","outlook.exe","ms-teams.exe","opera.exe","vivaldi.exe") | where InitiatingProcessAccountName !endswith "$" | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort | summarize Hits = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp), SampleUrl = any(RemoteUrl), SampleCmd = any(InitiatingProcessCommandLine) by DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessAccountName | order by LastSeen desc ``` ### Non-browser process posting to Discord API (RatGopher C2) `UC_362_5` · phase: **c2** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count, min(_time) as firstTime, max(_time) as lastTime, values(Web.url) as urls, values(Web.dest) as dests from datamodel=Web where (Web.url="*discord.com/api/*" OR Web.url="*discordapp.com/api/*" OR Web.dest="discord.com" OR Web.dest="discordapp.com" OR Web.dest="*.discord.com") AND NOT (Web.app IN ("chrome","firefox","msedge","brave","iexplore","discord","opera","vivaldi") OR Web.process_name IN ("chrome.exe","msedge.exe","firefox.exe","brave.exe","iexplore.exe","discord.exe","opera.exe","vivaldi.exe")) by Web.src, Web.user, Web.process_name, Web.app | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | sort - lastTime ``` **Defender KQL:** ```kql DeviceNetworkEvents | where Timestamp > ago(7d) | where RemoteUrl has_any ("discord.com/api/", "discordapp.com/api/", "discord.com", "discordapp.com") | where InitiatingProcessFileName !in~ ("chrome.exe","msedge.exe","firefox.exe","brave.exe","iexplore.exe","discord.exe","opera.exe","vivaldi.exe","electron.exe") | where InitiatingProcessAccountName !endswith "$" | summarize Hits = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp), SampleUrl = any(RemoteUrl), SampleCmd = any(InitiatingProcessCommandLine) by DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessAccountName | order by LastSeen desc ``` ### Outbound upload to file.io from non-browser process (CompactGopher exfil) `UC_362_6` · phase: **actions** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count, min(_time) as firstTime, max(_time) as lastTime, sum(All_Traffic.bytes_out) as bytes_out, values(All_Traffic.dest) as dests from datamodel=Network_Traffic where (All_Traffic.dest="file.io" OR All_Traffic.dest="*.file.io") by All_Traffic.src, All_Traffic.user, All_Traffic.app, All_Traffic.process_name | `drop_dm_object_name(All_Traffic)` | where bytes_out > 100000 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | sort - bytes_out ``` **Defender KQL:** ```kql DeviceNetworkEvents | where Timestamp > ago(30d) | where RemoteUrl has "file.io" or RemoteUrl endswith ".file.io" | where InitiatingProcessFileName !in~ ("chrome.exe","msedge.exe","firefox.exe","brave.exe","iexplore.exe","opera.exe","vivaldi.exe") | where InitiatingProcessAccountName !endswith "$" | summarize Hits = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp), SampleCmd = any(InitiatingProcessCommandLine), DstIPs = make_set(RemoteIP, 5) by DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessAccountName | order by LastSeen desc ``` ### Beaconing to GopherWhisper C2 IP 43.231.113.50 (incl. SSLORDoor raw TLS/443) `UC_362_7` · phase: **c2** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count, min(_time) as firstTime, max(_time) as lastTime, values(All_Traffic.dest_port) as dest_port, sum(All_Traffic.bytes_in) as bytes_in, sum(All_Traffic.bytes_out) as bytes_out from datamodel=Network_Traffic where (All_Traffic.dest="43.231.113.50" OR All_Traffic.src="43.231.113.50") by All_Traffic.src, All_Traffic.dest, All_Traffic.user, All_Traffic.process_name | `drop_dm_object_name(All_Traffic)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | sort - lastTime ``` **Defender KQL:** ```kql DeviceNetworkEvents | where Timestamp > ago(90d) | where RemoteIP == "43.231.113.50" or LocalIP == "43.231.113.50" | summarize Hits = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp), DestPorts = make_set(RemotePort, 10), SampleCmd = any(InitiatingProcessCommandLine), Procs = make_set(InitiatingProcessFileName, 10) by DeviceName, InitiatingProcessAccountName | order by LastSeen desc ``` ### Suspicious draft email manipulation against barrantaya.1010@outlook.com (BoxOfFriends Graph API C2) `UC_362_8` · phase: **c2** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl `cim_email_indexes` (sender="barrantaya.1010@outlook.com" OR recipient="barrantaya.1010@outlook.com" OR src_user="barrantaya.1010@outlook.com") | stats count, min(_time) as firstTime, max(_time) as lastTime, values(sender) as senders, values(recipient) as recipients, values(subject) as subjects by src_user, dest_user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` **Defender KQL:** ```kql union isfuzzy=true (EmailEvents | where Timestamp > ago(180d) | where SenderFromAddress =~ "barrantaya.1010@outlook.com" or RecipientEmailAddress =~ "barrantaya.1010@outlook.com" or SenderMailFromAddress =~ "barrantaya.1010@outlook.com" | project Timestamp, Source = "EmailEvents", SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction), (DeviceNetworkEvents | where Timestamp > ago(30d) | where RemoteUrl has_any ("graph.microsoft.com", "outlook.office.com", "outlook.office365.com") | where InitiatingProcessFileName !in~ ("outlook.exe","chrome.exe","msedge.exe","firefox.exe","brave.exe","iexplore.exe","teams.exe","ms-teams.exe","onedrive.exe","officehub.exe","excel.exe","powerpoint.exe","winword.exe","onenote.exe","todo.exe") | where InitiatingProcessAccountName !endswith "$" | project Timestamp, Source = "DeviceNetworkEvents", DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl) | order by Timestamp desc ``` ### whisper.dll loaded / svchost.exe spawned outside services.exe (GopherWhisper JabGopher injection) `UC_362_9` · phase: **install** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count, min(_time) as firstTime, max(_time) as lastTime, values(Processes.process) as cmdlines, values(Processes.parent_process) as parents from datamodel=Endpoint.Processes where Processes.process_name="svchost.exe" AND NOT Processes.parent_process_name IN ("services.exe","MsMpEng.exe","wininit.exe") by Processes.dest, Processes.user, Processes.parent_process_name, Processes.process_name, Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | sort - lastTime ``` **Defender KQL:** ```kql union isfuzzy=true (DeviceProcessEvents | where Timestamp > ago(30d) | where FileName =~ "svchost.exe" | where InitiatingProcessFileName !in~ ("services.exe","msmpeng.exe","wininit.exe") | where AccountName !endswith "$" | project Timestamp, Source = "AnomalousSvchost", DeviceName, AccountName, ParentImage = InitiatingProcessFolderPath, ParentCmd = InitiatingProcessCommandLine, ChildImage = FolderPath, ChildCmd = ProcessCommandLine, SHA1, SHA256), (DeviceImageLoadEvents | where Timestamp > ago(30d) | where FileName =~ "whisper.dll" | project Timestamp, Source = "WhisperDllLoad", DeviceName, ChildImage = InitiatingProcessFileName, ChildPath = InitiatingProcessFolderPath, ChildCmd = InitiatingProcessCommandLine, LoadedPath = FolderPath, SHA1, SHA256), (DeviceFileEvents | where Timestamp > ago(30d) | where FileName =~ "whisper.dll" and ActionType in ("FileCreated","FileRenamed","FileModified") | project Timestamp, Source = "WhisperDllWrite", DeviceName, ChildImage = InitiatingProcessFileName, ChildPath = InitiatingProcessFolderPath, ChildCmd = InitiatingProcessCommandLine, LoadedPath = FolderPath, SHA1, SHA256) | order by Timestamp desc ``` ### Beaconing — periodic outbound to small set of destinations `UC_BEACONING` · phase: **c2** · confidence: **Medium** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count, values(All_Traffic.dest_port) AS ports from datamodel=Network_Traffic.All_Traffic where All_Traffic.action="allowed" AND All_Traffic.dest_category!="internal" by _time span=10s, All_Traffic.src, All_Traffic.dest | `drop_dm_object_name(All_Traffic)` | streamstats current=f last(_time) AS prev_time by src, dest | eval delta = _time - prev_time | stats avg(delta) AS avg_delta stdev(delta) AS sd_delta count by src, dest | where count > 30 AND sd_delta < 5 AND avg_delta>=30 AND avg_delta<=600 | sort - count ``` **Defender KQL:** ```kql DeviceNetworkEvents | where Timestamp > ago(1d) | where RemoteIPType == "Public" and ActionType == "ConnectionSuccess" | project DeviceName, RemoteIP, RemotePort, Timestamp | sort by DeviceName asc, RemoteIP asc, RemotePort asc, Timestamp asc | extend prev_dev = prev(DeviceName, 1), prev_ip = prev(RemoteIP, 1), prev_port = prev(RemotePort, 1), prev_ts = prev(Timestamp, 1) | where DeviceName == prev_dev and RemoteIP == prev_ip and RemotePort == prev_port | extend delta_sec = datetime_diff('second', Timestamp, prev_ts) | summarize conn_count = count(), avg_delta = avg(delta_sec), stdev_delta = stdev(delta_sec) by DeviceName, RemoteIP, RemotePort | where conn_count > 30 and avg_delta between (30.0 .. 600.0) and stdev_delta < 5.0 | order by conn_count desc ``` ### Article-specific behavioural hunt — GopherWhisper: A burrow full of malware `UC_362_3` · phase: **exploit** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Article-specific bespoke detection — GopherWhisper: A burrow full of malware ``` | tstats `summariesonly` count earliest(_time) AS firstTime latest(_time) AS lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("whisper.dll")) by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name, Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | append [ | tstats `summariesonly` count from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified") AND (Filesystem.file_name IN ("whisper.dll")) by Filesystem.dest, Filesystem.user, Filesystem.process_name, Filesystem.file_path, Filesystem.file_name | `drop_dm_object_name(Filesystem)` ] ``` **Defender KQL:** ```kql // Article-specific bespoke detection — GopherWhisper: A burrow full of malware // Hunts the actual binaries / paths / commandline fragments named // in the article instead of a generic technique-class template. DeviceProcessEvents | where Timestamp > ago(30d) | where (FileName in~ ("whisper.dll")) | project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc // File-creation events for the named binaries / paths DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified") | where (FileName in~ ("whisper.dll")) | project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Network connections to article IPs / domains** ([template](../_TEMPLATES.md#network-ioc)) — phase: **c2**, confidence: **High** - IP / domain IOC(s): `43.231.113.50` - **File hash IOCs — endpoint file/process match** ([template](../_TEMPLATES.md#hash-ioc)) — phase: **install**, confidence: **High** - file hash IOC(s): `c72e7540d6f12d74d8e737b02f31568385f575d7`, `039eb329a173fce7efeca18611a8f2c0f7d24609`, `716554dc580a82cc17a1035add302c0766590964`, `57c2490e4db194d3503ee85635fb1d6f26e8c534`, `ad7e264eb08415871617e45f21d03f7d71e4c36f`, `fa9e65e58eb8fa41fde0a0a870b7d24b298026d9`, `5a1bbb40c442b12594a913431f8c6757a3a66e8f`, `926974facfd0383c65458d6ef1f31fbb7c769e18` ## Why this matters Severity classified as **CRIT** based on: IOCs present, 10 use case(s) fired, 14 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.