SSLORDoor
SSLORDoor is a C++ backdoor associated with the China-aligned GopherWhisper threat group. ESET reported it as part of GopherWhisper’s malware arsenal used in intrusions targeting Mongolian governmental institutions, with the broader campaign assessed to have affected about 12 systems in one Mongolian government entity and potentially dozens of additional victims. Unlike most of the group’s Go-based tooling, SSLORDoor is written in C++.
The malware communicates directly with operators over raw TCP sockets on port 443 using OpenSSL BIO and TLS rather than standard HTTPS. Reported functionality includes host and drive enumeration, spawning a hidden cmd.exe for command execution, file operations including read, write, delete, and upload, and creation of proxy socket connections. ESET also reported that SSLORDoor encrypts C2 traffic by XORing bytes with 0x3F and then applying an obfuscated RC4 routine using the key lsk2ksi9f before sending data through TLS.
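The two encoding layers that ESET describes for the C2 channel (XOR with 0x3F, then RC4 with the key lsk2ksi9f, then TLS) are easy to reproduce for analysis of captured traffic. The following decoder is an added example written for this page; it is not ESET's, Mallory's, or the malware author's code. It assumes textbook RC4 (the page only says the routine is "obfuscated", so a real sample may deviate), takes the key and XOR byte from the page, and uses a constructed sample message rather than a real capture. It also includes a known-answer check for the RC4 core and a plausibility heuristic so an analyst can tell whether a decoded buffer actually looks like plaintext.

```python
"""
Decoder for the SSLORDoor C2 message encoding as described by ESET:

    plaintext -> XOR each byte with 0x3F -> RC4(key="lsk2ksi9f") -> TLS

Decoding a TLS-decrypted record therefore runs the layers in reverse:
RC4 first (RC4 is symmetric), then XOR 0x3F.

Assumption: the RC4 routine is textbook RC4. The report calls the sample's
implementation "obfuscated", which may mean only the code is obfuscated,
but a real sample could also use a modified KSA/PRGA.
"""

KEY = b"lsk2ksi9f"   # key reported on the page
XOR_BYTE = 0x3F      # XOR value reported on the page


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key-scheduling algorithm followed by the PRGA keystream."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # KSA: permute the 256-byte state under the key
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # PRGA: generate keystream and XOR it onto the data
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_known_answer_ok() -> bool:
    """Self-check against the public RC4 test vector (key 'Key', text 'Plaintext')."""
    return rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"


def encode_outbound(plain: bytes) -> bytes:
    """Apply the reported layers in send order: XOR 0x3F, then RC4."""
    xored = bytes(b ^ XOR_BYTE for b in plain)
    return rc4(KEY, xored)


def decode_captured(blob: bytes) -> bytes:
    """Reverse the layers on a TLS-decrypted record: RC4, then XOR 0x3F."""
    return bytes(b ^ XOR_BYTE for b in rc4(KEY, blob))


def is_plausible_plaintext(data: bytes, threshold: float = 0.9) -> bool:
    """Heuristic: treat a buffer as decoded if >=90% of bytes are printable ASCII or whitespace.

    Useful when the key or layer order is in doubt: a wrong decode looks like noise.
    """
    if not data:
        return False
    printable = sum(1 for b in data if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return printable / len(data) >= threshold


# Constructed sample message (not from a real capture); shaped like the host
# enumeration output the page attributes to the backdoor.
CONSTRUCTED_PLAINTEXT = b"hostname=WS-01;os=Windows 10;arch=x64"


def demo_roundtrip() -> bytes:
    """Encode the constructed sample as the implant would, then decode it as an analyst would."""
    wire = encode_outbound(CONSTRUCTED_PLAINTEXT)
    decoded = decode_captured(wire)
    return decoded


if __name__ == "__main__":
    print("RC4 known-answer check:", rc4_known_answer_ok())
    wire = encode_outbound(CONSTRUCTED_PLAINTEXT)
    print("on the wire (hex):", wire.hex())
    print("raw bytes plausible plaintext?", is_plausible_plaintext(wire))
    decoded = decode_captured(wire)
    print("decoded plausible plaintext?", is_plausible_plaintext(decoded))
    print("decoded:", decoded.decode("ascii"))
```

The plausibility check is the practical part: if a candidate sample uses a non-standard RC4 or a different XOR byte, `decode_captured` will still return bytes, but the printable ratio will collapse, which is the signal to go back to the disassembly rather than trust the output.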
Observed sample information includes delltool.exe, detected as Win64/Agent.AGD and described as an SSLORDoor backdoor. A reported SSLORDoor command-and-control server is 43.231.113[.]50, hosted by Intelligent Tools and first seen on 2025-03-24.
Groups observed using it
1 distinct threat actor attributed by public researchers.
We also unearthed two other backdoors: RatGopher and SSLORDoor. RatGopher leverages Discord for communication with the operators. SSLORDoor, unlike the rest of the tools that we had discovered at that point, was not written in Go but in C++.
Techniques & procedures
21 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
2 techniques
LaxGopher has the following capabilities: interactively execute commands via cmd.exe... RatGopher has the following capabilities: execute a new instance of cmd.exe... SSLORDoor has the following capabilities: spawn a hidden cmd.exe.
Stealth
2 techniques
CompactGopher runs its own cleanup process by deleting both the cleartext and encrypted archives... BoxOfFriends selfdelete... the file used in the injection process will be deleted.
JabGopher, LaxGopher, CompactGopher, RatGopher, and SSLORDoor all have encryption/decryption capabilities.
Discovery
5 techniques
LaxGopher, RatGopher, and SSLORDoor can enumerate all services running on a compromised host.
LaxGopher, RatGopher, and SSLORDoor can collect the hostname, OS version, and OS architecture of a compromised host.
LaxGopher, RatGopher, and SSLORDoor can obtain file and directory listings.
SSLORDoor – C++ backdoor using OpenSSL BIO over raw sockets (port 443), capable of executing commands and performing file operations (read, write, delete, upload) and drive enumeration.
LaxGopher, RatGopher, and SSLORDoor can identify running software on victim machines.
Collection
1 technique
LaxGopher, RatGopher, SSLORDoor, and CompactGopher can collect local data from a compromised machine.
Command and Control
10 techniques
SSLORDoor can send a raw encrypted byte stream via the default HTTPS port.
SSLORDoor communicates directly with the operators over an encrypted channel on port 443.
Attackers continue to lean on everyday collaboration platforms to hide command and control traffic inside normal enterprise noise... running its operations through Slack workspaces, Discord servers, Outlook drafts, and the file.io sharing service.
Command 21: Creates a connection to a new socket as a proxy, where bytes are read through recv and processed onto the stack as C&C messages.
SSLORDoor: a backdoor built in C++ that uses OpenSSL BIO for communication via raw sockets on port 443.
LaxGopher, RatGopher, and SSLORDoor can all download additional files/payloads.
SSLORDoor leverages custom data encoding to communicate with the C&C. BoxOfFriends uses base58 and base64 encoding.
Also used by the threat actor is ... a C++ backdoor that offers remote control over compromised hosts.
LaxGopher and RatGopher use AES algorithms for encryption. BoxOfFriends uses XOR encryption.
SSLORDoor uses TLS encryption for C&C communication.
Exfiltration
1 technique
LaxGopher, RatGopher, SSLORDoor, and BoxOfFriends exfiltrate data to their C&Cs.
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
12 sources tracked across advisories, community write-ups, and news.
A backdoor or remote access component that performs file operations over encrypted sockets.
A C++ backdoor used by the GopherWhisper threat actor as part of its custom toolkit.
A backdoor used by GopherWhisper; unlike some of the others, it does not abuse a SaaS platform for command-and-control.
A C++ backdoor that communicates over raw sockets on port 443 using OpenSSL BIO and enables drive enumeration, file operations, and remote command execution.