RatGopher
RatGopher is a Go-based backdoor used in the GopherWhisper intrusion set. It uses the Discord API via the discordgo library to communicate with a private Discord server for command and control, receiving commands from a configured channel and posting execution results back to that channel. Reported capabilities include executing commands through cmd.exe, uploading files to and downloading files from file.io, and a kill command. Multiple sources state that it uses AES-128 in CFB and CBC modes, with support for operator-driven CBC key and IV rotation through specially formatted Discord messages. One reported initialization message is "Hello, everyone!\nI'm coming!". RatGopher has been associated with the China-aligned threat actor GopherWhisper, which ESET observed targeting governmental institutions in Mongolia, including roughly 12 compromised systems in one Mongolian government entity, with indications of additional victims. The malware is part of a broader GopherWhisper toolset that also includes LaxGopher, BoxOfFriends, CompactGopher, JabGopher, FriendDelivery, and SSLORDoor. Reported sample metadata includes intelservice.exe, detected as WinGo/Agent.VM, described as a RatGopher backdoor using Discord for C2. The content also states that GopherWhisper used a stolen Google LLC code-signing certificate to sign RatGopher.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
We also unearthed two other backdoors: RatGopher and SSLORDoor. RatGopher leverages Discord for communication with the operators.
Techniques & procedures
21 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
3 techniquesGopherWhisper uses Slack, Discord, and Microsoft Graph services for its C&C infrastructure.
RatGopher and early versions of its source code were identified from chat log analysis. BoxOfFriends is a custom backdoor.
GopherWhisper has used stolen Google LLC code-signing certificates to sign RatGopher.
Execution
2 techniquesLaxGopher communicates via Slack, runs commands, and downloads payloads
LaxGopher has the following capabilities: interactively execute commands via cmd.exe... RatGopher has the following capabilities: execute a new instance of cmd.exe... SSLORDoor has the following capabilities: spawn a hidden cmd.exe.
Stealth
1 techniqueJabGopher, LaxGopher, CompactGopher, RatGopher, and SSLORDoor all have encryption/decryption capabilities.
Discovery
4 techniquesLaxGopher, RatGopher, and SSLORDoor can enumerate all services running on a compromised host.
LaxGopher, RatGopher, and SSLORDoor can collect the hostname, OS version, and OS architecture of a compromised host.
LaxGopher, RatGopher, and SSLORDoor can obtain file and directory listings.
LaxGopher, RatGopher, and SSLORDoor can identify running software on victim machines.
Collection
1 techniqueLaxGopher, RatGopher, SSLORDoor, and CompactGopher can collect local data from a compromised machine.
Command and Control
7 techniquesAttackers continue to lean on everyday collaboration platforms to hide command and control traffic inside normal enterprise noise... running its operations through Slack workspaces, Discord servers, Outlook drafts, and the file.io sharing service.
RatGopher backdoor that uses Discord for C&C.
The blog post on GopherWhisper’s toolset including backdoors abusing publicly available services like Slack, Discord, and Microsoft Graph
LaxGopher, RatGopher, and BoxOfFriends use Slack, Discord, and Microsoft Graph, respectively, for C&C infrastructure.
LaxGopher, RatGopher, and SSLORDoor can all download additional files/payloads.
LaxGopher and RatGopher use base64 to encode messages sent to their C&Cs.
LaxGopher and RatGopher use AES algorithms for encryption. BoxOfFriends uses XOR encryption.
Exfiltration
3 techniquesLaxGopher, RatGopher, SSLORDoor, and BoxOfFriends exfiltrate data to their C&Cs.
RatGopher and CompactGopher use HTTPS to exfiltrate data collected from victims to file.io.
LaxGopher leverages Slack to exfiltrate data. RatGopher leverages Discord and file.io to exfiltrate data. CompactGopher uses the file.io web service to exfiltrate data.
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
14 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A backdoor that uses Discord for command execution.
A Go-based backdoor used by the GopherWhisper threat actor for malicious operations and command-and-control via legitimate services.
A backdoor used by GopherWhisper that abuses Discord for command-and-control.
A Go-based backdoor/RAT that uses Discord for C2, executes commands, returns output, and supports file upload and download via file.io.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.