CompactGopher
CompactGopher is a custom Go-based file collection and data exfiltration tool used by the China-aligned GopherWhisper threat group. It has been described as a payload dropped by LaxGopher and as a dedicated utility used to remove stolen information from compromised networks, including in intrusions targeting Mongolian governmental institutions observed by ESET in 2025. Its core behavior is to take files specified via command-line arguments, collect files of interest, compress them into ZIP archives, encrypt the archives with AES-CFB-128, and automatically upload them to the file-sharing service file.io for exfiltration. Reported file-selection behavior includes filtering by extension and timestamp; specifically mentioned targeted extensions are .doc, .docx, .jpg, .xls, .xlsx, .txt, .pdf, .ppt, and .pptx. After successful upload, it deletes the local archive. One reported hardcoded AES-CFB-128 key is korehappyhappyhappy+821054197565. A referenced sample is temp001.exe, detected as WinGo/Filecoder.JI and described as the CompactGopher exfiltration tool.
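The behaviour described above gives a defender two cheap pivots: outbound HTTP POSTs to file.io (a service that needs no registration, so any workstation upload is worth a look) and the reported hardcoded key string inside a binary. The following script is an added example written for this page, not code from ESET, Mallory, or the malware itself. It parses constructed proxy log lines in a hypothetical format and flags file.io uploads, marking those that carry Go's default `Go-http-client/1.1` user agent, and it scans a byte buffer for the hardcoded key. The log format, host names, and timestamps are made up; the indicators come from the description above.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the family description on this page.
FILE_IO_HOSTS = {"file.io", "www.file.io"}
HARDCODED_KEY = b"korehappyhappyhappy+821054197565"
TARGET_EXTS = {".doc", ".docx", ".jpg", ".xls", ".xlsx", ".txt",
               ".pdf", ".ppt", ".pptx"}

# Go's net/http sends this user agent unless the program overrides it;
# a Go-based uploader that does not set one will show up like this.
GO_DEFAULT_UA = "Go-http-client/1.1"

# Hypothetical proxy log layout (constructed for this example):
#   <ts> <src_host> <method> <url> <status> <bytes_out> "<user_agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: one benign page view, one large Go upload to
# file.io, one browser GET of file.io, and one small browser POST.
SAMPLE_LOGS = """\
2025-06-03T09:12:01Z ws-017 GET https://www.example.com/index.html 200 512 "Mozilla/5.0"
2025-06-03T09:13:44Z ws-017 POST https://file.io/ 200 48211234 "Go-http-client/1.1"
2025-06-03T09:14:02Z ws-021 GET https://file.io/ 200 2048 "Mozilla/5.0"
2025-06-03T09:15:10Z ws-033 POST https://file.io/ 200 1200 "Mozilla/5.0"
"""


def flag_fileio_uploads(lines, large_threshold=1_000_000):
    """Return one finding per HTTP POST to file.io.

    Each finding records the source host, the bytes sent, whether the body
    crossed `large_threshold` (a ZIP of documents is rarely tiny), and
    whether the request used Go's default user agent.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the expected layout; skip rather than guess
        host = urlsplit(m["url"]).hostname
        if m["method"] != "POST" or host not in FILE_IO_HOSTS:
            continue
        sent = int(m["bytes"])
        findings.append({
            "ts": m["ts"],
            "src": m["src"],
            "bytes": sent,
            "large": sent >= large_threshold,
            "go_default_ua": m["ua"] == GO_DEFAULT_UA,
        })
    return findings


def scan_for_hardcoded_key(data: bytes) -> bool:
    """True if the reported hardcoded AES key appears verbatim in `data`.

    Useful as a quick triage check on a suspect executable; a packed or
    obfuscated sample may hide the string, so a miss is not a clean bill.
    """
    return HARDCODED_KEY in data


def has_targeted_extension(path: str) -> bool:
    """True if `path` ends in one of the extensions the tool is reported to collect."""
    dot = path.rfind(".")
    return dot != -1 and path[dot:].lower() in TARGET_EXTS


if __name__ == "__main__":
    for f in flag_fileio_uploads(SAMPLE_LOGS.splitlines()):
        tag = "HIGH" if f["large"] and f["go_default_ua"] else "review"
        print(f"[{tag}] {f['ts']} {f['src']} POST file.io {f['bytes']} bytes")
```

Run over real proxy or firewall logs, the first finding (large body plus Go's default user agent) is the one to page on; the small browser POST is the kind of event a manual review clears quickly. The string scan is a triage shortcut, not a detection on its own.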
Groups observed using it
1 distinct threat actor attributed by public researchers.
CompactGopher is a custom Go-based file collection and exfiltration tool deployed by operators to conveniently compress files specified in command line arguments and automatically exfiltrate them to the file.io file sharing service, which allows the uploading of files without requiring any registration.
Techniques & procedures
16 distinct techniques documented for this family, organized by ATT&CK tactic.
Stealth
2 techniques
CompactGopher runs its own cleanup process by deleting both the cleartext and encrypted archives... BoxOfFriends selfdelete... the file used in the injection process will be deleted.
JabGopher, LaxGopher, CompactGopher, RatGopher, and SSLORDoor all have encryption/decryption capabilities.
Discovery
1 technique
CompactGopher, a Go-based file collection utility dropped by LaxGopher to filter files of interest by extensions (.doc, .docx, .jpg, .xls, .xlsx, .txt, .pdf, .ppt, and .pptx).
Collection
5 techniques
LaxGopher, RatGopher, SSLORDoor, and CompactGopher can collect local data from a compromised machine.
CompactGopher packages selected files and ships them out through the file.io sharing service.
CompactGopher automates the collection of data based on command line arguments.
GopherWhisper also used a custom exfiltration tool to compress stolen data and upload it to the File.io file-sharing service.
CompactGopher can be used as a utility to collect and archive data.
Command and Control
4 techniques
LaxGopher, RatGopher, and BoxOfFriends use HTTPS for C&C communication.
GopherWhisper leverages Discord, Slack, Microsoft 365 Outlook, and file.io for C&C communications and exfiltration.
LaxGopher, RatGopher, and SSLORDoor can all download additional files/payloads.
LaxGopher and RatGopher use AES algorithms for encryption. BoxOfFriends uses XOR encryption.
Exfiltration
4 techniques
CompactGopher is a file uploader that automatically exfiltrates data.
RatGopher and CompactGopher use HTTPS to exfiltrate data collected from victims to file.io.
To remove stolen information from compromised networks, the attackers used a dedicated data exfiltration tool called CompactGopher, which compressed files and uploaded them to the file-sharing service File.io.
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
12 sources tracked across advisories, community write-ups, and news.
A payload used to compress and exfiltrate files from compromised systems.
A custom tool used to compress and exfiltrate stolen data to file-sharing services such as File.io.
A malware component used for file exfiltration via the public file-sharing service file.io; the article notes it is not technically a C2 tool.
A Go-based file collection and exfiltration utility that filters documents and images by extension, compresses them into ZIP archives, encrypts them with AES-CFB-128, and uploads them to file.io.