


Perceptive Security
SOC/SIEM Consultancy

New GopherWhisper APT group abuses Outlook, Slack, Discord for comms
Published:
23 April 2026 at 12:06:18
Alert date:
23 April 2026 at 13:01:25
Source:
bleepingcomputer.com
Ransomware & Malware, Data Breach & Exfiltration, Email & Messaging
A newly discovered state-backed threat actor named GopherWhisper has been identified conducting attacks against government entities. The group uses a custom Go-based toolkit and leverages legitimate communication services including Microsoft 365 Outlook, Slack, and Discord for command and control communications. This represents a sophisticated APT campaign that abuses trusted platforms to evade detection while targeting government infrastructure.
Technical details
GopherWhisper is a China-linked state-backed APT group active since 2023 that uses a Go-based custom toolkit. The group deploys multiple backdoors including LaxGopher (Slack C2), RatGopher (Discord C2), BoxOfFriends (Microsoft Graph API/Outlook C2), SSLORDoor (C++ backdoor using OpenSSL), JabGopher (injector), FriendDelivery (DLL loader), and CompactGopher (file collection tool). The malware uses legitimate services such as Microsoft 365 Outlook, Slack, and Discord for command-and-control communication. Commands are executed via Command Prompt, and stolen data is compressed and uploaded to the File.io file-sharing service. Researchers analyzed 6,044 Slack messages dating back to August 2024 and 3,005 Discord messages dating back to November 2023. Activity patterns suggest the operators work in the UTC+8 timezone during standard working hours.
Mitigation steps:
Use the indicators of compromise (IoCs) provided by ESET to help identify and block attacks from the GopherWhisper threat cluster. Monitor for suspicious activity involving Slack, Discord, and Microsoft Graph API communications that could indicate C2 traffic.
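The monitoring advice above can be turned into a concrete SIEM-style check. The following is an added example written for this alert, not code from ESET, Perceptive or the source article. It runs two rules over proxy/EDR-style connection records: a process that is not one of the sanctioned clients reaching Slack, Discord, the Microsoft Graph API or File.io, and a large POST to File.io. The log schema, the hostname suffixes, the process allow-lists, the byte threshold and the sample records are all assumptions of the example and must be tuned to your own estate.

```python
"""Detection sketch for the GopherWhisper mitigation advice: flag endpoint
processes that reach Slack, Discord, the Microsoft Graph API or File.io when
they are not the applications expected to do so, and flag bulk uploads to
File.io.

Added example; not ESET's or Perceptive's code. The record schema, the
allow-lists, the threshold and the sample records are constructed assumptions.
"""

from collections import defaultdict

# Destinations the alert names as C2 / exfiltration channels.
# Mapping of channel label -> hostname suffixes is an assumption of this example.
CHANNELS = {
    "slack":   ("slack.com",),
    "discord": ("discord.com", "discordapp.com"),
    "graph":   ("graph.microsoft.com",),
    "fileio":  ("file.io",),
}

# Processes that legitimately reach each channel on a managed workstation.
# Illustrative allow-list only; tune to what is actually deployed.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
EXPECTED = {
    "slack":   {"slack.exe"} | BROWSERS,
    "discord": {"discord.exe"} | BROWSERS,
    "graph":   {"outlook.exe", "teams.exe", "onedrive.exe"} | BROWSERS,
    "fileio":  set(),   # assumption: no sanctioned use of File.io in this estate
}

# Exfil heuristic (assumed threshold): a POST of this size or more to File.io.
UPLOAD_BYTES = 1_000_000


def classify(host: str):
    """Return the channel label for a destination hostname, or None.

    Matches the bare suffix or any subdomain of it; 'evilslack.com' does not match."""
    h = host.lower().rstrip(".")
    for label, suffixes in CHANNELS.items():
        if any(h == s or h.endswith("." + s) for s in suffixes):
            return label
    return None


def detect(records):
    """Run both rules over records shaped like
    {host, process, dest, method, bytes_out}.

    Returns a list of (rule, host, process, dest) tuples."""
    findings = []
    for r in records:
        label = classify(r["dest"])
        if label is None:
            continue
        proc = r["process"].lower()
        if proc not in EXPECTED[label]:
            findings.append(("unexpected-process", r["host"], proc, r["dest"]))
        if label == "fileio" and r["method"] == "POST" and r["bytes_out"] >= UPLOAD_BYTES:
            findings.append(("bulk-upload", r["host"], proc, r["dest"]))
    return findings


def hosts_with_multiple_channels(findings):
    """Hosts where unexpected processes touch more than one channel are
    stronger candidates: the alert describes separate backdoors per service."""
    seen = defaultdict(set)
    for rule, host, _proc, dest in findings:
        if rule == "unexpected-process":
            seen[host].add(classify(dest))
    return sorted(h for h, labels in seen.items() if len(labels) > 1)


# Constructed sample records (not real telemetry).
SAMPLE = [
    {"host": "ws-101", "process": "slack.exe",    "dest": "wss-primary.slack.com", "method": "GET",  "bytes_out": 2_048},
    {"host": "ws-101", "process": "outlook.exe",  "dest": "graph.microsoft.com",   "method": "GET",  "bytes_out": 4_096},
    {"host": "ws-207", "process": "helper.exe",   "dest": "slack.com",             "method": "POST", "bytes_out": 1_536},
    {"host": "ws-207", "process": "helper.exe",   "dest": "discord.com",           "method": "POST", "bytes_out": 1_200},
    {"host": "ws-207", "process": "helper.exe",   "dest": "file.io",               "method": "POST", "bytes_out": 48_000_000},
    {"host": "ws-318", "process": "chrome.exe",   "dest": "discord.com",           "method": "GET",  "bytes_out": 900},
    {"host": "ws-318", "process": "rundll32.exe", "dest": "graph.microsoft.com",   "method": "POST", "bytes_out": 700},
]

if __name__ == "__main__":
    found = detect(SAMPLE)
    for f in found:
        print(f)
    print("multi-channel hosts:", hosts_with_multiple_channels(found))
```

Against the sample, ws-101 and the browser session on ws-318 produce nothing, while ws-207 trips the process rule on three channels and the upload rule on File.io. Process-name allow-listing is a coarse first filter: pair it with the published IoCs, and expect legitimate exceptions (scripts, integrations) that need to be added to the allow-list rather than ignored.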
Affected products:
Microsoft 365 Outlook
Microsoft Graph API
Slack
Discord
File.io file-sharing service
Related links:
https://www.welivesecurity.com/en/eset-research/gopherwhisper-burrow-full-malware/
http://web-assets.esetstatic.com/wls/en/papers/white-papers/gopherwhisper-burrow-full-malware.pdf
http://github.com/eset/malware-ioc/tree/master/gopherwhisper
Related CVEs:
Related threat actors:
IoCs:
Indicators of compromise available from ESET GitHub repository at github.com/eset/malware-ioc/tree/master/gopherwhisper
This article was created with the assistance of AI technology by Perceptive.
