Nation-state | Apr 23, 2026

New GopherWhisper APT group abuses Outlook, Slack, Discord for comms

Chinese state-backed GopherWhisper APT deploys Go malware using Outlook, Slack, Discord for C2.

Summary

A previously undocumented Chinese state-sponsored threat actor named GopherWhisper has been conducting attacks against government entities since at least 2023, using a custom Go-based malware toolkit that abuses legitimate services like Microsoft 365 Outlook, Slack, and Discord for command-and-control communications. ESET researchers identified a custom toolset (LaxGopher, RatGopher, BoxOfFriends, SSLORDoor, JabGopher, FriendDelivery, CompactGopher) deployed against a Mongolian government institution and dozens of other victims worldwide. Using the attacker's hardcoded credentials, researchers recovered thousands of C2 messages and attributed the group to China based on timezone analysis and locale metadata.

Full text

New GopherWhisper APT group abuses Outlook, Slack, Discord for comms
By Bill Toulas
April 23, 2026 08:06 AM

A previously undocumented state-backed threat actor named GopherWhisper is using a Go-based custom toolkit and legitimate services like Microsoft 365 Outlook, Slack, and Discord in attacks against government entities.

Active since at least 2023, the hackers have been linked to China and are estimated to have compromised dozens of victims.

In a campaign identified by cybersecurity company ESET, the threat actor targeted a government entity in Mongolia and deployed a malware set with multiple backdoors that used Slack, Discord, and the Microsoft Graph API for command-and-control (C2) communication. GopherWhisper also used a custom exfiltration tool to compress stolen data and upload it to the File.io file-sharing service.

In January 2025, ESET detected the first GopherWhisper backdoor that was written in Go and named it LaxGopher. The malware can retrieve commands from a private Slack server, execute them using the Command Prompt, and download new payloads.

Further investigation revealed that the threat actor had deployed additional malicious tools, most of them Go-based:

  • RatGopher – Go-based backdoor that uses a private Discord server for C2, executing commands and posting results back to a configured channel.
  • BoxOfFriends – Go-based backdoor that leverages Microsoft 365 Outlook (via the Microsoft Graph API) to create and modify draft emails for C2 communication.
  • SSLORDoor – C++ backdoor using OpenSSL BIO over raw sockets (port 443), capable of executing commands, performing file operations (read, write, delete, upload), and enumerating drives.
  • JabGopher – Injector that launches svchost.exe and injects the LaxGopher backdoor (disguised as whisper.dll) into its memory.
  • FriendDelivery – Malicious DLL acting as a loader and injector that executes the BoxOfFriends backdoor.
  • CompactGopher – Go-based file collection tool that compresses data from the command line and exfiltrates it to the file-sharing service file.io.

[Image: The GopherWhisper toolset. Source: ESET]

Using credentials hardcoded in the Go-based backdoors, the researchers were able to access the attacker's accounts on Slack, Discord, and Microsoft Outlook, and recover C2 communication consisting of commands, uploaded files, and experimental activity.

“We retrieved and analyzed a total of 6,044 Slack messages going back to August 21, 2024, and 3,005 Discord messages with the earliest dating from November 16, 2023,” ESET says in a technical report today.

This access, along with metadata obtained from the C2 server, also helped researchers link the hackers to China.

“Timestamp inspection of these Slack messages showed that the commands were issued between 12 a.m. and 12 p.m. UTC, while Discord message history revealed commands being sent between 12 a.m. and 2 p.m. UTC.”

Furthermore, the researchers said that after shifting the timestamps to UTC+8, which fits the "locale zh-CN found in the metadata of the Slack server," they noticed little activity outside the 8 a.m. to 5 p.m. working-hour interval, increasing attribution confidence.

ESET telemetry data indicates that GopherWhisper compromised 12 systems in a Mongolian government institution, but analysis of the Discord and Slack C2 traffic revealed that there are "dozens of other victims," although researchers lack visibility into their geography and activity sectors.

A set of GopherWhisper indicators of compromise (IoCs) is available from ESET to help defenders identify and block attacks from the new threat cluster.
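Because the backdoors above carry their C2 inside ordinary traffic to Slack, Discord and the Microsoft Graph API, and exfiltrate through file.io, the destination alone tells a defender little; what stands out is which process is talking to those services. The following Python is an added defender-side example, not code from the article or from ESET: it flags collaboration-service traffic from processes outside a per-service baseline and any upload to file.io. The event records, host names, process baseline and URL paths are constructed assumptions for illustration, not indicators from the report.

```python
"""Flag collaboration-service and file-sharing traffic from unexpected processes.

Added example for the article above. The event records are constructed, not
real telemetry; field names and the process baseline are assumptions that an
organization would replace with its own.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Services the article says GopherWhisper abused, mapped to the client
# processes a defender would normally expect to contact them (assumed baseline).
# file.io has no sanctioned client here, so any traffic to it is notable.
EXPECTED_CLIENTS = {
    "slack.com": {"slack.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
    "discord.com": {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
    "graph.microsoft.com": {"outlook.exe", "teams.exe", "onedrive.exe",
                            "chrome.exe", "msedge.exe"},
    "file.io": set(),
}


@dataclass(frozen=True)
class NetEvent:
    host: str        # endpoint that generated the connection
    process: str     # image name of the connecting process
    dest: str        # destination hostname (from proxy/TLS SNI)
    path: str        # request path, informational only
    method: str      # HTTP method
    bytes_out: int   # request body size


@dataclass(frozen=True)
class Finding:
    host: str
    process: str
    dest: str
    reason: str


def _watched_domain(dest: str) -> str:
    """Return the watched service domain that `dest` belongs to, or ''."""
    for domain in EXPECTED_CLIENTS:
        if dest == domain or dest.endswith("." + domain):
            return domain
    return ""


def flag_events(events: Iterable[NetEvent]) -> List[Finding]:
    """Return one Finding per event that breaks the per-service process baseline."""
    findings: List[Finding] = []
    for ev in events:
        domain = _watched_domain(ev.dest)
        if not domain:
            continue
        proc = ev.process.lower()
        # Uploads to the file-sharing service are flagged regardless of process.
        if domain == "file.io" and ev.method.upper() in ("POST", "PUT"):
            findings.append(Finding(ev.host, ev.process, ev.dest,
                                    "upload to file-sharing service"))
            continue
        if proc not in EXPECTED_CLIENTS[domain]:
            findings.append(Finding(ev.host, ev.process, ev.dest,
                                    f"unexpected process for {domain}"))
    return findings


def summarize_by_host(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per endpoint so hosts with several hits surface first."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts


# Constructed sample telemetry. svchost.exe reaching Slack and Graph mirrors the
# article's note that the LaxGopher backdoor is injected into svchost.exe.
SAMPLE_EVENTS = [
    NetEvent("WS-017", "svchost.exe", "slack.com", "/api/chat.postMessage", "POST", 1840),
    NetEvent("WS-017", "svchost.exe", "graph.microsoft.com", "/v1.0/me/messages", "POST", 960),
    NetEvent("WS-042", "OUTLOOK.EXE", "graph.microsoft.com", "/v1.0/me/mailFolders", "GET", 0),
    NetEvent("WS-042", "chrome.exe", "discord.com", "/api/v10/gateway", "GET", 0),
    NetEvent("WS-088", "powershell.exe", "file.io", "/", "POST", 52428800),
    NetEvent("WS-088", "Discord.exe", "discord.com", "/api/v10/users/@me", "GET", 0),
]

if __name__ == "__main__":
    for f in flag_events(SAMPLE_EVENTS):
        print(f"{f.host}: {f.process} -> {f.dest} ({f.reason})")
    print(summarize_by_host(flag_events(SAMPLE_EVENTS)))
```

Running it on the constructed events reports the two svchost.exe connections on WS-017 and the PowerShell upload on WS-088, while the Outlook, Chrome and Discord client traffic passes. The baseline is the whole of the logic: a host where a system process speaks to a chat service is rare enough to review, even though the service itself is legitimate.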
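ESET's attribution step, shifting the recovered C2 message timestamps to UTC+8 and checking how much activity falls inside an 8 a.m. to 5 p.m. working day, can be reproduced as a small analysis. The following Python is an added example, not ESET's code, and the timestamps in it are constructed rather than taken from the recovered Slack or Discord history. It generalizes the article's single check by scoring every whole-hour UTC offset on the share of messages that land in working hours, so the offset that best fits an operator's working day falls out of the data instead of being assumed.

```python
"""Score candidate UTC offsets by how much C2 activity falls in working hours.

Added example for the attribution paragraph above. SAMPLE_MESSAGE_TIMES is
constructed sample data, not ESET's recovered message history.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def working_hours_ratio(timestamps: Iterable[str], offset_hours: int,
                        start_hour: int = 8, end_hour: int = 17) -> float:
    """Fraction of messages whose local hour satisfies start_hour <= h < end_hour."""
    tz = timezone(timedelta(hours=offset_hours))
    total = inside = 0
    for ts in timestamps:
        local = parse_utc(ts).astimezone(tz)
        total += 1
        if start_hour <= local.hour < end_hour:
            inside += 1
    return inside / total if total else 0.0


def hour_histogram(timestamps: Iterable[str], offset_hours: int) -> Dict[int, int]:
    """Message count per local hour, the view an analyst eyeballs for a work pattern."""
    tz = timezone(timedelta(hours=offset_hours))
    counts: Dict[int, int] = {}
    for ts in timestamps:
        h = parse_utc(ts).astimezone(tz).hour
        counts[h] = counts.get(h, 0) + 1
    return dict(sorted(counts.items()))


def rank_offsets(timestamps: List[str],
                 offsets: Iterable[int] = range(-12, 15)) -> List[Tuple[int, float]]:
    """Rank whole-hour offsets, best working-hours fit first (ties keep offset order)."""
    scored = [(o, working_hours_ratio(timestamps, o)) for o in offsets]
    return sorted(scored, key=lambda p: -p[1])


# Constructed sample: command timestamps clustered between midnight and 10 a.m.
# UTC, the kind of pattern the article describes for the Slack channel.
SAMPLE_MESSAGE_TIMES = [
    "2024-08-21T00:15:00Z",
    "2024-08-21T01:40:00Z",
    "2024-08-21T03:05:00Z",
    "2024-08-22T06:30:00Z",
    "2024-08-22T08:50:00Z",
    "2024-08-23T02:20:00Z",
    "2024-08-23T07:45:00Z",
    "2024-08-26T10:30:00Z",  # one message after the assumed local working day
]

if __name__ == "__main__":
    for offset, ratio in rank_offsets(SAMPLE_MESSAGE_TIMES)[:5]:
        print(f"UTC{offset:+d}: {ratio:.0%} of messages in 08:00-17:00")
    print(hour_histogram(SAMPLE_MESSAGE_TIMES, 8))
```

On the constructed data UTC+8 scores highest, with seven of eight messages inside the working day and the one 10:30 UTC message landing at 18:30 local. In practice the ranking is only one input: neighbouring offsets score almost as well, so it is the agreement with an independent clue, here the zh-CN locale in the Slack server metadata, that makes the result worth stating with any confidence.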

Indicators of Compromise

  • malware — LaxGopher
  • malware — RatGopher
  • malware — BoxOfFriends
  • malware — SSLORDoor
  • malware — JabGopher
  • malware — FriendDelivery
  • malware — CompactGopher

Entities

  • GopherWhisper (threat_actor)
  • Microsoft (vendor)
  • Microsoft 365 Outlook (product)
  • Slack (technology)
  • Discord (technology)
  • ESET (vendor)