“We retrieved and analyzed a total of 6,044 Slack messages going back to August 21, 2024, and 3,005 Discord messages with the earliest dating from November 16, 2023,” ESET says in a technical report today.
ESET’s recovered logs give an unusually clear window into operations
That raw evidence is the foundation of ESET’s account of a previously undocumented, state-backed cluster it calls GopherWhisper. Researchers say the group has been active since at least 2023 and that access to attacker-controlled accounts — obtained via credentials hardcoded in Go-based backdoors — allowed them to recover commands, uploaded files and experimental activity from the group’s Slack and Discord C2 channels. The timeline in those messages provided the key behavioral clues investigators used to link the cluster to China.
A toolkit built around Go, with a C++ outlier
GopherWhisper’s toolset, as reconstructed by ESET, is dominated by Go-based components but includes a purpose-built C++ backdoor. The main pieces named by the company are:
- LaxGopher — a Go backdoor first detected by ESET in January 2025; it retrieves commands from a private Slack server, executes them through the Command Prompt and can download new payloads.
- RatGopher — a Go backdoor that uses a private Discord server for command-and-control, executing commands and posting results back to a configured channel.
- BoxOfFriends — a Go backdoor that leverages Microsoft 365 Outlook via the Microsoft Graph API to create and modify draft emails for C2 communication.
- SSLORDoor — a C++ backdoor using OpenSSL BIO over raw sockets on port 443; it is capable of executing commands, performing file operations (read, write, delete, upload) and enumerating drives.
- JabGopher — an injector that launches svchost.exe and injects the LaxGopher backdoor (disguised as whisper.dll) into memory.
- FriendDelivery — a malicious DLL loader/injector that executes the BoxOfFriends backdoor.
- CompactGopher — a Go-based collection tool that compresses data from the command line and exfiltrates it to the file-sharing service file.io.
Blending bespoke malware with mainstream collaboration tools
What distinguishes GopherWhisper is not only the custom code but how that code leans on legitimate platforms for C2 and exfiltration. ESET found Slack, Discord and Microsoft 365 Outlook (via the Graph API) used as covert channels, and CompactGopher’s uploads routed to the file.io service. Because those platforms are normal parts of many organizations’ workflows, the attacks mixed bespoke and commodity services in ways that complicate detection and attribution.
Targets, scale and the evidence behind attribution
ESET’s telemetry indicates GopherWhisper compromised 12 systems inside a Mongolian government institution. The recovered Slack and Discord traffic, however, points to “dozens of other victims,” though researchers said they lack visibility into those victims’ locations and sectors. Timezone and locale metadata strengthened ESET’s assessment linking the group to China: Slack commands were issued mostly between 12 a.m. and 12 p.m. UTC and Discord commands between 12 a.m. and 2 p.m. UTC, and when timestamps are converted to UTC+8 — matching a “locale zh-CN” found in Slack metadata — activity concentrates within an approximate 8 a.m. to 5 p.m. working window.
What this means for technologists, policymakers, and the Mongolian government
- Technologists and security teams: expect adversaries to mix custom Go implants with legitimate cloud and collaboration APIs; ESET’s recovery of hardcoded credentials and C2 artefacts underlines the value of hunting for atypical uses of Slack/Discord channels and draft-email manipulation via the Microsoft Graph API.
- Policymakers and regulators: the case ties a state-backed cluster to government-targeted intrusions and to abuse of cross-border commercial services, raising questions about inter-jurisdictional access to forensic data and defensive information sharing.
- The Mongolian government and other affected institutions: ESET’s telemetry shows at least 12 systems breached in one Mongolian government institution and indicates there are further victims; the organization-specific compromise highlights the operational impact when bespoke implants and mainstream services are combined.
ESET has published a set of indicators of compromise to help defenders identify and block activity tied to this new cluster. The report presents a compact portrait: a Go-heavy toolkit, creative use of collaboration platforms, and a small, attributable footprint that nonetheless appears to touch “dozens” of victims beyond the Mongolian target.
The most striking detail may be procedural rather than technical: the attackers left a retrievable breadcrumb trail inside the very services they used for clandestine control. That slip allowed researchers to map hours of activity, recover payloads and construct a catalog of tooling that will shape detection and response for teams confronting similar techniques. For defenders and decision-makers, the next practical step is the one ESET already took — convert recovered artifacts and timelines into concrete IoCs and visibility rules for Slack, Discord, Microsoft Graph API usage and file.io uploads, and apply them where those services are permitted.
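The "visibility rules" recommended here, and the hunting advice for security teams in the list above, come down to one question: which processes on an endpoint are talking to Slack, Discord, the Graph mail endpoints and file.io, and are they the ones you expect? The script below is an added example, not part of ESET's report or its published indicators. The event records, host names and process names are constructed; the per-destination allow-lists are assumptions an organization would tune to its own sanctioned clients, and the path pattern for Graph mail traffic is a hypothetical narrowing rather than a documented detection signature.

```python
import json
from fnmatch import fnmatch

# Constructed endpoint network events in a hypothetical EDR export format.
# None of these records are telemetry from the report.
SAMPLE_EVENTS = [
    '{"ts":"2025-01-14T03:02:11Z","host":"WS-07","process":"chrome.exe","dest":"slack.com","path":"/api/conversations.history"}',
    '{"ts":"2025-01-14T03:02:40Z","host":"WS-07","process":"svchost.exe","dest":"slack.com","path":"/api/conversations.history"}',
    '{"ts":"2025-01-14T03:05:02Z","host":"WS-11","process":"Discord.exe","dest":"discord.com","path":"/api/v10/channels/1234/messages"}',
    '{"ts":"2025-01-14T03:06:19Z","host":"WS-11","process":"updater.exe","dest":"discord.com","path":"/api/v10/channels/1234/messages"}',
    '{"ts":"2025-01-14T03:09:55Z","host":"WS-02","process":"outlook.exe","dest":"graph.microsoft.com","path":"/v1.0/me/messages"}',
    '{"ts":"2025-01-14T03:10:30Z","host":"WS-02","process":"rundll32.exe","dest":"graph.microsoft.com","path":"/v1.0/me/mailFolders/drafts/messages"}',
    '{"ts":"2025-01-14T03:12:01Z","host":"WS-02","process":"collect.exe","dest":"file.io","path":"/"}',
    '{"ts":"2025-01-14T03:14:44Z","host":"WS-02","process":"msedge.exe","dest":"file.io","path":"/"}',
]

# Assumed rule table: destinations worth watching and the processes an
# organization sanctions for each. Tune the allow-lists to your environment.
RULES = {
    "slack.com": {
        "name": "slack-api-from-unexpected-process",
        "allowed": ["slack.exe", "chrome.exe", "msedge.exe", "firefox.exe"],
    },
    "discord.com": {
        "name": "discord-api-from-unexpected-process",
        "allowed": ["discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"],
    },
    "graph.microsoft.com": {
        "name": "graph-mail-from-unexpected-process",
        "allowed": ["outlook.exe", "ms-teams.exe", "chrome.exe", "msedge.exe"],
        # Hypothetical narrowing: only mail/draft message paths, not all Graph calls.
        "path_glob": "*/messages*",
    },
    "file.io": {
        "name": "file-io-upload",
        "allowed": [],  # no sanctioned use assumed: any process triggers an alert
    },
}


def evaluate(event):
    """Return an alert dict for one event, or None if it matches no rule."""
    rule = RULES.get(event["dest"].lower())
    if rule is None:
        return None
    glob = rule.get("path_glob")
    if glob and not fnmatch(event["path"], glob):
        return None
    if event["process"].lower() in {p.lower() for p in rule["allowed"]}:
        return None
    return {
        "rule": rule["name"],
        "ts": event["ts"],
        "host": event["host"],
        "process": event["process"],
        "dest": event["dest"],
        "path": event["path"],
    }


def scan(lines):
    """Parse JSON event lines and collect alerts in input order."""
    alerts = []
    for line in lines:
        alert = evaluate(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f'{a["ts"]} {a["host"]} {a["rule"]}: {a["process"]} -> {a["dest"]}{a["path"]}')
```

Run against the sample, the rules stay quiet for the browser and official-client traffic and raise alerts for the system-process and unknown-binary connections, including the svchost.exe-to-Slack case that mirrors the injector behaviour described for JabGopher. Process-based allow-listing is deliberately coarse: an implant injected into a sanctioned process slips past it, so in practice it belongs alongside the report's published hash and infrastructure IoCs rather than in place of them.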