Hackers Use Outlook, Slack, and Discord to Quietly Steal Data

24.04.2026 3 minutes Author: Newsman

A new APT group, GopherWhisper, is using legitimate services like Outlook, Slack, and Discord to orchestrate attacks and collect data. The campaign is targeting government entities and has already compromised dozens of targets.

The group has likely been active since at least 2023.

The hackers are suspected to be based in China. Researchers also believe there could be a dozen or more victims of this campaign.

ESET researchers have published a detailed description of the group’s activities. A confirmed victim was a government agency based in Mongolia. The hackers loaded a full range of different malware onto the network and installed many backdoors. They managed the backdoors through common applications and services such as the Microsoft Graph API, Slack and Discord, so the command-and-control traffic appears legitimate.

One feature of GopherWhisper’s data collection is that stolen data is compressed before being uploaded to the file.io service, which makes it harder to identify what is leaving the network.

Researchers identified the first tool developed by GopherWhisper, the LaxGopher backdoor, when they reviewed logs in early January 2025. LaxGopher is a Go-based backdoor that communicates through Slack, runs commands entered into Slack, and can also run additional modules from the command-line interface.

Review of additional log entries showed that LaxGopher is just one component of a complete suite of tools used by the group. The suite includes the following:

  • RatGopher – a Discord-based RAT that sends back the results of each command entered into Discord;
  • BoxOfFriends – uses Outlook and Microsoft Graph to exchange encrypted email drafts with the operators (in addition to other channels);
  • SSLORDoor – a C++-based backdoor that communicates over port 443 and provides both file management and system management capabilities;
  • JabGopher – an injector that launches a new svchost.exe process and injects malicious code directly into its memory;
  • FriendDelivery – a DLL loader for loading the other components;
  • CompactGopher – a data collection and compression tool that sends stolen data off to file.io.

All of these tools appear to operate as typical user activity would.
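As an added example, not code from the article or from ESET’s report, the following Python hunt runs over constructed proxy/EDR telemetry and flags the pattern the tool list describes from a defender’s side: Slack, Discord or Microsoft Graph APIs reached from a process that is not the normal client, combined with POST uploads to file.io. The log format, hostnames, process allow-list and byte counts are assumptions made for this example.

```python
import re
from collections import defaultdict

# Services the article names as C2 channels, and the exfil drop site.
C2_DOMAINS = {"slack.com": "Slack", "discord.com": "Discord", "graph.microsoft.com": "Microsoft Graph"}
EXFIL_DOMAINS = {"file.io"}
# Binaries expected to talk to those services (assumed allow-list; tune per estate).
EXPECTED_CLIENTS = {"slack.exe", "discord.exe", "outlook.exe", "teams.exe", "chrome.exe", "msedge.exe"}

def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' (assumed format) into a dict; None if fields are missing."""
    rec = dict(re.findall(r"(\w+)=(\S+)", line))
    return rec if {"host", "proc", "dst"} <= rec.keys() else None

def analyze(lines):
    """Return {host: finding} for hosts showing covert C2 over a legitimate service and/or file.io exfil."""
    per_host = defaultdict(lambda: {"c2": set(), "exfil_bytes": 0, "procs": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed telemetry is skipped, not trusted
        proc, dst = rec["proc"].lower(), rec["dst"].lower()
        h = per_host[rec["host"]]
        if dst in C2_DOMAINS and proc not in EXPECTED_CLIENTS:
            h["c2"].add(C2_DOMAINS[dst])  # legitimate service, unexpected client binary
            h["procs"].add(proc)
        elif dst in EXFIL_DOMAINS and rec.get("method", "GET").upper() == "POST":
            h["exfil_bytes"] += int(rec.get("bytes_out", 0))
            h["procs"].add(proc)
    findings = {}
    for host, h in per_host.items():
        if h["c2"] or h["exfil_bytes"]:
            sev = "high" if h["c2"] and h["exfil_bytes"] else "medium"
            findings[host] = {"severity": sev, "c2": sorted(h["c2"]),
                              "exfil_bytes": h["exfil_bytes"], "procs": sorted(h["procs"])}
    return findings

# Constructed sample telemetry (hostnames, paths and sizes are made up, not real IoCs).
SAMPLE_LOG = """\
2025-01-08T09:14:02Z host=WS-042 proc=svchost.exe dst=slack.com path=/api/conversations.history method=GET bytes_out=310
2025-01-08T09:14:40Z host=WS-042 proc=svchost.exe dst=graph.microsoft.com path=/v1.0/me/messages method=POST bytes_out=2048
2025-01-08T09:20:11Z host=WS-042 proc=svchost.exe dst=file.io path=/ method=POST bytes_out=5242880
2025-01-08T10:02:55Z host=WS-007 proc=slack.exe dst=slack.com path=/api/conversations.history method=GET bytes_out=300
2025-01-08T10:05:13Z host=WS-019 proc=updater.exe dst=discord.com path=/api/v10/channels/1/messages method=GET bytes_out=220
garbage line without fields
""".splitlines()

if __name__ == "__main__":
    for host, finding in analyze(SAMPLE_LOG).items():
        print(host, finding)
```

WS-042 is rated high because the same unexpected binary both beacons over collaboration APIs and uploads to file.io; a host whose official client talks to Slack (WS-007) is not flagged.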

It is interesting to note that researchers were able to gain access to the attackers’ Slack and Discord accounts because their login credentials had been embedded into the source code of the backdoor.

Because researchers gained access to the attackers’ accounts, they were able to restore the attackers’ communications channels and review thousands of messages exchanged between the attackers.

“Upon analyzing our capture we saw a total of 6,044 messages exchanged on Slack… as well as 3,005 messages exchanged on Discord,” according to ESET’s report detailing the research.

Analysis of those messages allowed researchers to narrow down the geographical origin of the attacks. Timestamps associated with the activity correlated with working days in the UTC+8 time zone, and most of the activity occurred within typical business hours once the time zone was accounted for. These factors point towards a possible Chinese origin for the attack.

At least twelve systems in one government agency in Mongolia were compromised in a single attack; however, researchers believe that the actual number of victims could be significantly greater.
