GopherWhisper APT Group Hides Command‑and‑Control Traffic in Slack, Discord, Outlook Drafts, and file.io
What Happened – Researchers at ESET identified a China‑aligned advanced‑persistent‑threat (APT) group, dubbed GopherWhisper, that runs its command‑and‑control (C2) infrastructure through everyday collaboration services—private Slack workspaces, Discord servers, Outlook draft messages, and the file.io file‑sharing service. The group’s Go‑based backdoors (LaxGopher, RatGopher, BoxOfFriends) and a C++ backdoor (SSLORDoor) pull instructions from these platforms and exfiltrate data via file.io.
Why It Matters for TPRM –
- Legitimate SaaS collaboration tools can be weaponised, bypassing traditional network‑perimeter detections.
- Third‑party risk assessments must include monitoring of cloud‑based communication platforms for anomalous API usage.
- Compromise of a vendor’s collaboration environment can provide attackers indirect access to multiple client organisations.
Who Is Affected – Government agencies, enterprises that rely on Slack, Discord, Microsoft 365 (Outlook), and any organisation that uses file.io for file exchange.
Recommended Actions –
- Review contracts and security questionnaires for SaaS collaboration providers; require logging of API token usage.
- Enforce strict least‑privilege access for integration tokens and rotate them regularly.
- Deploy user and entity behaviour analytics (UEBA) or data loss prevention (DLP) solutions that can flag atypical file‑sharing or messaging patterns on these platforms.
Technical Notes – The C2 chain leverages legitimate APIs: Slack and Discord bot tokens for command retrieval, Microsoft Graph API for Outlook draft manipulation, and file.io for exfiltration of packaged data. No public CVEs are involved; the threat relies on abuse of trusted services.
Source: Help Net Security
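Two of the behaviours described in the Technical Notes (a token polling a channel on a scripted cadence, and Outlook drafts created and deleted without ever being sent) are detectable in platform audit logs. The following is an added illustration, not code from ESET or from the report; the event tuple shape and the action names are simplified assumptions rather than any vendor's real schema, and the log records are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample audit events (not real logs): (timestamp_s, actor, action, target).
# Action names are an assumed, vendor-neutral vocabulary for this example only.
EVENTS = (
    # bot token reading one channel at a near-fixed 60 s cadence (beacon-like)
    [(t, "xoxb-bot-A", "read_channel", "C-ops") for t in (0, 61, 119, 181, 240, 299, 362, 420)]
    # analyst reading channels at human, irregular times
    + [(5, "alice", "read_channel", "C-ops"), (700, "alice", "read_channel", "C-dev"),
       (3100, "alice", "read_channel", "C-ops")]
    # mailbox whose drafts are created and deleted but never sent (dead-drop pattern)
    + [(10, "svc@example.com", "draft_create", "d1"), (70, "svc@example.com", "draft_delete", "d1"),
       (130, "svc@example.com", "draft_create", "d2"), (190, "svc@example.com", "draft_delete", "d2"),
       (250, "svc@example.com", "draft_create", "d3"), (310, "svc@example.com", "draft_delete", "d3")]
    # normal user: one draft, later sent
    + [(20, "bob@example.com", "draft_create", "d9"), (400, "bob@example.com", "send", "d9")]
)

def find_beaconing(events, min_polls=6, max_jitter=0.2):
    """Return actors whose channel reads recur at a near-constant interval.
    A low coefficient of variation of the inter-arrival gaps points to a scripted
    poller rather than a person; an integration token doing this deserves review."""
    by_actor = defaultdict(list)
    for ts, actor, action, _ in events:
        if action == "read_channel":
            by_actor[actor].append(ts)
    flagged = []
    for actor, stamps in by_actor.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_polls and gaps and pstdev(gaps) / mean(gaps) <= max_jitter:
            flagged.append(actor)
    return sorted(flagged)

def find_draft_dead_drops(events, min_churn=3):
    """Return mailboxes with at least min_churn drafts that were created and then
    deleted without ever being sent: a draft used as a message relay looks like this."""
    created, sent, deleted = defaultdict(set), defaultdict(set), defaultdict(set)
    for _, actor, action, item in events:
        if action == "draft_create": created[actor].add(item)
        elif action == "send": sent[actor].add(item)
        elif action == "draft_delete": deleted[actor].add(item)
    return sorted(m for m in created
                  if len((created[m] & deleted[m]) - sent[m]) >= min_churn)

if __name__ == "__main__":
    print("beacon-like pollers:", find_beaconing(EVENTS))
    print("draft dead-drop candidates:", find_draft_dead_drops(EVENTS))
```

On real data the same heuristics apply to Slack or Discord audit/API logs and to Microsoft 365 mailbox audit records once the fields are mapped onto the tuple shape above; thresholds should be tuned against a baseline of legitimate integrations.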