APT Group GopherWhisper Leverages Outlook, Slack, and Discord for C2 Against Government Entities

GopherWhisper, a China‑linked APT, is weaponising Microsoft 365 Outlook, Slack, and Discord as command‑and‑control channels to target government agencies. The group deploys multiple Go‑based backdoors and exfiltrates data via file.io, highlighting the risk of compromised third‑party SaaS credentials for TPRM.

🛡️ LiveThreat™ Intelligence · 📅 April 23, 2026 · 📰 bleepingcomputer.com

  • Severity: High
  • Type: ThreatIntel
  • Confidence: High
  • Affected: 2 sector(s)
  • Actions: 3 recommended
  • Source: bleepingcomputer.com

What Happened – A previously undocumented, China‑linked APT group dubbed GopherWhisper has been using a custom Go‑based toolkit that abuses legitimate SaaS platforms—Microsoft 365 Outlook, Slack, and Discord—for command‑and‑control (C2) communications. The campaign, uncovered by ESET, targets government bodies (e.g., a Mongolian agency) and employs multiple backdoors (LaxGopher, RatGopher, BoxOfFriends, etc.) that retrieve commands from private channels and exfiltrate data via file.io.

Why It Matters for TPRM

  • Third‑party SaaS services can be weaponised as covert C2 channels, bypassing traditional network‑perimeter detections.
  • Hard‑coded credentials in the malware give attackers persistent access to vendor platforms, exposing any downstream supply‑chain relationships.
  • Government‑level targeting signals a high‑risk threat landscape for any organisation that relies on the same collaboration tools.

Who Is Affected – Government and public‑sector organisations; any entity that uses Microsoft 365 Outlook, Slack, or Discord for internal communications and may be exposed to compromised third‑party accounts.

Recommended Actions

  • Review and rotate all service‑account credentials for Outlook, Slack, and Discord; enforce MFA where possible.
  • Implement strict monitoring of outbound traffic to SaaS APIs and enforce least‑privilege scopes for service accounts.
  • Conduct a supply‑chain risk assessment of any third‑party integrations that could be leveraged for C2.

Technical Notes – The toolkit consists of Go‑based backdoors (LaxGopher, RatGopher, BoxOfFriends) and a C++ socket backdoor (SSLORDoor). C2 is conducted via Microsoft Graph API (draft‑email manipulation), private Slack workspaces, and Discord channels. Exfiltration uses the public file‑sharing service file.io. Researchers recovered >6,000 Slack messages and >3,000 Discord messages, confirming the use of hard‑coded credentials and linking the actors to China. Source: BleepingComputer
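The Recommended Actions call for monitoring outbound traffic to SaaS APIs, and the Technical Notes describe the chain this campaign follows: commands pulled from Outlook drafts, Slack, or Discord, data pushed out through file.io. The script below is an added example, not code from the brief, ESET, or BleepingComputer, showing how that chain can be surfaced from web-proxy logs. The domains (graph.microsoft.com, slack.com, discord.com, file.io) come from the brief; the log format, host names, sample lines, sanctioned-client user-agent fragments and severity weights are assumptions constructed for the demonstration.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample web-proxy log lines (not real telemetry).
# Fields: timestamp host method url user-agent (user-agent is the remainder of the line).
SAMPLE_LOG = """\
2026-04-23T08:01:02Z ws-017 POST https://graph.microsoft.com/v1.0/me/messages Mozilla/5.0 (Windows NT 10.0) Outlook/16.0
2026-04-23T08:01:40Z ws-017 GET https://graph.microsoft.com/v1.0/me/mailFolders/drafts/messages Go-http-client/1.1
2026-04-23T08:02:10Z ws-017 PATCH https://graph.microsoft.com/v1.0/me/messages/AAMk-PLACEHOLDER Go-http-client/1.1
2026-04-23T08:03:00Z ws-017 POST https://file.io/ Go-http-client/1.1
2026-04-23T08:04:11Z ws-022 GET https://slack.com/api/conversations.history Go-http-client/1.1
2026-04-23T08:05:00Z ws-031 GET https://discord.com/api/v10/channels/000/messages Go-http-client/1.1
2026-04-23T08:06:00Z ws-040 GET https://slack.com/api/conversations.history Mozilla/5.0 Slack/4.36
2026-04-23T08:07:00Z ws-040 GET https://www.example.gov/intranet Mozilla/5.0 (Windows NT 10.0)
"""

# Services the brief names: file.io for exfiltration, Graph/Slack/Discord for C2.
FILE_SHARE_DOMAINS = {"file.io"}
C2_API_DOMAINS = {"graph.microsoft.com", "slack.com", "discord.com"}

# Assumption: user-agent fragments of the sanctioned clients in this estate.
# Tune per environment; a bare Go HTTP client talking to these APIs is the signal.
EXPECTED_UA_FRAGMENTS = ("Outlook/", "Slack/", "Mozilla/")

SEVERITY_WEIGHT = {"high": 3, "medium": 2}  # assumed weights for triage ranking


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    rule: str
    severity: str
    url: str


def _is_expected_client(ua: str) -> bool:
    return any(fragment in ua for fragment in EXPECTED_UA_FRAGMENTS)


def classify(ts: str, host: str, method: str, url: str, ua: str) -> Finding | None:
    """Apply the brief's three indicators to one request; None means no match."""
    parts = urlsplit(url)
    domain, path = parts.hostname or "", parts.path
    if domain in FILE_SHARE_DOMAINS:
        # Any upload to the public file-share named in the brief is worth triage
        # regardless of client, because most estates have no business use for it.
        return Finding(ts, host, "file_share_upload", "high", url)
    if domain not in C2_API_DOMAINS or _is_expected_client(ua):
        return None
    if domain == "graph.microsoft.com" and "/messages" in path:
        # Mailbox/draft access from a non-mail client: the draft dead-drop pattern.
        return Finding(ts, host, "graph_draft_access", "medium", url)
    if domain in ("slack.com", "discord.com"):
        return Finding(ts, host, "saas_api_nonclient_ua", "medium", url)
    return None


def analyze(log_text: str) -> list[Finding]:
    findings = []
    for line in log_text.splitlines():
        fields = line.split(" ", 4)
        if len(fields) != 5:
            continue  # malformed line; a real pipeline would count these
        finding = classify(*fields)
        if finding:
            findings.append(finding)
    return findings


def triage_order(findings: list[Finding]) -> list[tuple[str, int]]:
    """Hosts ranked by summed severity weight, most urgent first."""
    scores: dict[str, int] = defaultdict(int)
    for f in findings:
        scores[f.host] += SEVERITY_WEIGHT[f.severity]
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def correlated_hosts(findings: list[Finding]) -> set[str]:
    """Hosts showing both a C2-channel indicator and the exfil indicator,
    i.e. the full chain the brief describes (fetch commands, push data out)."""
    by_host: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.rule)
    return {h for h, rules in by_host.items()
            if "file_share_upload" in rules
            and rules & {"graph_draft_access", "saas_api_nonclient_ua"}}


if __name__ == "__main__":
    fs = analyze(SAMPLE_LOG)
    for f in fs:
        print(f"{f.ts} {f.host} {f.severity:<6} {f.rule:<22} {f.url}")
    print("triage order:", triage_order(fs))
    print("full-chain hosts:", sorted(correlated_hosts(fs)))
```

Two caveats on using this in practice. The user-agent check is a weak signal on its own, since a backdoor can present any string it likes, which is why the correlation step (a host that both reads mailbox drafts from a non-mail client and uploads to file.io) is the finding to act on first. The Graph path rule also only works where the proxy performs TLS inspection; with SNI-only visibility you see graph.microsoft.com but not the draft endpoint, and the tenant-side audit logs for Microsoft 365, Slack and Discord become the better source for the draft-manipulation and channel-read activity the brief describes.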

📰 Original Source
https://www.bleepingcomputer.com/news/security/new-gopherwhisper-apt-group-abuses-outlook-slack-discord-for-comms/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
