Chinese Nation‑State “GopherWhisper” Embeds Hard‑Coded C2 Credentials in Go‑Based Backdoors, Exposes Government Agencies
What Happened — ESET researchers identified a previously unknown Chinese state‑sponsored group, dubbed GopherWhisper, that hard‑coded command‑and‑control (C2) credentials into Go backdoors (RatGopher, LaxGopher). The group used Slack, Discord, Microsoft Office and file.io for C2 and exfiltration. Because the credentials were recoverable from the binaries, the group's activity on those services left extensive logs that revealed its tooling and operational patterns.
Why It Matters for TPRM —
- Hard‑coded credentials can be extracted from any copy of a binary; in third‑party software and integrations they give an attacker a reusable foothold and raise the risk of lateral movement across third‑party environments.
- Use of popular SaaS platforms (Slack, Discord, Office 365) as C2 channels blends in with legitimate API traffic and can bypass traditional network‑perimeter controls that allow‑list those services.
- The campaign targeted a Mongolian government agency, highlighting the exposure of public‑sector supply chains to nation‑state espionage.
Who Is Affected — Government and public‑sector entities, especially those that integrate SaaS collaboration tools and outsource IT services to MSPs.
Recommended Actions —
- Audit all third‑party SaaS accounts (Slack, Discord, Office 365 workspaces, file‑sharing services) for anomalous usage, such as bot tokens or webhooks not tied to an approved integration, and enforce MFA.
- Conduct credential hygiene reviews; replace any hard‑coded secrets in custom integrations with secrets loaded from a vault or the environment at runtime, and scan build artifacts for embedded tokens.
- Verify that MSPs and MSSPs apply strict logging, log‑retention, and monitoring of outbound traffic to collaboration and file‑sharing services, since C2 over SaaS appears only as API calls to legitimate domains.
Technical Notes — The backdoors are written in Go and contain static (hard‑coded) C2 usernames/passwords. Communication occurs over Slack, Discord and Microsoft Office APIs, with file.io used for data exfiltration. No specific CVE is referenced; the risk stems from insecure development practices and abuse of legitimate cloud services rather than from a software vulnerability in the targeted systems. Source: DataBreachToday
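The credential‑hygiene action above and the technical notes share one practical check: Go binaries keep string literals in cleartext, so hard‑coded SaaS tokens and C2 URLs can be found with a pattern scan of the raw bytes, whether the binary is a suspected backdoor or a vendor‑supplied integration. The following Go program is an added example written for this page, not code from ESET or from the GopherWhisper toolset. The token and URL regexes are this example's assumptions about the shape of Slack tokens, Discord webhooks and bot tokens, and file.io URLs, not indicators from the report; the sample "binary" is constructed inline and the secrets in it are fabricated.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Finding is one hard-coded SaaS credential or C2 endpoint located in a binary.
type Finding struct {
	Kind   string // indicator class, e.g. "slack_token"
	Value  string // the matched string (treat as a live secret; redact before logging)
	Offset int    // byte offset in the scanned data
}

// indicators are string-literal patterns for the SaaS services named in the
// report (Slack, Discord, file.io). The regexes are this example's assumptions
// about token and URL shapes, not indicators published by ESET.
var indicators = map[string]*regexp.Regexp{
	"slack_token":     regexp.MustCompile(`xox[abpr]-[0-9A-Za-z-]{10,}`),
	"discord_webhook": regexp.MustCompile(`https://discord(?:app)?\.com/api/webhooks/[0-9]+/[A-Za-z0-9_-]+`),
	"discord_token":   regexp.MustCompile(`[MN][A-Za-z0-9_-]{23,}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27,}`),
	"fileio_url":      regexp.MustCompile(`https://file\.io(?:/[A-Za-z0-9]*)?`),
}

// ScanForIndicators runs every pattern over the raw bytes of a binary (Go
// keeps string literals in cleartext in .rodata, so no disassembly is needed)
// and returns the matches ordered by offset.
func ScanForIndicators(data []byte) []Finding {
	var out []Finding
	for kind, re := range indicators {
		for _, loc := range re.FindAllIndex(data, -1) {
			out = append(out, Finding{Kind: kind, Value: string(data[loc[0]:loc[1]]), Offset: loc[0]})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Offset < out[j].Offset })
	return out
}

// Redact masks a secret for safe inclusion in reports or SIEM events: the
// finding proves the credential exists, but the full value must not be copied
// into logs that other third parties can read.
func Redact(s string) string {
	if len(s) <= 10 {
		return "****"
	}
	return s[:6] + "..." + s[len(s)-4:]
}

// sampleBinary is a constructed stand-in for a stripped Go backdoor: opaque
// bytes interleaved with NUL-terminated string literals. It is not a real
// sample, and every token in it is fabricated.
var sampleBinary = []byte("\x7fELF\x02\x01\x01\x00\x00\x00" +
	"runtime.main\x00" +
	"xoxb-123456789012-abcdefghijklmnop\x00" +
	"\x90\x90\xcc" +
	"https://discord.com/api/webhooks/1234567890/AbCdEfGh_ijk-LMN\x00" +
	"MTIzNDU2Nzg5MDEyMzQ1Njc4OTA.AbCdEf.abcdefghijklmnopqrstuvwxyz0\x00" +
	"https://file.io\x00" +
	"net/http.(*Client).Do\x00")

func main() {
	// In practice read the file with os.ReadFile and pass its bytes here.
	for _, f := range ScanForIndicators(sampleBinary) {
		fmt.Printf("0x%06x %-16s %s\n", f.Offset, f.Kind, Redact(f.Value))
	}
}
```

The scan is deliberately unaware of file format: it works on stripped, UPX‑unpacked or partially corrupted binaries and on configuration blobs alike. A hit on a vendor‑supplied integration is a finding for the credential‑hygiene review; a hit on an unknown binary is a C2 indicator, and the extracted value should be used to hunt for the same token or webhook in SaaS audit logs, not pasted into a ticket in full.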