A previously undocumented state-backed threat actor named GopherWhisper is using a Go-based custom toolkit and legitimate services like Microsoft 365 Outlook, Slack, and Discord in attacks against government entities.

BleepingComputer

A newly identified Chinese state-backed APT group called GopherWhisper has been targeting government entities using a Go-based malware toolkit. The group abuses legitimate services — Slack, Discord, and Microsoft 365 Outlook via the Graph API — for command-and-control communications, making detection harder. ESET researchers discovered multiple backdoors (LaxGopher, RatGopher, BoxOfFriends, SSLORDoor) and support tools, and were able to access attacker accounts due to hardcoded credentials in the malware. Analysis of C2 traffic timestamps and locale metadata strongly links the group to China. At least 12 systems in a Mongolian government institution were confirmed compromised, with dozens of additional victims suspected. ESET has published indicators of compromise to aid defenders.

New GopherWhisper APT group abuses Outlook, Slack, Discord for comms