7 Ways GopherWhisper APT Group Abuses Outlook and Slack

Imagine a security analyst sitting in a modern Security Operations Center, staring at a dashboard filled with green lights. The network traffic looks perfectly healthy. There are no suspicious connections to unknown IP addresses in Eastern Europe or strange spikes in encrypted traffic to rogue domains. Everything looks normal because the malicious activity is happening exactly where it is supposed to: inside Microsoft 365, Slack, and Discord. This is the new reality of sophisticated cyber espionage, where attackers no longer build their own noisy infrastructure but instead hide in plain sight by hijacking the very tools that employees use to collaborate every day.


The Rise of the GopherWhisper APT Group

A sophisticated and previously undocumented threat actor, identified as the gopherwhisper apt group, has fundamentally changed the playbook for stealthy command-and-control operations. Unlike traditional hackers who might set up a dedicated server to send instructions to infected computers, this group utilizes a “living off the land” strategy on a massive scale. By leveraging legitimate cloud-based APIs and communication platforms, they can blend their malicious instructions into the massive sea of legitimate business traffic that flows through modern enterprises.

This group has been active since at least 2023, leaving a trail of compromised systems across various sectors. One of the most significant recent discoveries involved a campaign targeting a government entity in Mongolia, where telemetry indicated that at least 12 systems were breached. However, deeper analysis of the communication channels used by the attackers suggests that the scope is much larger, with dozens of other victims potentially falling prey to their highly specialized toolset. This group is not a collection of amateur script kiddies; they are a well-organized, state-backed entity, likely operating out of China, as evidenced by their working hours and metadata.

What makes the gopherwhisper apt group particularly dangerous is their reliance on Go-based programming. The Go language, or Golang, is increasingly popular among developers for its efficiency and ability to compile into single, portable binaries. For a threat actor, this means they can create highly effective, cross-platform malware that is difficult for traditional antivirus software to dissect. Their toolkit is modular, meaning they have different “tools for different jobs,” allowing them to pivot their tactics depending on the specific environment they have infiltrated.

1. Hijacking Slack for Stealthy Command Execution

One of the primary methods used by this group involves the use of Slack, a platform that most modern companies rely on for daily communication. They utilize a specific backdoor known as LaxGopher to turn a legitimate chat environment into a remote control center.

LaxGopher is a custom-built tool written in Go that connects to a private Slack server controlled by the attackers. Instead of reaching out to a suspicious command-and-control server, the malware simply “listens” to specific channels in Slack. When the attacker types a command into the Slack interface, the malware retrieves that text, executes it locally on the victim’s machine via the Command Prompt, and then sends the results back to the Slack channel. To a network defender, this looks like nothing more than an employee checking their messages or a bot interacting with an API.

The sheer volume of data involved in these operations is staggering. Researchers have analyzed over 6,000 Slack messages used in these campaigns, revealing a highly organized workflow. This method effectively bypasses many perimeter defenses because the traffic is encrypted and directed toward a trusted, high-reputation domain. If your company uses Slack, seeing traffic going to Slack’s servers is considered “business as usual,” which is exactly the loophole the attackers are exploiting.

How to Defend Against Slack-Based C2

To combat this, organizations should move beyond simple domain blocking. Instead, focus on API monitoring and behavioral analysis. Implement strict controls on which applications are allowed to integrate with your Slack workspace. Use Cloud Access Security Brokers (CASBs) to monitor for unusual API calls or patterns that suggest a non-human entity is interacting with your workspace in a repetitive, command-like manner. Furthermore, monitoring for the presence of unexpected DLLs, such as the whisper.dll used by the JabGopher injector, can help identify the infection before it establishes a foothold.

2. Using Discord as a Resilient Command Channel

While Slack is a staple of the corporate world, Discord is ubiquitous in many other circles and is often permitted in enterprise environments for “informal” communication. The gopherwhisper apt group exploits this by deploying another Go-based backdoor called RatGopher.

RatGopher functions similarly to its Slack-based counterpart but utilizes Discord servers for its command-and-control needs. The attackers use Discord’s robust API to send instructions and receive exfiltrated data. This is particularly effective because Discord is a massive, globally distributed service. Blocking Discord entirely might be impossible for some organizations, and even if it is blocked, the attackers can use the highly distributed nature of the platform to make their traffic appear fragmented and non-threatening.

The sophistication here lies in the automation. The attackers can post results back to configured channels, essentially creating a real-time dashboard of their progress within a victim’s network. This allows them to manage multiple compromised systems simultaneously from a single, centralized chat interface. Because Discord traffic is ubiquitous, finding the needle of a malicious command in the haystack of legitimate chat messages is an immense challenge for even the most advanced security teams.

Mitigating Discord-Based Threats

The best defense against Discord-based backdoors is a combination of endpoint detection and response (EDR) and strict application whitelisting. Since RatGopher is a Go-based tool, it will likely leave specific footprints in memory. EDR tools should be configured to flag suspicious processes that initiate network connections to Discord’s API, especially if those processes are not recognized chat applications. Additionally, restricting the ability of users to install unapproved messaging software can significantly reduce the attack surface.

3. Manipulating Microsoft 365 Drafts via Microsoft Graph API

Perhaps the most ingenious and difficult-to-detect method used by the gopherwhisper apt group is the use of Microsoft 365 Outlook drafts. This technique involves a backdoor named BoxOfFriends, which leverages the Microsoft Graph API to communicate.

Instead of sending an actual email—which would be logged by mail servers and might trigger spam filters—the malware uses the Graph API to create or modify “draft” emails within a compromised user’s Outlook account. The attacker logs into the same account from a different location, reads the draft, extracts the command, and then writes a new draft containing the results of the previous command. This creates a closed loop of communication that never actually sends a single packet through the traditional SMTP (Simple Mail Transfer Protocol) mail routing system.

This method is incredibly difficult to detect because the “communication” never leaves the Microsoft 365 cloud environment in a way that looks like traditional network traffic. The commands are essentially sitting in a database waiting to be read. To a security professional looking at network logs, there is no “connection” to a malicious server; there is only a legitimate user (the malware) interacting with their own mailbox via a standard, authorized API.

Detecting Draft-Based Command Channels

Defending against this requires a shift toward identity and API security. Organizations must monitor for anomalous API activity within Microsoft 365. For example, if a user account is suddenly making an unusual number of “Create Draft” or “Update Draft” calls via the Graph API, especially during non-working hours, this should trigger an immediate investigation. Implementing “Least Privilege” access for API tokens and ensuring that users cannot authenticate from unexpected geographic locations can also mitigate the risk of an attacker accessing these drafts.
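An added example (not code from the original article or from any Microsoft tooling) of the draft-call monitoring described above: it counts draft create/update operations per user per hour over a constructed, simplified list of audit events and flags bursts relative to that user's own baseline, marking those that fall outside an assumed working window. The event shape, the operation names and the thresholds are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in an assumed simplified audit-event shape, not the real
# Microsoft 365 log format: (user, UTC timestamp, operation). Operation names
# are placeholders for the "Create Draft" / "Update Draft" Graph calls.
EVENTS = [
    ("alice@example.test", "2024-03-04T09:12:00Z", "Draft.Create"),
    ("alice@example.test", "2024-03-04T10:40:00Z", "Draft.Update"),
    ("alice@example.test", "2024-03-04T14:05:00Z", "Draft.Create"),
    ("bob@example.test", "2024-03-04T11:00:00Z", "Draft.Create"),
    ("bob@example.test", "2024-03-04T11:03:00Z", "Mail.Send"),
]
# A burst of 15 draft updates at 02:00 UTC, well outside alice's working hours.
EVENTS += [("alice@example.test", f"2024-03-05T02:{m:02d}:00Z", "Draft.Update")
           for m in range(0, 30, 2)]

DRAFT_OPS = {"Draft.Create", "Draft.Update"}
BUSINESS_HOURS = range(8, 18)  # assumed working window for this tenant, in UTC


def hourly_draft_counts(events):
    """Count draft create/update operations per (user, hour bucket)."""
    counts = Counter()
    for user, ts, op in events:
        if op not in DRAFT_OPS:
            continue
        hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(minute=0, second=0)
        counts[(user, hour)] += 1
    return counts


def flag_anomalies(events, min_burst=10, ratio=5.0):
    """Alert when a user's draft calls in one hour reach the larger of min_burst
    and ratio times that user's median hourly count; mark off-hours bursts."""
    per_user = defaultdict(list)
    for (user, hour), n in hourly_draft_counts(events).items():
        per_user[user].append((hour, n))
    alerts = []
    for user, buckets in per_user.items():
        threshold = max(min_burst, ratio * median(n for _, n in buckets))
        for hour, n in buckets:
            if n >= threshold:
                alerts.append({"user": user, "hour": hour.isoformat(), "count": n,
                               "off_hours": hour.hour not in BUSINESS_HOURS})
    return alerts
```

The per-user median keeps a heavy legitimate drafter from tripping the rule while still catching a quiet account that suddenly starts trading drafts with an operator.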

4. Leveraging Custom Go-Based Injectors and Loaders

The gopherwhisper apt group does not just rely on the communication channel; they also use a highly sophisticated method for deploying their malware. They use a series of specialized tools like JabGopher and FriendDelivery to ensure their backdoors are deeply embedded in the system.

JabGopher acts as an injector. Its primary job is to launch a legitimate system process, such as svchost.exe, and then inject the LaxGopher backdoor (disguised as a file named whisper.dll) directly into that process’s memory. This is a classic “fileless” malware technique. Because the malicious code is running inside a trusted Windows process, it becomes much harder for basic task managers or simple security tools to spot the intrusion.

Complementing this is FriendDelivery, a malicious DLL that acts as a loader. It is designed to facilitate the execution of the BoxOfFriends backdoor. This modularity—having a loader, an injector, and then the actual backdoor—allows the attackers to update or change one part of their toolkit without having to rewrite the entire infection chain. This level of engineering is a hallmark of a professional, well-funded threat actor.

Strengthening Endpoint Integrity

To counter these injection techniques, organizations must rely on advanced EDR solutions that perform memory scanning and behavioral monitoring. Modern EDR can detect when a process attempts to perform “remote thread injection” or when a legitimate process like svchost.exe suddenly starts behaving in a way that is inconsistent with its normal function. Furthermore, enforcing code integrity policies (such as Windows Defender Application Control) can prevent unauthorized DLLs like whisper.dll from being loaded into memory in the first place.


5. Advanced Data Exfiltration via File-Sharing Services

Once the attackers have successfully navigated a network and identified sensitive data, they need a way to get it out without raising alarms. The gopherwhisper apt group utilizes a tool called CompactGopher for this specific purpose.

CompactGopher is a Go-based utility designed to collect files from across the system, compress them to reduce their size and footprint, and then upload them to a legitimate file-sharing service called file.io. By using a service like file.io, the attackers ensure that the destination for the stolen data is a high-reputation, widely used website. If a security tool sees an upload to a known file-hosting site, it might not trigger an alert, especially if the volume of data is managed carefully to avoid “bursty” traffic patterns.

This tactic effectively turns a standard business utility into a tool for espionage. The use of compression also serves a dual purpose: it makes the data transfer faster and helps hide the true nature of the files being exfiltrated. A large, uncompressed database might look suspicious, but a single, encrypted, compressed archive being sent to a common web service is much easier to hide.

Preventing Data Exfiltration

Preventing this requires a robust Data Loss Prevention (DLP) strategy. Organizations should implement policies that monitor and restrict the upload of compressed archives (like .zip or .7z files) to unauthorized web domains. Additionally, monitoring for “outbound data spikes” to file-sharing sites can provide an early warning. A more advanced approach involves using SSL/TLS inspection to decrypt and inspect the contents of outgoing web traffic, allowing the DLP engine to see if sensitive data is being bundled into an upload.
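As an added example that is not the article's own code, this Python applies the two DLP checks above to constructed proxy log lines: it flags archive uploads (by content type or file extension) to hosts outside an assumed sanctioned set, and it sums outbound bytes per client and destination to catch a volume spike even when the upload is not labelled as an archive. The log format, the approved-host list and the byte threshold are assumptions; file.io is used as the destination because the article names it.

```python
import re
from collections import defaultdict

# Constructed proxy log lines in an assumed space-separated format:
# timestamp client_ip method host path bytes_out content_type
PROXY_LOG = """\
2024-03-05T01:58:10Z 10.0.0.21 GET www.example.com / 412 text/html
2024-03-05T02:01:11Z 10.0.0.21 POST file.io /upload 7340032 application/zip
2024-03-05T02:03:40Z 10.0.0.21 POST file.io /upload 9437184 application/x-7z-compressed
2024-03-05T02:06:02Z 10.0.0.21 POST file.io /upload 8388608 application/octet-stream
2024-03-05T09:15:00Z 10.0.0.33 PUT files.corp.example.test /q1/report.zip 524288 application/zip
"""

LINE_RE = re.compile(r"(\S+) (\S+) (\S+) (\S+) (\S+) (\d+) (\S+)")
ARCHIVE_TYPES = {"application/zip", "application/x-7z-compressed",
                 "application/x-rar-compressed", "application/gzip"}
ARCHIVE_EXT = (".zip", ".7z", ".rar", ".gz")
APPROVED_UPLOAD_HOSTS = {"files.corp.example.test"}  # assumed sanctioned destinations
SPIKE_BYTES = 16 * 1024 * 1024  # assumed per-client, per-host outbound threshold


def parse(log):
    """Yield one dict per well-formed log line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, host, path, nbytes, ctype = m.groups()
            yield {"ts": ts, "client": client, "method": method, "host": host,
                   "path": path, "bytes": int(nbytes), "ctype": ctype}


def is_archive(rec):
    return rec["ctype"] in ARCHIVE_TYPES or rec["path"].lower().endswith(ARCHIVE_EXT)


def detect(log):
    """Flag archive uploads to unapproved hosts and outbound volume spikes."""
    alerts, outbound = [], defaultdict(int)
    for rec in parse(log):
        if rec["method"] not in ("POST", "PUT") or rec["host"] in APPROVED_UPLOAD_HOSTS:
            continue
        outbound[(rec["client"], rec["host"])] += rec["bytes"]
        if is_archive(rec):
            alerts.append(("archive-upload-unapproved-host", rec["client"], rec["host"], rec["ts"]))
    for (client, host), total in outbound.items():
        if total >= SPIKE_BYTES:
            alerts.append(("outbound-spike", client, host, total))
    return alerts
```

The third upload is sent as application/octet-stream and so escapes the archive rule, which is why the volume rule is needed alongside it.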

6. Utilizing C++ Backdoors for Low-Level System Control

While much of the gopherwhisper apt group toolkit is written in Go, they also employ a C++ backdoor known as SSLORDoor. This demonstrates their ability to use different programming languages to achieve different levels of control.

SSLORDoor is designed for more traditional, low-level system operations. It uses OpenSSL BIO over raw sockets on port 443 to communicate. This allows it to perform a wide range of tasks, including executing commands, reading and writing files, deleting files, and enumerating entire drives. Because it operates on port 443—the standard port for HTTPS—its traffic is almost indistinguishable from standard web browsing at the network layer.

The inclusion of a C++ tool suggests that the group has members with deep expertise in systems programming. While Go is excellent for rapid development and portability, C++ allows for much tighter control over system resources and memory, which can be crucial for evading more granular detection mechanisms or for performing highly specific tasks on a target machine. This hybrid approach—using Go for the “cloud-native” parts of the attack and C++ for the “system-level” parts—makes them a multi-faceted threat.

Detecting Low-Level Backdoors

Detection for tools like SSLORDoor requires looking for anomalies in network socket behavior. Even if the traffic is on port 443, the way a raw socket is used can differ from how a standard web browser uses it. Security teams should look for processes that are initiating long-lived connections to external IPs on port 443 that do not correspond to known web services. Furthermore, monitoring for unusual file system activity, such as a single process rapidly enumerating or reading large numbers of files, can serve as a strong indicator of an active breach.
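As an added example that is not the article's own code, the following Python applies the two process-level checks from the Discord and SSLORDoor sections to constructed endpoint telemetry: a connection to a Discord domain from a process outside an assumed allowlist of chat clients, and a long-lived port 443 connection to a bare IP address from a process that is not an approved web client. The NetEvent shape, the allowlists and the duration threshold are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass
class NetEvent:
    process: str     # image name of the process that opened the socket
    dest: str        # hostname (from DNS or TLS SNI) or a bare IP literal
    port: int
    duration_s: int  # seconds the connection stayed open

# Assumed allowlists; a real deployment would derive them from its own inventory.
APPROVED_DISCORD_CLIENTS = {"discord.exe", "chrome.exe", "msedge.exe"}
APPROVED_WEB_CLIENTS = {"chrome.exe", "msedge.exe", "outlook.exe"}
DISCORD_DOMAINS = ("discord.com", "discordapp.com", "discord.gg")
LONG_LIVED_S = 600  # assumed: one 443 connection held open for 10+ minutes

def is_discord_dest(dest):
    d = dest.lower()
    return any(d == base or d.endswith("." + base) for base in DISCORD_DOMAINS)

def is_bare_ip(dest):
    try:
        ip_address(dest)
        return True
    except ValueError:
        return False

def classify(ev):
    """Label one event, or return None when it matches an approved pattern."""
    proc = ev.process.lower()
    if is_discord_dest(ev.dest) and proc not in APPROVED_DISCORD_CLIENTS:
        return "discord-api-from-unapproved-process"
    if (ev.port == 443 and is_bare_ip(ev.dest) and ev.duration_s >= LONG_LIVED_S
            and proc not in APPROVED_WEB_CLIENTS):
        return "long-lived-443-to-bare-ip"
    return None

def detect(events):
    """Return (process, dest, label) for every event that earns a label."""
    return [(ev.process, ev.dest, classify(ev)) for ev in events if classify(ev)]

# Constructed telemetry sample; 203.0.113.0/24 is a documentation address range.
SAMPLE = [
    NetEvent("discord.exe", "gateway.discord.gg", 443, 3600),
    NetEvent("svchost.exe", "discord.com", 443, 45),
    NetEvent("chrome.exe", "www.example.com", 443, 900),
    NetEvent("taskhostw.exe", "203.0.113.7", 443, 5400),
    NetEvent("outlook.exe", "203.0.113.9", 443, 7200),
]
```

The bare-IP test is what separates a raw-socket backdoor from a browser: browsers almost always resolve a name first, so a 443 session with no hostname behind it is worth a look even before the duration is considered.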

7. Exploiting Timezone and Metadata for Operational Security

A final, and perhaps most subtle, way the gopherwhisper apt group operates is through their disciplined adherence to operational security (OPSEC) and their ability to blend into specific regional working hours. This is not a “tool” in the software sense, but a tactical methodology that makes them harder to attribute and harder to catch.

Analysis of the group’s activity has shown a very clear pattern. The commands issued via Slack and Discord consistently align with working hours in the UTC+8 timezone. This suggests that the attackers are operating as a professional organization with set shifts, likely based in East Asia. By operating during these hours, they can ensure that their activity is synchronized with their command structure, but they also risk leaving a temporal fingerprint that researchers can use to link different campaigns together.

Furthermore, the metadata found within their Slack server communications—such as the “locale zh-CN” (Chinese)—provided a critical piece of the puzzle for investigators. This level of discipline shows that the group is not just trying to hide from software; they are trying to hide within the very fabric of human organizational behavior. They act like a real company, working real hours, using real tools, and following real workflows.

Learning from Attacker Patterns

For defenders, this highlights the importance of “threat hunting” based on behavioral patterns rather than just static indicators. Security teams should not only look for “what” is happening but also “when” it is happening. If a network shows a sudden increase in administrative activity or API calls during hours that are traditionally quiet for that specific region, it warrants an investigation. Understanding the “human” element of a cyberattack—the working hours, the language settings, and the organizational habits—is just as important as understanding the code itself.
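An added example, not from the original article, that turns the two behavioural ideas above into code: the CASB check from the Slack section (a "non-human entity interacting in a repetitive, command-like manner") and the working-hours fingerprint from this section. Over a constructed set of UTC timestamps for one Slack integration token it measures how machine-regular the call spacing is and finds the densest nine-hour window of activity, mapping it to a likely UTC offset. The sample data, the 60-second polling interval and the assumed 09:00 local start of the workday are all constructed.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev


def constructed_calls():
    """Constructed sample: one Slack integration token polling the API every 60 s
    between 01:00 and 10:00 UTC on two days (a 09:00-18:00 workday in UTC+8)."""
    calls = []
    for day in (4, 5):
        t, end = datetime(2024, 3, day, 1, 0, 0), datetime(2024, 3, day, 10, 0, 0)
        while t < end:
            calls.append(t)
            t += timedelta(seconds=60)
    return calls


def beacon_score(times):
    """Coefficient of variation of the gaps between consecutive calls, ignoring
    gaps longer than 6 h (overnight pauses). Near 0 means machine-regular polling;
    a human working in a workspace produces a much noisier distribution."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])
            if (b - a) < timedelta(hours=6)]
    return pstdev(gaps) / mean(gaps) if gaps else None


def hour_histogram(times):
    """Number of calls in each UTC hour of the day."""
    hist = [0] * 24
    for t in times:
        hist[t.hour] += 1
    return hist


def likely_utc_offset(times, workday_start=9, workday_len=9):
    """Find the densest workday_len-hour window of activity in UTC and map its
    start to a UTC offset, assuming the operators begin around workday_start local."""
    hist = hour_histogram(times)
    best = max(range(24), key=lambda s: sum(hist[(s + i) % 24] for i in range(workday_len)))
    offset = (workday_start - best) % 24
    return offset - 24 if offset > 12 else offset
```

Neither number is proof on its own: a legitimate bot also polls on a timer, and an offset of 8 covers more than one country, so both are hunting leads to be confirmed against the identity's history and the content of its calls.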

The gopherwhisper apt group represents a new generation of threat actors who have mastered the art of “living in the cloud.” By turning our most trusted collaboration tools into weapons, they have made the job of the security professional significantly more complex. Defending against them requires a holistic approach that combines endpoint security, identity management, API monitoring, and a deep understanding of how modern, cloud-centric workflows can be subverted.
