New GopherWhisper APT group abuses Outlook, Slack, Discord for comms

A previously undocumented state-backed threat actor called GopherWhisper has used a Go-based custom toolkit and legitimate services like Microsoft 365 Outlook, Slack, and Discord to conduct command-and-control and exfiltration against government entities. ESET linked the actor to China after recovering hardcoded credentials and thousands of Slack and Discord messages, and identified multiple Go-based backdoors including LaxGopher, RatGopher, and BoxOfFriends. #GopherWhisper #LaxGopher

Key points

  • GopherWhisper has been active since at least 2023 and is attributed to China.
  • The threat actor leverages Go-based tools and legitimate services (Slack, Discord, Microsoft Graph API/Outlook) for C2 and payload delivery.
  • ESET identified multiple implants and utilities: LaxGopher, RatGopher, BoxOfFriends, SSLORDoor, JabGopher, FriendDelivery, and CompactGopher, plus a file.io exfiltration tool.
  • Researchers recovered hardcoded credentials and analyzed 6,044 Slack messages and 3,005 Discord messages revealing commands, uploaded files, and operational timings.
  • Telemetry shows 12 systems compromised in a Mongolian government institution and indicates dozens of additional victims identified via C2 traffic.

Read More: https://www.bleepingcomputer.com/news/security/new-gopherwhisper-apt-group-abuses-outlook-slack-discord-for-comms/