APT campaign abuses Discord, Slack, and Microsoft 365 to quietly control and exfiltrate sensitive government data

A newly identified advanced persistent threat (APT) group, GopherWhisper, has launched a highly targeted cyber espionage campaign against Mongolian government institutions. Security researchers uncovered infections on at least 12 systems; however, telemetry suggests the operation may extend well beyond these confirmed victims.
What makes this campaign particularly dangerous is its heavy reliance on Golang (Go)-based malware combined with the abuse of legitimate cloud and communication platforms. Instead of relying on traditional command-and-control (C2) infrastructure, GopherWhisper blends into normal enterprise traffic by leveraging platforms such as Discord, Slack, Microsoft 365 Outlook, and file-sharing services.
A Multi-Layered Malware Ecosystem
GopherWhisper operates with a modular and well-coordinated malware toolkit designed for persistence, stealth, and data exfiltration. Once attackers gain initial access—still an unknown vector—they deploy multiple tools in sequence.
The attack chain begins with injectors like JabGopher, which execute payloads such as LaxGopher, a Go-based backdoor. This malware communicates through Slack channels, allowing attackers to issue commands, execute system-level instructions, and deploy additional payloads.
Meanwhile, another component, RatGopher, uses private Discord servers for similar control functions. This dual-channel C2 approach increases resilience and reduces the chances of detection.
Additionally, the group deploys CompactGopher, a file harvesting utility that targets sensitive documents across formats such as PDFs, Office files, and images. It compresses the data into encrypted archives using AES-CFB-128 before exfiltrating it via file-sharing platforms.
To deepen control, the attackers also utilize SSLORDoor, a C++-based backdoor that communicates over port 443 using raw sockets. This enables file manipulation, command execution, and system reconnaissance without raising immediate suspicion.
Living Off Trusted Platforms
One of the most sophisticated aspects of this campaign is the use of trusted services for covert operations. For instance, the BoxOfFriends backdoor leverages the Microsoft Graph API to create draft emails for C2 communication using pre-configured credentials.
This tactic effectively bypasses many traditional security controls because the traffic appears legitimate. As a result, organizations relying solely on perimeter defenses or signature-based detection may fail to identify the intrusion.
Attribution Signals Point to China Alignment
While attribution in cyber operations remains complex, several indicators suggest a China-aligned threat actor. Activity patterns reveal that most command executions occur during standard working hours aligned with China Standard Time. Additionally, metadata configurations within Slack environments further support this assessment.
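The working-hours signal mentioned above is something an analyst can reproduce from command timestamps. The following is an added example, not code or data from the report: the timestamps are constructed for a single work week, and the candidate zones are fixed UTC offsets (assumption: no daylight-saving handling), so it scores how well each zone explains the activity.

```python
"""Working-hours fit of command-execution timestamps against candidate
time zones, the analysis behind a timing-based attribution signal.
Timestamps are constructed for this example; zones are fixed UTC offsets
(assumption: no DST handling)."""
from datetime import datetime, timedelta, timezone

# Constructed UTC timestamps of "command executions": five per weekday for one
# work week (Mon 4 to Fri 8 March 2024) plus two weekend stragglers.
_WEEKDAY_TIMES = ["01:30", "03:00", "05:15", "07:45", "09:10"]
SAMPLE_EVENTS = [
    datetime.fromisoformat(f"2024-03-0{day}T{t}:00+00:00")
    for day in range(4, 9) for t in _WEEKDAY_TIMES
] + [
    datetime.fromisoformat("2024-03-09T03:00:00+00:00"),  # Saturday
    datetime.fromisoformat("2024-03-10T06:00:00+00:00"),  # Sunday
]

# Candidate operator zones as (label, UTC offset in hours).
CANDIDATE_ZONES = [
    ("UTC+8 China Standard Time", 8),
    ("UTC+8 Ulaanbaatar", 8),
    ("UTC+3 Moscow", 3),
    ("UTC+0", 0),
    ("UTC-5 US Eastern", -5),
]


def in_working_hours(ts_utc, offset_hours, start=9, end=18):
    """True if the UTC timestamp falls Mon-Fri, start <= hour < end, in the zone."""
    local = ts_utc.astimezone(timezone(timedelta(hours=offset_hours)))
    return local.weekday() < 5 and start <= local.hour < end


def working_hours_fit(events, offset_hours):
    """Fraction of events that land inside working hours for the candidate zone."""
    if not events:
        return 0.0
    return sum(in_working_hours(e, offset_hours) for e in events) / len(events)


def rank_zones(events, candidates=CANDIDATE_ZONES):
    """Candidate zones sorted by fit, best first; ties are real ties."""
    return sorted(((working_hours_fit(events, off), name) for name, off in candidates),
                  reverse=True)


if __name__ == "__main__":
    for fit, name in rank_zones(SAMPLE_EVENTS):
        print(f"{fit:5.1%}  {name}")
```

The caveat the ranking makes visible: Ulaanbaatar time is also UTC+8, so a working-hours fit alone cannot separate an operator in China from one in the victim's own time zone. Timing is corroborating evidence, which is why the assessment above pairs it with the Slack metadata rather than resting on it.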
Why This Attack Matters
This campaign highlights a growing trend in modern cyber espionage:
- Attackers are shifting to legitimate platforms to evade detection
- Golang is becoming a preferred language for cross-platform malware
- Government entities remain high-value intelligence targets
For organizations, especially in the UAE and GCC, the implications are clear. As digital transformation accelerates, threat actors are evolving just as quickly, adopting stealthier and more scalable attack methods.
What CISOs and Security Teams Should Do
Organizations must rethink traditional detection strategies. It is no longer enough to block known malicious domains. Instead, security teams should:
- Monitor unusual activity within trusted platforms like Slack and Microsoft 365
- Implement behavioral analytics to detect anomalies in user and system behavior
- Restrict unauthorized API access and enforce strict identity controls
- Inspect encrypted outbound traffic for suspicious patterns
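The recommendations above, and the tradecraft described earlier (Slack, Discord and Microsoft Graph used as C2 channels, a backdoor speaking raw sockets on port 443), can be turned into concrete detection logic. The following is an added example, not tooling from the report or from any vendor: it runs three rules over endpoint network telemetry in a constructed record format with constructed sample rows. The platform hostnames are real; the expected-client lists, process names and the 203.0.113.7 address are assumptions for the example.

```python
"""Detection rules over endpoint network telemetry for C2 patterns that hide
in trusted platforms: (1) a collaboration/API host reached by an unexpected
process, (2) port 443 used without a TLS handshake, (3) regular beaconing.
Record format and sample rows are constructed for this example."""
from collections import defaultdict
from statistics import mean, pstdev

# Hosts that legitimate traffic reaches from a short list of client processes.
# Assumption for this example: tune the lists to your own environment.
EXPECTED_CLIENTS = {
    "slack.com": {"slack.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
    "discord.com": {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
    "graph.microsoft.com": {"outlook.exe", "teams.exe", "chrome.exe",
                            "msedge.exe", "firefox.exe"},
}

# Constructed telemetry rows:
# (timestamp_s, endpoint, process, dest_host, dest_port, first_payload_bytes_hex)
SAMPLE = [
    (0,   "ws01", "chrome.exe",     "slack.com",           443, "160301"),
    (2,   "ws03", "outlook.exe",    "graph.microsoft.com", 443, "160301"),
    (5,   "ws01", "svchost_up.exe", "slack.com",           443, "160301"),
    (13,  "ws01", "chrome.exe",     "slack.com",           443, "160301"),
    (40,  "ws03", "outlook.exe",    "graph.microsoft.com", 443, "160301"),
    (41,  "ws03", "outlook.exe",    "graph.microsoft.com", 443, "160301"),
    (65,  "ws01", "svchost_up.exe", "slack.com",           443, "160301"),
    (90,  "ws01", "chrome.exe",     "slack.com",           443, "160301"),
    (95,  "ws01", "chrome.exe",     "slack.com",           443, "160301"),
    (100, "ws02", "updater.exe",    "203.0.113.7",         443, "4d5a9000"),
    (125, "ws01", "svchost_up.exe", "slack.com",           443, "160301"),
    (185, "ws01", "svchost_up.exe", "slack.com",           443, "160301"),
    (200, "ws03", "outlook.exe",    "graph.microsoft.com", 443, "160301"),
    (245, "ws01", "svchost_up.exe", "slack.com",           443, "160301"),
]


def is_tls_client_hello(first_bytes_hex):
    """TLS record header: content type 0x16 (handshake), major version 0x03."""
    return first_bytes_hex.lower().startswith("1603")


def unexpected_process_alerts(records):
    """Rule 1: watched platform host contacted by a process outside the expected set."""
    hits = {(ep, proc, dst) for _, ep, proc, dst, _, _ in records
            if dst in EXPECTED_CLIENTS and proc not in EXPECTED_CLIENTS[dst]}
    return sorted(hits)


def non_tls_on_443_alerts(records):
    """Rule 2: port 443 without a TLS handshake (raw-socket backdoor pattern)."""
    hits = {(ep, proc, dst) for _, ep, proc, dst, port, head in records
            if port == 443 and not is_tls_client_hello(head)}
    return sorted(hits)


def beacon_alerts(records, min_events=4, max_cv=0.1):
    """Rule 3: (endpoint, process, dest) tuples whose connection intervals are
    nearly constant: coefficient of variation <= max_cv over >= min_events."""
    series = defaultdict(list)
    for ts, ep, proc, dst, _, _ in records:
        series[(ep, proc, dst)].append(ts)
    alerts = []
    for key, times in series.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps; no interval pattern to judge
        if pstdev(gaps) / avg <= max_cv:
            alerts.append((*key, round(avg, 1)))
    return sorted(alerts)


def run_all(records):
    """Run every rule and return its hits keyed by rule name."""
    return {
        "unexpected_process": unexpected_process_alerts(records),
        "non_tls_443": non_tls_on_443_alerts(records),
        "beaconing": beacon_alerts(records),
    }


if __name__ == "__main__":
    for rule, hits in run_all(SAMPLE).items():
        print(rule, hits)
```

On the sample rows the browser's irregular visits to slack.com pass all three rules, while the same host's sixty-second cadence from an unexpected process trips both the process rule and the beaconing rule, and the non-TLS connection on 443 is caught without any destination reputation at all. The beaconing threshold is deliberately tight; real implants add jitter, so in production you would widen `max_cv` and baseline per process rather than rely on one constant.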
Additionally, adopting a Zero Trust architecture can significantly reduce the attack surface and limit lateral movement.
The Bigger Picture
GopherWhisper represents a new generation of APT operations—quiet, persistent, and deeply embedded within legitimate digital ecosystems. As attackers continue to exploit trusted tools, organizations must shift toward intelligence-driven and behavior-based cybersecurity strategies.
The question is no longer if such tactics will be used again—but how prepared organizations are to detect them in time.