GopherWhisper: the new state actor that turns Slack, Discord and Microsoft 365 into a command and control arsenal


ESET has disclosed a sustained campaign against government entities that introduces a new actor, dubbed GopherWhisper, whose distinctive feature is not only its origin and objectives but the way it combines custom malware written mostly in Go with legitimate collaboration platforms (Microsoft 365 Outlook via Microsoft Graph, Slack and Discord) for its command and control (C2) channels. It may look like one more variation on techniques that abuse cloud services, but the mix of Go backdoors, injectors that persist inside system processes and the use of public file-sharing services makes this operation a relevant threat to public administrations and organizations holding sensitive data.

From a technical perspective, the toolkit discovered includes a main backdoor written in Go (LaxGopher) that polls commands from a private Slack server, another backdoor that uses Discord (RatGopher), one that manipulates mail drafts in Outlook through the Microsoft Graph API (BoxOffFriends), loaders/injectors that hide payloads inside genuine processes (JabGopher, FriendDelivery) and an exfiltration utility (CompactGopher) that compresses data and uploads it to services such as file.io. A C++ backdoor using OpenSSL over raw sockets (SSLORDoor) was also identified, which shows the technical variety of the toolset and the intent to persist and extract data.


A key finding of the report is the presence of credentials embedded in the Go binaries, which allowed the researchers to recover the complete C2 traffic: thousands of messages in Slack and Discord, uploaded files and issued commands. Analysis of timestamps and metadata points to an activity pattern during working hours consistent with the UTC+8 time zone, and metadata suggesting a Chinese configuration (locale zh-CN); these data strengthened the attribution to a state-supported actor probably operating from that region.

The practical implications are several. First, the legitimacy of an external platform is no longer a security criterion: collaboration services can act as tunnels for malicious instructions and for moving data out without raising the alerts that conventional C2 traffic would. Second, binaries written in Go hinder traditional static detection, because Go executables are typically large and self-contained, which complicates identification based on simple signatures. Third, the embedded credentials and the abuse of legitimate APIs raise the cost of forensic investigation and response, since the adversary reuses communication paths that look like legitimate traffic.

For defenders and security managers there are concrete and urgent measures that reduce the exposed surface. Auditing and revoking tokens and OAuth applications/consents in Microsoft 365, Slack and Discord should be a priority; reviewing integrations that hold broad permissions on mailboxes or channels, and limiting the use of drafts as an automation channel, are immediate steps. In Microsoft environments, enabling conditional access policies, requiring MFA for API permissions and enabling logging with extended retention for Microsoft Graph activity increase visibility into covert abuse of the platform.

On endpoints and the network it is worth strengthening telemetry focused on Go binaries and behaviour patterns: monitor processes that inject code into svchost.exe, detect unusual DLLs acting as loaders, and apply blocking rules or alerts for outbound connections to public file-sharing services (such as file.io) or to domains/controllers associated with the published IoCs. TLS inspection and egress filtering can help, although privacy and performance must be balanced on government networks.


Shared intelligence and a coordinated response are essential. ESET has published a technical report with details and a repository of indicators of compromise that defence teams can integrate into their detection and hunting systems; it is recommended to feed them into SIEM, EDR and blocklists. You can read the ESET analysis on its blog and download the technical report from its official resources: ESET - GopherWhisper: analysis and ESET - Technical Report (PDF). Indicators are also available in the public repository: GopherWhisper IoCs on GitHub.

For policy makers and compliance, this case highlights the need for regulations and contracts that require accessible audit logs and cooperation with incident response, as well as the importance of continuity plans that anticipate exfiltration to public services. Organizations handling state or strategic information should treat third-party integrations with the same rigour as their own code, applying least privilege, continuous review and security testing.

Finally, for security operations teams: design hunting exercises that look for activity patterns in Slack/Discord that do not match legitimate use, for modification of drafts in mailboxes and for unexpected Go processes. Enable and retain enough logs to reconstruct attack chains, and coordinate with cloud providers and collaboration platforms to speed up containment. GopherWhisper's technical sophistication shows that state threats are adapting their tactics to global collaboration infrastructure; defence requires a combination of technical controls, enhanced visibility and collaboration between public, private and service-provider parties.
