Find notable cyber news and cases, enriched with sources, timelines, and signals.

GopherWhisper Go-based malware toolkit with Slack, Discord, and Outlook C2

Malware Activity
First reported
Last updated
Happening score
H score 23
1 unique sources, 1 articles

Summary

Hide ▲

The GopherWhisper malware set now combines Go-based backdoors and exfiltration tools that abuse Slack, Discord, Microsoft 365 Outlook, and Microsoft Graph API for C2. That matters because it hides command traffic inside legitimate services while enabling command execution and data theft. The toolkit also includes injection and loader components that expand its reach on Windows systems.

Related Happenings

TinyRCT backdoor used in CL-STA-1062 Southeast Asia intrusions

Malware Activity
H score15 First: 26.06.2026 19:21 Last: 26.06.2026 19:21 Sources 1

About this happening: The newly documented **TinyRCT** backdoor gives **CL-STA-1062** a custom remote-access payload for **government and critical-infrastructure targets in Southeast Asia**, expanding...

SprySOCKS Windows backdoor activity against government organizations

Malware Activity
H score23 First: 16.06.2026 12:00 Last: 16.06.2026 12:00 Sources 1

About this happening: **SprySOCKS** now has documented **Windows variants**, **WIN_DRV** and **WIN_PLUS**, expanding a toolset first known as a **Linux-only backdoor**. The activity is tied to **govern...

Webworm EchoCreep and GraphWorm backdoor expansion

Malware Activity
H score28 First: 20.05.2026 15:51 Last: 20.05.2026 15:51 Sources 1

About this happening: **Webworm** expanded its malware arsenal in **2025** with the custom backdoors **EchoCreep** and **GraphWorm**, increasing its ability to run stealthy **command-and-control** oper...

GopherWhisper China-aligned APT campaign targeting Mongolian government institutions

Campaign
H score30 First: 23.04.2026 12:04 Last: 23.04.2026 12:04 Sources 1

How related: In a campaign identified by cybersecurity company ESET, the threat actor targeted a government entity in Mongolia and deployed a malware set with multiple backdoors that used Slack, Discord, and the Microsoft Graph API for command-and-control (C2) communication.

About this happening: The **GopherWhisper** campaign is a **China-aligned APT operation** targeting **Mongolian governmental institutions**, and it now appears to extend beyond a single compromise to *...

GoGra Linux backdoor uses Microsoft Graph API and Outlook for covert command delivery

Malware Activity
H score23 First: 22.04.2026 13:00 Last: 22.04.2026 13:00 Sources 1

About this happening: The **GoGra** malware family now includes a **Linux backdoor variant** that uses **Microsoft Graph API** and an **Outlook inbox** for covert command delivery, making operator comm...

Timeline

  1. 23.04.2026 15:06 1 articles · 2mo ago

    Discord C2 history on 2023-11-16

    Detection Ioc Update

    Recovered Discord message history tied to GopherWhisper extends back to November 16, 2023, showing early command-and-control activity through a private Discord server with commands and results posted in the configured channel.

    Show sources
  2. 23.04.2026 15:06 1 articles · 2mo ago

    Slack C2 history on 2024-08-21

    Detection Ioc Update

    Recovered Slack message history tied to GopherWhisper extends back to August 21, 2024, establishing early Slack-based command-and-control activity through a private Slack server.

    Show sources
  3. 23.04.2026 15:06 2 articles · 2mo ago

    Public disclosure of GopherWhisper toolkit and targeting

    Initial Disclosure

    Public disclosure on 2026-04-23 identified GopherWhisper as a previously undocumented China-linked state-backed actor targeting government entities, including a Mongolian government entity, with a Go-based malware set that used Microsoft 365 Outlook, Slack, Discord, Microsoft Graph API, and File.io for C2 and exfiltration; the disclosed toolkit included LaxGopher, RatGopher, BoxOfFriends, SSLORDoor, JabGopher, FriendDelivery, and CompactGopher, and telemetry indicated 12 systems in one Mongolian government institution plus dozens of other victims.

    Show sources