GopherWhisper Go-based malware toolkit with Slack, Discord, and Outlook C2
Malware Activity
Summary
The GopherWhisper malware set now combines Go-based backdoors and exfiltration tools that abuse Slack, Discord, Microsoft 365 Outlook, and Microsoft Graph API for C2. That matters because it hides command traffic inside legitimate services while enabling command execution and data theft. The toolkit also includes injection and loader components that expand its reach on Windows systems.
Related Happenings
Webworm EchoCreep and GraphWorm backdoor expansion
Malware Activity
First: 20.05.2026 15:51
Last: 20.05.2026 15:51
Sources 1
About this happening:
**Webworm** expanded its malware arsenal in **2025** with the custom backdoors **EchoCreep** and **GraphWorm**, increasing its ability to run stealthy **command-and-control** oper...
GopherWhisper China-aligned APT campaign targeting Mongolian government institutions
Campaign
First: 23.04.2026 12:04
Last: 23.04.2026 12:04
Sources 1
How related:
In a campaign identified by cybersecurity company ESET, the threat actor targeted a government entity in Mongolia and deployed a malware set with multiple backdoors that used Slack, Discord, and the Microsoft Graph API for command-and-control (C2) communication.
About this happening:
The **GopherWhisper** campaign is a **China-aligned APT operation** targeting **Mongolian governmental institutions**, and it now appears to extend beyond a single compromise to *...
GoGra Linux backdoor uses Microsoft Graph API and Outlook for covert command delivery
Malware Activity
First: 22.04.2026 13:00
Last: 22.04.2026 13:00
Sources 1
About this happening:
The **GoGra** malware family now includes a **Linux backdoor variant** that uses **Microsoft Graph API** and an **Outlook inbox** for covert command delivery, making operator comm...
External Microsoft Teams helpdesk-impersonation campaign
Campaign
First: 20.04.2026 18:11
Last: 20.04.2026 18:11
Sources 1
About this happening:
A **campaign** abusing **external Microsoft Teams collaboration** is letting attackers impersonate **IT/helpdesk staff**, gain remote access, and stage **targeted data exfiltratio...
WhatsApp-delivered VBS Windows infection campaign
Campaign
First: 01.04.2026 14:49
Last: 01.04.2026 14:49
Sources 1
About this happening:
A **new WhatsApp-delivered campaign** is spreading malicious **VBS files** that launch a **multi-stage Windows infection chain**, raising the risk of persistence and remote access...
Timeline
- 23.04.2026 15:06 · 1 article · 1mo ago
  Discord C2 history on 2023-11-16
  Detection IoC Update: Recovered Discord message history tied to GopherWhisper extends back to November 16, 2023, showing early command-and-control activity through a private Discord server with commands and results posted in the configured channel.
  Sources:
  - New GopherWhisper APT group abuses Outlook, Slack, Discord for comms — www.bleepingcomputer.com — 23.04.2026 15:06
- 23.04.2026 15:06 · 1 article · 1mo ago
  Slack C2 history on 2024-08-21
  Detection IoC Update: Recovered Slack message history tied to GopherWhisper extends back to August 21, 2024, establishing early Slack-based command-and-control activity through a private Slack server.
  Sources:
  - New GopherWhisper APT group abuses Outlook, Slack, Discord for comms — www.bleepingcomputer.com — 23.04.2026 15:06
- 23.04.2026 15:06 · 2 articles · 1mo ago
  Public disclosure of GopherWhisper toolkit and targeting
  Initial Disclosure: Public disclosure on 2026-04-23 identified GopherWhisper as a previously undocumented China-linked state-backed actor targeting government entities, including a Mongolian government entity, with a Go-based malware set that used Microsoft 365 Outlook, Slack, Discord, Microsoft Graph API, and File.io for C2 and exfiltration; the disclosed toolkit included LaxGopher, RatGopher, BoxOfFriends, SSLORDoor, JabGopher, FriendDelivery, and CompactGopher, and telemetry indicated 12 systems in one Mongolian government institution plus dozens of other victims.
  Sources:
  - New GopherWhisper APT group abuses Outlook, Slack, Discord for comms — www.bleepingcomputer.com — 23.04.2026 15:06
  - New GopherWhisper APT group abuses Outlook, Slack, Discord for comms — www.bleepingcomputer.com — 23.04.2026 15:06