ESET Uncovers New China-Linked APT “GopherWhisper” Leveraging Legitimate Platforms

Researchers from the Slovak cybersecurity firm ESET have identified a previously unknown China-linked advanced persistent threat (APT) group dubbed GopherWhisper. The group leverages legitimate platforms—including Discord, Slack, Microsoft 365 Outlook, and file-sharing services—to carry out command-and-control (C&C) communications and data exfiltration.

Active since at least November 2023, the group is believed to operate from China based on timestamp analysis of chat logs and email activity. It deploys a suite of custom malware tools—primarily written in Go—using injectors and loaders to install backdoors and facilitate cyber-espionage.

Among the identified tools are several backdoors, including LaxGopher, RatGopher, BoxOfFriends, and SSLORDoor, as well as a data exfiltration tool, an injector, and a malicious DLL. Notably, the malware exhibits no code or tactical overlap with previously known threat actors, leading ESET to classify it as a distinct new APT group.

The campaign was first uncovered in January 2025 within a Mongolian government system, where the LaxGopher backdoor was observed using Slack for C&C operations. Subsequent analysis indicates that, in addition to the Mongolian target, dozens of other organizations may have been affected.
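The common thread in this report is C&C traffic that rides on platforms an organization already trusts (Slack, Discord, Microsoft 365 APIs), so plain domain blocklists will not catch it. The following is an added detection example, not ESET's code and not derived from the GopherWhisper samples: it runs a beaconing heuristic over constructed proxy-log lines and flags regular, low-jitter requests to collaboration-platform API hosts from a non-browser, non-official client. The log format, host names, the `Go-http-client/1.1` user agent (Go's default HTTP client string, which fits tooling written in Go but is an assumption about what an analyst would see), and the thresholds are all illustrative assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed proxy-log format (constructed for this example):
# <ISO timestamp> <src host> <dest host> <method> <path> "<user agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Collaboration/file-sharing API hosts of the kind the report names as C&C carriers.
# Suffix match so api.slack.com, gateway.discord.com etc. are covered.
WATCHED_SUFFIXES = ("slack.com", "discord.com", "discordapp.com",
                    "graph.microsoft.com", "outlook.office365.com")

# User agents that indicate a browser or the platform's own client; anything
# else talking to these hosts on a fixed cadence deserves a look.
EXPECTED_UA_PREFIXES = ("Mozilla/", "Slack/", "Discord/", "Outlook/", "Microsoft Office/")

# Constructed sample: one host beacons to api.slack.com roughly every 60 s with
# Go's default user agent; the rest is ordinary, irregular, browser/client traffic.
SAMPLE_LOG = [
    '2025-01-15T09:00:00 ws-finance-07 api.slack.com POST /api/chat.postMessage "Go-http-client/1.1"',
    '2025-01-15T09:00:10 ws-finance-07 slack.com GET /messages "Mozilla/5.0"',
    '2025-01-15T09:01:01 ws-finance-07 api.slack.com GET /api/conversations.history "Go-http-client/1.1"',
    '2025-01-15T09:01:59 ws-finance-07 api.slack.com GET /api/conversations.history "Go-http-client/1.1"',
    '2025-01-15T09:02:45 ws-finance-07 slack.com GET /files "Mozilla/5.0"',
    '2025-01-15T09:03:02 ws-finance-07 api.slack.com GET /api/conversations.history "Go-http-client/1.1"',
    '2025-01-15T09:04:00 ws-finance-07 api.slack.com GET /api/conversations.history "Go-http-client/1.1"',
    '2025-01-15T09:05:01 ws-finance-07 api.slack.com POST /api/files.upload "Go-http-client/1.1"',
    '2025-01-15T09:00:30 ws-hr-02 discord.com GET /api/v9/users/@me "Discord/1.0"',
    '2025-01-15T09:04:12 ws-hr-02 discord.com GET /api/v9/channels "Discord/1.0"',
    '2025-01-15T09:09:40 ws-hr-02 discord.com GET /api/v9/channels "Discord/1.0"',
    '2025-01-15T09:22:05 ws-hr-02 discord.com GET /api/v9/channels "Discord/1.0"',
    '2025-01-15T09:00:00 ws-dev-11 api.github.com GET /repos "Go-http-client/1.1"',
    '2025-01-15T09:01:00 ws-dev-11 api.github.com GET /repos "Go-http-client/1.1"',
    '2025-01-15T09:02:00 ws-dev-11 api.github.com GET /repos "Go-http-client/1.1"',
    '2025-01-15T09:03:00 ws-dev-11 api.github.com GET /repos "Go-http-client/1.1"',
]


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, method, path, ua = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "method": method, "path": path, "ua": ua}


def is_watched_host(host):
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def beacon_stats(timestamps):
    """Mean gap (s) and coefficient of variation of gaps; None if too few samples."""
    if len(timestamps) < 4:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def find_suspicious(lines, min_hits=4, max_cv=0.2):
    """Flag (src, dst, ua) groups that beacon to watched hosts with an unexpected client.

    A low coefficient of variation means near-constant intervals, the
    hallmark of a sleep-loop backdoor rather than a human in a chat window.
    """
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_watched_host(rec["dst"]):
            continue
        if rec["ua"].startswith(EXPECTED_UA_PREFIXES):
            continue
        groups[(rec["src"], rec["dst"], rec["ua"])].append(rec["ts"])

    findings = []
    for (src, dst, ua), stamps in groups.items():
        stats = beacon_stats(stamps)
        if stats is None or len(stamps) < min_hits:
            continue
        mean, cv = stats
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "ua": ua, "hits": len(stamps),
                             "mean_interval": round(mean, 1), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f)
```

The GitHub traffic from `ws-dev-11` is just as regular but is not flagged because the watch list is scoped to the platforms named in the report; widen `WATCHED_SUFFIXES` to whatever SaaS your environment treats as trusted, and tune `max_cv` upward if the implant you are hunting adds jitter to its sleep.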

Source: Epoch Times, April 26, 2026
https://www.epochtimes.com/gb/26/4/25/n14749648.htm