Overview
- ESET on Thursday detailed a previously unknown APT called GopherWhisper that hides command-and-control in Slack, Discord and Outlook drafts, uses file.io for data theft, and released indicators of compromise for defenders.
- LaxGopher talks to a private Slack workspace, RatGopher uses a Discord server, BoxOfFriends communicates through Microsoft Graph by editing Outlook draft emails, and a C++ tool named SSLORDoor talks over encrypted traffic on port 443.
- Investigators extracted thousands of Slack and Discord messages plus Outlook drafts after finding hard-coded tokens and credentials in the malware, exposing operator commands, development notes and timelines.
- Telemetry tied about 12 infected systems to a Mongolian government entity, while Slack and Discord traffic points to dozens of additional, unidentified victims beyond that environment.
- Timestamps clustered around UTC+8 work hours and a Slack locale set to zh-CN support a China link, and researchers say the initial break-in method is still unknown.
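The C2 and exfiltration channels listed above (Slack, Discord, Outlook drafts via Microsoft Graph, file.io) all ride on legitimate cloud services, so the detection opportunity is an unexpected process talking to them. The following is an added example, not code from ESET or from the report: it scans constructed proxy-log lines and flags hosts where a process outside an assumed allow-list reaches one of those services, marking draft edits through Graph and uploads to file.io.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the ESET report): host, process, method, URL.
SAMPLE_LOG = """\
HOST01 outlook.exe GET https://graph.microsoft.com/v1.0/me/messages
HOST01 svchost.exe PATCH https://graph.microsoft.com/v1.0/me/mailFolders/drafts/messages/AAMk
HOST02 chrome.exe GET https://slack.com/api/conversations.history
HOST03 updater.exe POST https://slack.com/api/chat.postMessage
HOST03 updater.exe POST https://file.io/
HOST04 discord.exe GET https://discord.com/api/v9/channels/1/messages
HOST05 winlogon.exe GET https://discord.com/api/v9/channels/2/messages
"""

# Processes legitimately expected to reach each service (assumed allow-list for this example).
EXPECTED = {
    "slack.com": {"slack.exe", "chrome.exe", "msedge.exe"},
    "discord.com": {"discord.exe", "chrome.exe", "msedge.exe"},
    "graph.microsoft.com": {"outlook.exe", "teams.exe"},
    "file.io": set(),  # no business process is expected to upload here
}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST|PATCH|PUT)\s+https?://([^/\s]+)(\S*)")

def find_suspicious(log_text):
    """Return {host: [reasons]} for hosts where an unexpected process reaches a C2-capable service."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, proc, method, domain, path = m.groups()
        if domain not in EXPECTED:
            continue  # not one of the services named in the report
        if proc.lower() in EXPECTED[domain]:
            continue  # an expected client; nothing to flag
        reason = f"{proc} {method} {domain}{path}"
        # A non-mail client editing drafts through Graph matches the BoxOfFriends pattern.
        if domain == "graph.microsoft.com" and method in ("PATCH", "POST") and "drafts" in path:
            reason += " [draft-edit C2 pattern]"
        # Any upload to file.io from a managed host is worth triage as possible exfiltration.
        if domain == "file.io" and method == "POST":
            reason += " [possible exfiltration]"
        findings[host].append(reason)
    return dict(findings)
```

Tune `EXPECTED` to the clients actually deployed in your environment; the allow-list here is illustrative.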