A New APT Group Called GopherWhisper Is Using Slack and Discord as Command-and-Control Channels

A newly documented APT group called GopherWhisper has been operating since at least 2023, using Slack, Discord, and the Microsoft Graph API as command-and-control channels. By routing attacker commands through legitimate SaaS platforms rather than dedicated C2 servers, GopherWhisper makes its traffic nearly indistinguishable from normal enterprise communication — a technique that defeats most network-level detection that looks for connections to known malicious infrastructure.

How GopherWhisper Operates

The group's primary backdoor, LaxGopher, was first identified in January 2025 but was active in attacks from at least late 2023. GopherWhisper uses six Go-based tools — including LaxGopher, RatGopher, BoxOfFriends, and SSLORDoor — for command execution and data exfiltration via file.io.

Researchers recovered 6,044 Slack messages from August 2024 onward and 3,005 Discord messages from November 2023, providing a detailed operational timeline. The volume of recovered messages suggests the group has been conducting sustained, ongoing operations rather than one-time intrusions.

The SaaS C2 Technique

Using Slack, Discord, and Microsoft Graph API for command-and-control is a growing trend among sophisticated threat actors. Enterprise networks routinely allow outbound traffic to these platforms — blocking them would break legitimate business operations. A security tool monitoring for connections to suspicious IP addresses or domains will not flag traffic to api.slack.com or discord.com. Detection requires behavioral analysis of the communication patterns, not just destination filtering.
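As an added illustration of the behavioral approach the paragraph calls for (this is not code from the original article or from the researchers who documented GopherWhisper), the Python below scores each source host by how regular its connections to Slack, Discord and Graph endpoints are, since an implant polling a channel on a timer looks different from a person using the same platform. The proxy log lines and host names are constructed, and the `max_cv` threshold is an assumed starting point to tune against a baseline of real traffic.

```python
# Added example: score hosts by how regular their connections to SaaS C2-capable endpoints are.
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines: "<timestamp> <src_host> <dest_host> <bytes_out>".
SAMPLE_LOGS = """\
2025-01-10T09:00:00 ws-017 api.slack.com 412
2025-01-10T09:01:00 ws-017 api.slack.com 415
2025-01-10T09:02:00 ws-017 api.slack.com 410
2025-01-10T09:03:00 ws-017 api.slack.com 413
2025-01-10T09:04:00 ws-017 api.slack.com 411
2025-01-10T09:05:00 ws-017 api.slack.com 414
2025-01-10T09:00:12 ws-042 api.slack.com 2310
2025-01-10T09:07:45 ws-042 api.slack.com 980
2025-01-10T09:31:03 ws-042 api.slack.com 15400
2025-01-10T10:12:50 ws-042 api.slack.com 700
2025-01-10T11:48:19 ws-042 api.slack.com 4400
"""

# Legitimate platforms the article names as C2 channels; blocking them outright is not an option.
SAAS_C2_HOSTS = {"api.slack.com", "discord.com", "graph.microsoft.com"}

def parse_logs(text):
    """Collect connection timestamps per (source, destination) pair."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, _bytes_out = line.split()
        if dst in SAAS_C2_HOSTS:
            series[(src, dst)].append(datetime.fromisoformat(ts))
    return series

def beacon_score(timestamps):
    """Coefficient of variation of inter-arrival gaps; near 0 means clockwork cadence."""
    times = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 4:
        return None  # too few connections to judge periodicity
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean else None

def find_beacons(text, max_cv=0.1, min_conns=5):
    """Return (src, dst, cv) for pairs regular enough to warrant analyst review.
    max_cv is an assumed threshold: implants often add jitter, so tune it on a baseline."""
    hits = []
    for (src, dst), stamps in parse_logs(text).items():
        cv = beacon_score(stamps)
        if cv is not None and len(stamps) >= min_conns and cv <= max_cv:
            hits.append((src, dst, round(cv, 3)))
    return hits
```

On the constructed sample, ws-017 (one request every 60 seconds) is flagged while ws-042's irregular, human-paced traffic to the same endpoint is not; in production the same logic runs per pair over a sliding window and is joined with request size and path features.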

Confirmed Victims

Twelve systems in the Mongolian government have been confirmed as victims. Researchers note the methodology suggests "dozens of other victims" across other geographies, though the full scope of the campaign is not yet documented. The targeting of Mongolian government systems is consistent with operations attributed to China-linked threat actors that have historically focused on Central Asian government targets.

My Take

SaaS-based C2 represents a fundamental detection challenge: the traffic is legitimately encrypted, the destination domains are whitelisted by default, and the communication patterns look like normal business collaboration. GopherWhisper is not the first group to use this technique, but the scale and sophistication of the documented operation (six custom tools, three separate C2 platforms, years of sustained activity) suggest this is a well-resourced actor with long-term objectives. Network defenders need behavioral detection, not just blocklists.
