
GopherWhisper APT: Slack & Microsoft 365 C2 Risk to SAMA Banks

ESET unveils GopherWhisper — a China-aligned APT using Discord, Slack and Microsoft 365 Outlook as covert C2. SAMA-regulated banks face the same legitimate-service abuse risk and must rethink detection.

FyntraLink Team

ESET researchers have publicly disclosed a previously undocumented China-aligned threat group dubbed GopherWhisper, an espionage operator that has been quietly weaponising Discord, Slack, Microsoft 365 Outlook and file.io as command-and-control (C2) channels since at least November 2023. While the confirmed targets so far sit inside Mongolian government institutions, the tradecraft on display maps directly onto the cloud collaboration stack that most SAMA-regulated Saudi banks run today.

What ESET Uncovered: A Burrow Full of Go-Based Backdoors

In its 23 April 2026 disclosure, ESET attributes seven distinct tools to GopherWhisper, most of them written in Go:

  1. LaxGopher, a backdoor that pulls commands from a private Slack workspace.
  2. RatGopher, which receives instructions from a Discord channel.
  3. BoxOfFriends, which abuses the Microsoft Graph API to pass commands through draft emails in Outlook.
  4. CompactGopher, an exfiltration tool that ships compressed loot to file.io.
  5. JabGopher, an injector.
  6. FriendDelivery, a loader.
  7. SSLORDoor, a C++ backdoor that talks raw TLS over port 443.

Forensic analysis of activity timestamps across the captured Slack and Discord workspaces showed operator working hours of 08:00–17:00 UTC+8, aligning with China Standard Time.

The "Living Off Trusted Cloud" Playbook

The defining characteristic of GopherWhisper is not exotic zero-days; it is the deliberate choice to ride only on services every enterprise already trusts. Outbound TLS to graph.microsoft.com, slack.com, discord.com or file.io blends straight into normal business traffic, and traditional egress filtering, IP-based blocklists and even many DNS-layer controls treat these destinations as benign. By using draft emails inside a hijacked Microsoft 365 tenant for C2, BoxOfFriends never sends a message at all: instructions are read and overwritten in the Drafts folder, so nothing appears in mail-flow (message trace) logs, which only record messages that are actually sent or received. The activity is visible only in Exchange mailbox audit events and Microsoft Graph activity logs, and only if those are enabled and collected. This is the 2026 evolution of "living off the land": adversaries have moved up the stack from cmd.exe and PowerShell to SaaS APIs.

Why This Is a Direct Risk Signal for Saudi Banks

The same cloud services GopherWhisper abuses, Microsoft 365 and Slack in particular, sit at the heart of most Saudi financial institutions' collaboration stacks. Saudi banks have aggressively migrated workflows to M365, Teams and Exchange Online over the last three years, and many fintechs and treasury teams now run on Slack. A China-aligned actor has shown the technique works against a government target today; an Iran-aligned APT such as MuddyWater or APT33, both of which have repeatedly targeted organisations in the Gulf, can replicate the playbook tomorrow. The MITRE ATT&CK techniques in play (T1071.001 Web Protocols, T1102 Web Service and its sub-technique T1102.002 Bidirectional Communication, T1567.002 Exfiltration to Cloud Storage) are not theoretical for the Kingdom; they are simply under-instrumented in many local SOCs.

Mapping to SAMA, NCA and PDPL Obligations

Under the SAMA Cyber Security Framework and the SAMA Cyber Security Control Catalogue (CSCC), banks are required to detect anomalous behaviour on critical assets, log API activity for cloud services, and maintain continuous threat intelligence integration. NCA ECC control 2-12 (cybersecurity event logs and monitoring management) and control 2-13 (cybersecurity incident and threat management) apply to cloud-hosted collaboration services as much as to on-premises assets. A C2 channel embedded in a draft email or a Discord webhook will not trigger any rule built around malware hashes, IDS signatures or perimeter firewall policy; catching it requires identity-centric and behaviour-centric detection. PDPL adds a third layer: if exfiltration occurs through file.io or Outlook drafts, the bank still bears the breach-notification burden under Articles 20 and 21, regardless of the channel.

Practical Hardening Steps for Saudi Financial CISOs

  1. Enable and forward the Microsoft 365 Unified Audit Log, Microsoft Graph activity logs and Exchange mailbox audit events (MailItemsAccessed, Create, Update) to your SIEM, keep the ClientAppId/AppId field on each record so Outlook clients can be told apart from OAuth applications, and write detections for unusual draft-email read/write patterns by service principals or non-human identities.
  2. Block egress to file.io, transfer.sh, 0x0.st and similar anonymous file-sharing endpoints from production endpoints and servers; there is no business case for them inside a SAMA-regulated environment.
  3. Apply Conditional Access policies that disallow Microsoft Graph access from non-managed devices and unfamiliar geographies, require admin consent for new OAuth application permissions, and review every consented application quarterly.
  4. For sanctioned Slack and Discord usage, enforce SSO plus phishing-resistant MFA, restrict bot/webhook creation to a small admin group, and stream Slack Audit Logs API events (available on Enterprise Grid plans) into your SIEM with detections for new outgoing webhooks and elevated token scopes.
  5. Hunt for Go-compiled binaries on endpoints: even when the symbol table is stripped, a Go binary still carries its runtime pclntab and a "Go build ID" string, so hunt on those markers rather than on file size alone. Baseline outbound TLS SNI to graph.microsoft.com from server segments; abnormal volumes from a database or jump host are a red flag.
  6. Add the published GopherWhisper IOCs from ESET's WeLiveSecurity report to your TIP and run retrospective searches across proxy and EDR telemetry going back at least to November 2023, the earliest activity ESET reports.
  7. Update your SAMA CSCC 3.3 incident response playbooks to include cloud-native C2 scenarios, and rehearse them with purple-team exercises rather than tabletop alone.
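The Drafts-folder dead-drop described under the "Living Off Trusted Cloud" section, and the draft read/write detection asked for in step 1, can be hunted with logic like the following. This is an added example written for this article, not ESET's research tooling or FyntraLink's product. The records mimic the Exchange mailbox audit events the Unified Audit Log emits (Operation, UserId, ClientAppId, Item.ParentFolder.Path for writes, Folders[].Path for MailItemsAccessed); those field names are an assumption to check against what your tenant actually produces, and the application IDs, mailbox names and timestamps are constructed.

```python
"""Hunt for dead-drop C2 in the Outlook Drafts folder using M365 mailbox audit events.

Added example, not code from ESET or FyntraLink. Record shape approximates the
Exchange mailbox audit schema of the Unified Audit Log; verify field names in
your own tenant before deploying. All identities and app IDs below are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

# Assumed allowlist of sanctioned mail-client application IDs (constructed
# placeholder GUIDs, not real Microsoft app IDs; populate from your tenant).
SANCTIONED_CLIENT_APPS = {
    "11111111-1111-1111-1111-111111111111",  # assumed: Outlook desktop
    "22222222-2222-2222-2222-222222222222",  # assumed: Outlook on the web
}


def _touches_drafts(event):
    """True if the record names the Drafts folder in either schema variant:
    Item.ParentFolder.Path (Create/Update/Delete) or Folders[].Path (MailItemsAccessed)."""
    paths = []
    parent = (event.get("Item") or {}).get("ParentFolder") or {}
    if parent.get("Path"):
        paths.append(parent["Path"])
    for folder in event.get("Folders") or []:
        if folder.get("Path"):
            paths.append(folder["Path"])
    return any(p.rstrip("\\").lower().endswith("drafts") for p in paths)


def _cadence(timestamps, min_events, max_jitter):
    """Return (median_gap_seconds, jitter) when the series looks like regular polling.
    jitter = (max gap - min gap) / median gap; a human editing a draft is not this flat."""
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    if med <= 0:
        return None
    jitter = (max(gaps) - min(gaps)) / med
    return (med, jitter) if jitter <= max_jitter else None


def find_drafts_c2(events, sanctioned_apps=SANCTIONED_CLIENT_APPS, min_events=6, max_jitter=0.25):
    """Group Drafts activity by (mailbox, client app), skip sanctioned clients, flag dead-drop shapes."""
    groups = defaultdict(list)
    for ev in events:
        app = ev.get("ClientAppId") or ev.get("AppId") or "unknown"
        if app in sanctioned_apps or not _touches_drafts(ev):
            continue
        groups[(ev["UserId"], app)].append(ev)

    findings = []
    for (user, app), evs in groups.items():
        ops = Counter(e["Operation"] for e in evs)
        reasons = []
        # 1. Beacon-like cadence on the most frequent operation. Writes are the
        #    reliable signal: MailItemsAccessed Bind records are aggregated server-side.
        top_op = ops.most_common(1)[0][0]
        stamps = [datetime.fromisoformat(e["CreationTime"]) for e in evs if e["Operation"] == top_op]
        cad = _cadence(stamps, min_events, max_jitter)
        if cad:
            reasons.append(f"{top_op} on Drafts every ~{cad[0]:.0f}s (jitter {cad[1]:.2f}, n={len(stamps)})")
        # 2. Read-then-overwrite: the same unsanctioned app both reads and rewrites drafts.
        if "MailItemsAccessed" in ops and (ops.keys() & {"Update", "Create"}):
            reasons.append("same app reads and rewrites Drafts (dead-drop shape)")
        if reasons:
            findings.append({"user": user, "app": app, "events": len(evs),
                             "operations": dict(ops),
                             "severity": "high" if len(reasons) == 2 else "medium",
                             "reasons": reasons})
    return findings


def _ev(ts, op, user, app, folder="\\Drafts", subject="RE: Q2 treasury reconciliation"):
    """Build one constructed mailbox-audit record in the shape described above."""
    rec = {"CreationTime": ts.strftime("%Y-%m-%dT%H:%M:%S"), "Operation": op,
           "RecordType": 2, "Workload": "Exchange", "UserId": user, "ClientAppId": app}
    if op == "MailItemsAccessed":
        rec["Folders"] = [{"Path": folder, "FolderItems": [{"Id": "AAMk-redacted"}]}]
        rec["OperationProperties"] = [{"Name": "MailAccessType", "Value": "Bind"}]
    else:
        rec["Item"] = {"ParentFolder": {"Path": folder}, "Subject": subject}
    return rec


def build_sample_events():
    """Constructed sample: an analyst auto-saving in Outlook, a mailbox with a
    dead-drop C2 client polling Drafts, and a mobile client making two edits."""
    t0 = datetime(2026, 4, 24, 6, 0, 0)
    evs = []
    for i in range(8):  # sanctioned Outlook autosave: regular, but allowlisted
        evs.append(_ev(t0 + timedelta(seconds=60 * i), "Update",
                       "n.alqahtani@bank.example", "11111111-1111-1111-1111-111111111111"))
    c2_app = "9a5e0c2b-0000-4000-8000-c0ffee000000"  # constructed, not a real app ID
    for off in (0, 58, 121, 178, 240, 303, 358, 420):  # ~60 s beacon with small jitter
        evs.append(_ev(t0 + timedelta(seconds=off), "Update", "t.almutairi@bank.example", c2_app, subject="sync"))
    for off in (30, 270):  # implant reading the draft for new tasking
        evs.append(_ev(t0 + timedelta(seconds=off), "MailItemsAccessed", "t.almutairi@bank.example", c2_app))
    for off in (5, 3600):  # unsanctioned mobile client, two edits an hour apart: no finding
        evs.append(_ev(t0 + timedelta(seconds=off), "Update", "s.alharbi@bank.example",
                       "33333333-3333-3333-3333-333333333333"))
    return evs


if __name__ == "__main__":
    for f in find_drafts_c2(build_sample_events()):
        print(f["severity"].upper(), f["user"], f["app"], f["events"], "events")
        for r in f["reasons"]:
            print("   -", r)
```

Run as-is it reports one high-severity finding for the mailbox polled by the unsanctioned app; the analyst's Outlook autosave, which has the same flat cadence, is suppressed only because the client app is allowlisted, which is why step 1 insists on keeping ClientAppId on every record. In production, feed it a window of events per mailbox from the Office 365 Management Activity API or the Sentinel OfficeActivity table. Two caveats: MailItemsAccessed Bind records are aggregated and throttled server-side, so cadence measured on reads is coarse and the Update/Create writes are the better beacon signal; and the thresholds (six events, 25% jitter) are starting points to tune against your own tenant's baseline, not calibrated values.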

Conclusion

GopherWhisper is a reminder that the next intrusion into a Saudi bank may not arrive through a CVE on the perimeter — it may already be sitting in an Outlook drafts folder or a forgotten Slack workspace. Defending against it requires telemetry, not tools: identity logs, API audit streams, and skilled threat hunters who know what "normal" looks like inside your tenant.

Is your organisation prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and a dedicated Microsoft 365 / SaaS threat-hunting review aligned to NCA ECC and SAMA CSCC.