Suricata was at BotConf on April 14, with Peter Manev and Éric Leblond (@Regit) leading a hands-on workshop.

Good to spend time in person with people digging into the practical side of the project and working through the details together.

#Suricata #BotConf2026 #OpenSource

#ESETresearch discovered #GopherWhisper, a new China-aligned APT group that targeted a governmental entity in Mongolia. https://www.welivesecurity.com/en/eset-research/gopherwhisper-burrow-full-malware/
The group wields a wide array of tools mostly written in Go, using injectors and loaders to deploy and execute various backdoors in its arsenal.
Of the seven tools we discovered, four are backdoors – LaxGopher, RatGopher, and BoxOfFriends are written in Go, and SSLORDoor in C++. The rest comprise the injector JabGopher, the Go-based exfiltration tool CompactGopher, and the loader FriendDelivery.
GopherWhisper abuses legitimate services, notably #Discord, #Outlook, #Slack, and file.io for C&C communication and exfiltration. We managed to extract thousands of Slack and Discord C&C messages, gaining insight into the inner workings of the group.
Timestamp inspection of the messages showed that the bulk were sent during working hours in the UTC+8 time zone, which aligns with China. We also discovered that the group’s Slack and Discord servers were being used as C&Cs for LaxGopher and RatGopher.
We presented these findings on April 15th, at the #Botconf2026 conference in a talk titled Meet GopherWhisper: Uncovering an APT’s secrets through its own words.
Our detailed analysis of GopherWhisper’s toolset and C&C traffic is also available in our latest white paper: https://web-assets.esetstatic.com/wls/en/papers/white-papers/gopherwhisper-burrow-full-malware.pdf
IoCs can be found there, as well as in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/gopherwhisper

#Botconf2026 is back live with two #TLPCLEAR talks this morning at https://youtube.com/BotconfTV

First day of the @botconf 2026! It's alive and kicking at https://m.youtube.com/BotconfTV

Here's an exclusive behind the scenes picture of the control room
(Don't mind the clusterfudge of cables :~)

#Botconf2026 #botconf

#Botconf2026 When presentations are live, you can follow them on https://www.youtube.com/BotconfTV

#Botconf2026 - We have just finished the selection of our last-minute talks thanks to our #SprintCFP! Great additions to our agenda with some fresh cases and research.
To register and join us in Reims next month, please follow this link: https://www.botconf.eu/, we still have seats available!

#Botconf2026 is offering a new option for talk proposals: the #SprintCFP

Our CFP platform is now ready to receive all late-breaking contributions: freshly completed research, new discoveries, and just-released findings that missed the main CFP deadline.

Two slots are reserved for your best and freshest research!

https://www.botconf.eu/call-for-proposals/

The dates of #Botconf2026 - The Botnet and Malware Ecosystems Fighting Conference have been confirmed for our
13th ed - Workshops (14th) & Conference (15th-17th) April 2026 in Reims, France

The CFP is online and ends on January 2nd 2026

https://www.botconf.eu/call-for-proposals/

Call for proposals – Botconf 2026

The call for proposals for #Botconf2026 has been published. You have until January 2nd 2026 to send your submissions.

https://www.botconf.eu/call-for-proposals/
