PROBABLYPWNED
Threat Intelligence | April 24, 2026 | 4 min read

GopherWhisper APT Abuses Discord and Slack to Spy on Mongolia

ESET uncovers GopherWhisper, a China-aligned APT using Go-based backdoors and legitimate cloud services like Discord, Slack, and Outlook to target Mongolian government systems.

Alex Kowalski

A previously unknown China-aligned threat group has compromised roughly a dozen systems within Mongolian government institutions, according to ESET Research. The group, dubbed GopherWhisper, stands out for its heavy reliance on Go-based backdoors and for routing command-and-control (C2) traffic through legitimate cloud services: Discord, Slack and Microsoft 365 Outlook.

ESET researchers first encountered the group in January 2025, when they found an undocumented backdoor called LaxGopher on a system belonging to a Mongolian government entity. Further investigation showed the group had been active since at least November 2023, building a toolkit designed to evade detection by blending into normal enterprise traffic.

What is GopherWhisper?

GopherWhisper is a China-aligned advanced persistent threat group targeting governmental institutions in Mongolia. The name reflects the group's preference for Go-based (Gopher) malware and its quiet operational style. Unlike APT groups that stand up their own C2 infrastructure, GopherWhisper hides its communications inside legitimate cloud platforms that organizations typically allow through their firewalls and proxies.

How the Attack Works

The campaign deploys a modular toolkit consisting of four Go-based backdoors, a C++ backdoor and several supporting loaders:

Go-Based Backdoors:

  • LaxGopher uses a Slack workspace as its C2 channel, executes operator commands through cmd.exe and downloads additional payloads
  • RatGopher is driven from a private Discord server, executing commands and moving files through the file.io sharing service
  • CompactGopher collects documents (.doc, .docx, .xls, .xlsx, .pdf, .ppt, .pptx), compresses and encrypts them with AES-128 in CFB mode, and exfiltrates the result through file.io
  • BoxOfFriends uses the Microsoft Graph API to relay C2 traffic as draft emails in an attacker-controlled Outlook account

Supporting Tools:

  • JabGopher injects the LaxGopher backdoor DLL (whisper.dll) into a host process and executes it
  • FriendDelivery is the DLL loader for BoxOfFriends
  • SSLORDoor is a C++ backdoor that uses OpenSSL to talk to its C2 on port 443 and provides file operations

Routing C2 through Discord, Slack and Outlook makes network-based detection hard. These services generate substantial legitimate traffic in most organizations, and the TLS they use hides message content from anyone not inspecting traffic at the proxy, which gives the attacker plausible cover. Other APT campaigns, including ones against critical infrastructure, have adopted the same blend-in approach, and it is now standard tradecraft.

Attribution Evidence

ESET's attribution to China rests on several indicators. C&C message timestamps cluster between 8 a.m. and 5 p.m. China Standard Time, matching a working day in that timezone, and Slack metadata shows the operator's configured user locale matching the same timezone. The earliest known attacker-controlled Outlook account was created on July 11, 2024.

Scale of Compromise

ESET's telemetry shows roughly 12 infected systems at the targeted Mongolian government institution. The real picture may be worse: analysis of C&C traffic on the attacker-controlled Discord servers and Slack workspaces suggests "dozens of other victims" beyond the confirmed infections, and the full scope of GopherWhisper's operations remains unclear.

Detection and Defense

Organizations should monitor for:

  1. Discord or Slack API traffic from hosts or processes that do not normally use those services (a Slack API call from cmd.exe or an unknown binary is not a chat client)
  2. Microsoft Graph API calls that create or read draft messages from anything other than a mail client, especially against unfamiliar accounts
  3. Uploads to file.io from processes other than a browser
  4. Go binaries exhibiting backdoor behavior: command execution, file collection, periodic connections to chat or mail APIs
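The four monitoring points above, expressed as hunting rules over EDR-style network events, as an added example. This is not ESET's detection logic and not code from the article. The event schema, the per-service process allowlist, the host names and the sample events are constructed assumptions; the service domains and the Microsoft Graph mail-item endpoints (`POST /v1.0/me/messages` creates a draft, `GET .../mailFolders/drafts/messages` lists them) are the real ones. Point 4 is approximated by a byte-marker check for Go build information, which survives symbol stripping but not packing.

```python
"""Hunting rules for GopherWhisper-style cloud-service C2 (added example).

Assumptions: EDR events carry the originating process and full URL, and the
EXPECTED allowlist reflects the estate. The sample events are constructed.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Registered domains of the services the article says are abused (real domains).
SERVICE_DOMAINS = {
    "discord.com": "discord",
    "discordapp.com": "discord",
    "slack.com": "slack",
    "file.io": "file.io",
    "graph.microsoft.com": "graph",
}

# Assumed allowlist: processes expected to talk to each service. The point of
# the rules is that cmd.exe, rundll32.exe or an unknown Go binary is not on it.
EXPECTED = {
    "discord": {"discord.exe"},
    "slack": {"slack.exe"},
    "graph": {"outlook.exe", "teams.exe", "onedrive.exe"},
}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass(frozen=True)
class NetEvent:
    """One EDR-style network event: which process on which host called which URL."""
    host: str
    process: str
    method: str
    url: str


def service_for(url: str) -> Optional[str]:
    """Map a URL to one of the abused services by registered-domain suffix."""
    name = (urlparse(url).hostname or "").lower()
    for domain, svc in SERVICE_DOMAINS.items():
        if name == domain or name.endswith("." + domain):
            return svc
    return None


def graph_mail_path(path: str) -> bool:
    """True for Graph mail-item endpoints used for draft creation and polling."""
    p = path.lower()
    return "/messages" in p and ("/me/" in p or "/users/" in p)


def classify(ev: NetEvent) -> Optional[str]:
    """Return a finding tag for a suspicious event, or None if it looks benign."""
    svc = service_for(ev.url)
    if svc is None:
        return None
    proc = ev.process.lower()
    path = urlparse(ev.url).path
    if svc in ("discord", "slack"):
        # Rule 1: chat-platform traffic from a process that is not the client.
        if proc not in EXPECTED[svc] and proc not in BROWSERS:
            return f"{svc}-c2-candidate"
    elif svc == "file.io":
        # Rule 3: uploads to the dead-drop file service from non-browser processes.
        if ev.method.upper() in ("POST", "PUT") and proc not in BROWSERS:
            return "fileio-upload"
    elif svc == "graph":
        # Rule 2: mailbox-draft C2 looks like mail-item calls from a non-mail client.
        if graph_mail_path(path) and proc not in EXPECTED["graph"] and proc not in BROWSERS:
            return "graph-draft-c2-candidate"
    return None


def hunt(events):
    """Run every event through the rules; return (host, process, tag) for hits."""
    return [(ev.host, ev.process, tag) for ev in events if (tag := classify(ev))]


# Rule 4 helper: markers the Go toolchain embeds in every binary it links.
# These survive `-ldflags=-s -w` stripping but not packers such as UPX.
GO_MARKERS = (b"\xff Go buildinf:", b'Go build ID: "')


def looks_like_go_binary(data: bytes) -> bool:
    """Cheap triage: does this file carry Go build-info markers?"""
    return any(marker in data for marker in GO_MARKERS)


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    NetEvent("ws-017", "slack.exe", "POST", "https://slack.com/api/chat.postMessage"),
    NetEvent("ws-017", "rundll32.exe", "GET", "https://slack.com/api/conversations.history?channel=C0"),
    NetEvent("fs-02", "svchost.exe", "POST", "https://discord.com/api/v10/channels/1/messages"),
    NetEvent("fs-02", "updater.exe", "POST", "https://file.io/"),
    NetEvent("ws-021", "outlook.exe", "POST", "https://graph.microsoft.com/v1.0/me/messages"),
    NetEvent("ws-021", "svc.exe", "GET", "https://graph.microsoft.com/v1.0/me/mailFolders/drafts/messages"),
    NetEvent("ws-021", "chrome.exe", "GET", "https://cdn.discordapp.com/attachments/1/2/x.png"),
]

if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(*row)
```

Run against the constructed sample, the rules flag the Slack call from rundll32.exe, the Discord call from svchost.exe, the file.io upload from updater.exe and the drafts poll from svc.exe, and stay quiet for the real clients and the browser. Process-level attribution needs endpoint telemetry; a proxy log alone only gives you the per-host baseline, which is still worth keeping for rule 1. The allowlist is the part to tune, and the Go-marker check is triage, not a verdict: a Go binary is only interesting once it also trips one of the network rules.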

The campaign shows how state-aligned actors keep adapting to get past traditional defenses. By riding on trusted cloud services, GopherWhisper keeps a reliable C2 channel without the cost and exposure of operating its own servers, and without the domain and IP indicators that defenders would otherwise block.

Why This Matters

Mongolia's position between Russia and China makes it a persistent target for espionage operations. The discovery of GopherWhisper adds another actor to the already crowded landscape of threats facing the region. For defenders elsewhere, the campaign previews where APT tradecraft is heading: away from suspicious standalone infrastructure and toward abuse of the platforms organizations already trust.

Security teams should review their visibility into cloud service usage. If you cannot tell a legitimate Slack client's API traffic from a backdoor beaconing to the same API, you have a gap that groups like GopherWhisper will use. For more context on how nation-state actors operate, our recommended cybersecurity books include detailed analysis of similar campaigns.
