ESET Research discovers new China-aligned group, GopherWhisper: It abuses messaging services Discord, Slack, and Outlook to spy

GlobeNewswire | ESET
Today at 9:00am UTC
  • ESET Research has uncovered a new China-aligned APT group, which has been named GopherWhisper, that targets governmental institutions in Mongolia.
  • GopherWhisper leverages Discord, Slack, Microsoft 365 Outlook, and file.io for command and control (C&C) communications and exfiltration.
  • The group’s toolset includes custom Go-based backdoors, injectors, exfiltration tools, loader FriendDelivery, and a C++ backdoor.
  • ESET analyzed C&C traffic from the attacker’s Slack and Discord channels, gaining information about the group’s internal operations and post-compromise activities.

BRATISLAVA, Slovakia, April 23, 2026 (GLOBE NEWSWIRE) -- ESET researchers have discovered a previously undocumented China-aligned APT group that they named GopherWhisper. The group wields a wide array of tools, mostly written in Go, that use injectors and loaders to deploy and execute various backdoors in its arsenal. In the observed campaign, the threat actors targeted a governmental institution in Mongolia. GopherWhisper abuses legitimate services, notably Discord, Slack, Microsoft 365 Outlook, and file.io, for command and control (C&C) communication and exfiltration.

ESET discovered the group in January 2025, when it found a previously undocumented backdoor, which ESET researchers named LaxGopher, in the system of a government institution in Mongolia. Digging deeper, they managed to uncover several more malicious tools, mainly various additional backdoors, all deployed by the same group. The majority of these tools were written in Go, and their collective aim was cyberespionage.

According to ESET telemetry, the victim impacted by GopherWhisper backdoors is a Mongolian governmental institution. By analyzing the C&C traffic from the attacker-operated Discord and Slack servers, ESET estimates that dozens of other victims besides the Mongolian institution were also affected, though it has no information about their geolocation or verticals.

Of the seven tools that were discovered, four are backdoors — LaxGopher, RatGopher, and BoxOfFriends, written in Go, and SSLORDoor, written in C++. Furthermore, ESET found an injector (JabGopher), a Go-based exfiltration tool (CompactGopher), and a malicious DLL file (FriendDelivery).

Since the set of malware ESET found bore no code similarities to any known threat actor’s tools, and there was also no overlap with the Tactics, Techniques, and Procedures (TTPs) used by any other group, ESET decided to attribute the tools to a new group. Researchers chose the name GopherWhisper because most of the group’s tools are written in the Go programming language, whose mascot is a gopher, and because of the filename of whisper.dll, which is side-loaded.

GopherWhisper is characterized by the extensive use of legitimate services such as Slack, Discord, and Outlook for C&C communication. “During our investigation, we managed to extract thousands of Slack and Discord messages, as well as several draft email messages from Microsoft Outlook. This gave us great insight into the inner workings of the group,” says ESET researcher Eric Howard, who discovered the new threat group.

“Timestamp inspection of the Slack and Discord messages showed us that the bulk of them were being sent during working hours, i.e. between 8 a.m. and 5 p.m., which aligns with China Standard Time. Furthermore, the locale for the configured user in Slack metadata was also set to this time zone. We therefore believe that GopherWhisper is a China-aligned group,” explains Howard.
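The working-hours analysis described above, as an added example that is not part of ESET's report or tooling: it converts Discord snowflake message IDs and Slack `ts` values to UTC, then scores every candidate UTC offset by the share of messages that fall within 08:00-17:00 local time. The message timestamps are constructed sample data, not the group's real channel logs.

```python
from datetime import datetime, timedelta, timezone

# Documented Discord snowflake epoch: 2015-01-01T00:00:00Z in milliseconds.
DISCORD_EPOCH_MS = 1420070400000


def discord_snowflake_to_utc(snowflake):
    """Discord message IDs embed their creation time in the top 42 bits."""
    ms = (int(snowflake) >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def slack_ts_to_utc(ts):
    """Slack message 'ts' values are Unix seconds plus a uniqueness suffix, e.g. '1736150400.000100'."""
    return datetime.fromtimestamp(float(ts), tz=timezone.utc)


def working_hour_fraction(timestamps, offset_hours, start=8, end=17):
    """Fraction of messages sent between start and end o'clock when viewed in UTC+offset_hours."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = sum(1 for t in timestamps if start <= t.astimezone(tz).hour < end)
    return hits / len(timestamps)


def best_offsets(timestamps, start=8, end=17):
    """Return the UTC offsets (-12..+14) under which the most messages land in working hours."""
    scores = {off: working_hour_fraction(timestamps, off, start, end) for off in range(-12, 15)}
    top = max(scores.values())
    return [off for off, s in scores.items() if s == top], scores


def build_sample():
    # Constructed sample: one message per hour 08:15-16:15 on five weekdays in UTC+8,
    # plus three late-evening outliers, all stored as UTC the way a collector would keep them.
    local = timezone(timedelta(hours=8))
    msgs = [datetime(2025, 1, 6 + d, h, 15, tzinfo=local) for d in range(5) for h in range(8, 17)]
    msgs += [datetime(2025, 1, 6 + d, 21, 40, tzinfo=local) for d in range(3)]
    return [m.astimezone(timezone.utc) for m in msgs]


if __name__ == "__main__":
    best, scores = best_offsets(build_sample())
    print("best-fitting UTC offsets:", best, "working-hour share:", round(scores[best[0]], 3))
```

A peak at UTC+8 is consistent with China Standard Time but also with every other zone at that offset, which is why the article corroborates it with the locale recorded in the Slack metadata rather than relying on timing alone.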

Based on this ESET investigation, the group’s Slack and Discord servers were first used to test the functionality of the backdoors, and then later, without clearing the logs, also used as C&C servers for the LaxGopher and RatGopher backdoors on multiple compromised machines. In addition to the Slack and Discord communications, ESET researchers were also able to extract email messages used for communication between the BoxOfFriends backdoor and its C&C using the Microsoft Graph API.

ESET Research’s Eric Howard presented these findings at the Botconf 2026 conference.

For a more detailed analysis of the new GopherWhisper threat group and its arsenal, check out the latest ESET Research blogpost and white paper “GopherWhisper: A burrow full of malware” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.

About ESET

ESET® provides cutting-edge cybersecurity to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown — securing businesses, critical infrastructure, and individuals. Whether it’s endpoint, cloud, or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com, or follow our social media, podcasts, and blogs.


Media contact:
Jessica Beffa
jessica.beffa@eset.com
720-413-4938
