Chinese Communist Party’s Latest APT Revealed to Use Legitimate Servers to Attack Overseas Organizations

Researchers at ESET, the Slovakia-based international internet security software company, have discovered a new advanced persistent threat (APT) group linked to the Chinese Communist Party, which they call GopherWhisper. The group abuses legitimate services such as Discord, Slack, Microsoft 365 Outlook, and file.io for command-and-control (C&C) communication and data theft.

According to the researchers, the group has been active since at least November 2023. By examining chat logs and email timestamps, they concluded that the operators work from within China.

The previously undisclosed and undocumented group is equipped with multiple malicious tools, mostly written in Go. These tools use injectors and loaders to deploy and execute the various backdoors in the toolkit, which are then used for espionage across victim networks.

In January 2025, researchers discovered an unidentified backdoor on the systems of a government agency in Mongolia and named it LaxGopher. Further investigation uncovered more malicious tools. The LaxGopher backdoor uses Slack for C&C communication and can execute commands via the command line, steal victim data, and fetch and run additional payloads on infected machines.

By analyzing the C&C traffic passing through the Discord and Slack servers operated by the attackers, ESET estimates that, besides the Mongolian government agency, potentially dozens of other institutions have also been targeted.

Of the seven tools discovered, four are backdoors: LaxGopher, RatGopher, and BoxOfFriends, written in Go, and SSLORDoor, written in C++. In addition, ESET identified an injector (JabGopher), a Go-based data theft tool (CompactGopher), and a malicious DLL (FriendDelivery).

Because the code bears no resemblance to the tools of any known threat actor and the tactics, techniques, and procedures (TTPs) do not overlap with those of existing groups, ESET has classified this activity as a new, separate threat group.

ESET researcher Eric Howard, who discovered GopherWhisper, disclosed that during the investigation the researchers recovered thousands of Slack and Discord messages, as well as several Microsoft Outlook email drafts, which provided deeper insight into the group’s operations.

Howard explained that when the team checked the timestamps of the Slack and Discord messages, most had been sent during working hours, between 8 a.m. and 5 p.m., when interpreted in China Standard Time. Furthermore, the user regions recorded in the Slack metadata were set to the Chinese time zone, leading the team to attribute GopherWhisper to the Chinese Communist Party.
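The working-hours analysis described above, written up as an added example that is not part of the ESET report or the article: for each candidate UTC offset, the messages' UTC timestamps are converted to local time and scored by the fraction falling inside the 8 a.m. to 5 p.m. window. The timestamps below are constructed sample data, not recovered GopherWhisper messages.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of operator message timestamps in UTC (hypothetical data,
# not taken from the ESET investigation).
SAMPLE_UTC = [
    "2024-03-04T00:15:00Z", "2024-03-04T01:40:00Z", "2024-03-04T03:05:00Z",
    "2024-03-04T06:30:00Z", "2024-03-04T08:50:00Z", "2024-03-05T02:10:00Z",
    "2024-03-05T04:45:00Z", "2024-03-05T07:20:00Z", "2024-03-05T09:00:00Z",
    "2024-03-06T23:30:00Z", "2024-03-07T01:00:00Z", "2024-03-07T05:55:00Z",
]

# Candidate operator time zones, expressed as whole-hour offsets from UTC.
CANDIDATE_OFFSETS = {"UTC": 0, "CST_China": 8, "MSK": 3, "EST": -5}

# Working-hours window used by the analysts: 08:00 up to (not including) 17:00.
WORK_START, WORK_END = 8, 17


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def local_hours(timestamps, offset_hours: int) -> list:
    """Hour-of-day of each message once shifted into the candidate time zone."""
    tz = timezone(timedelta(hours=offset_hours))
    return [parse_utc(t).astimezone(tz).hour for t in timestamps]


def hour_histogram(timestamps, offset_hours: int) -> Counter:
    """Message count per local hour; useful for eyeballing the activity curve."""
    return Counter(local_hours(timestamps, offset_hours))


def working_hours_ratio(timestamps, offset_hours: int) -> float:
    """Fraction of messages sent inside the working-hours window for this offset."""
    hours = local_hours(timestamps, offset_hours)
    in_work = sum(1 for h in hours if WORK_START <= h < WORK_END)
    return in_work / len(hours)


def rank_timezones(timestamps, candidates=CANDIDATE_OFFSETS) -> list:
    """Candidates sorted best-first by working-hours fit, as (name, ratio) pairs."""
    scores = [(name, working_hours_ratio(timestamps, off)) for name, off in candidates.items()]
    return sorted(scores, key=lambda pair: pair[1], reverse=True)


def best_fit(timestamps, candidates=CANDIDATE_OFFSETS) -> str:
    """Name of the candidate time zone whose business day best matches the activity."""
    return rank_timezones(timestamps, candidates)[0][0]
```

Timestamp fit is one heuristic among several; the article pairs it with the time-zone setting recorded in Slack metadata, and a real assessment would weigh both alongside infrastructure and tooling overlaps.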

ESET’s investigation also revealed that the group’s Slack and Discord servers were initially used to test backdoor functionality and were later repurposed, without clearing the logs, as C&C servers for the LaxGopher and RatGopher backdoors on multiple infected machines. In addition to the Slack and Discord communication records, the researchers used the Microsoft Graph API to retrieve the emails exchanged between the BoxOfFriends backdoor and its C&C server.