China-aligned hackers exposed after leaving Slack and Discord logs intact during Mongolia espionage campaign
A China-aligned hacking group ran an espionage operation against a Mongolian government target through Discord and Slack, the same workplace tools used by millions of enterprises every day, then failed to clear the logs and handed investigators an unusually detailed view of its inner workings.
Cybersecurity firm ESET disclosed the campaign on Wednesday, attributing it to a previously undocumented state-aligned threat group it has named GopherWhisper. Researchers recovered thousands of Slack and Discord messages along with a cache of draft emails from Microsoft Outlook, all belonging to the attackers rather than the victim, in what amounts to one of the more granular glimpses into a live nation-state operation in recent memory.
The known victim is a governmental institution in Mongolia, where ESET first found an unfamiliar backdoor in January 2025. Analysis of the attacker-operated command-and-control servers suggests the campaign reaches considerably further. "By analysing the C&C traffic from the attacker-operated Discord and Slack servers, ESET estimates that dozens of other victims besides the Mongolian institution were also affected, though it has no information about their geolocation or verticals," the company said in its disclosure.
What distinguishes GopherWhisper is not its malware but its infrastructure. The group routed command-and-control traffic through Discord, Slack, Microsoft 365 Outlook, and the file-sharing service file.io, all platforms embedded within the trust boundary of most modern organisations. Discord and Slack carried operator communications and beacon traffic. Outlook handled communications for one backdoor through draft emails that were never sent, exchanged via the Microsoft Graph API. File.io handled exfiltration. The traffic does not register as anomalous on a network monitoring dashboard, because it looks like work.
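As an added illustration of how a defender might surface the carrier pattern described above (this is not ESET's code or any tooling from the report), the Python below reviews constructed egress-proxy records for three things the article names: beacon-like regularity in requests to Discord or Slack, uploads to file.io, and draft writes to a mailbox through the Graph API. The log format, host names, URL paths, placeholder message id and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
# Constructed egress-proxy records: "<ISO timestamp> <src host> <method> <dest host><path>".
SAMPLE_LOG = """\
2025-01-14T09:00:02 ws-17 POST discord.com/api/v10/channels/1/messages
2025-01-14T09:01:02 ws-17 POST discord.com/api/v10/channels/1/messages
2025-01-14T09:02:03 ws-17 POST discord.com/api/v10/channels/1/messages
2025-01-14T09:03:02 ws-17 POST discord.com/api/v10/channels/1/messages
2025-01-14T09:00:40 ws-22 GET slack.com/api/conversations.history
2025-01-14T10:12:08 ws-22 GET slack.com/api/conversations.history
2025-01-14T09:07:15 ws-22 GET slack.com/api/conversations.history
2025-01-14T09:31:50 ws-22 GET slack.com/api/conversations.history
2025-01-14T09:05:00 ws-17 POST file.io/
2025-01-14T09:06:11 ws-31 PATCH graph.microsoft.com/v1.0/me/messages/PLACEHOLDER-ID
"""

def parse_line(line):  # -> (timestamp, src, method, host, path); format is assumed
    ts, src, method, url = line.split(maxsplit=3)
    host, _, path = url.partition("/")
    return datetime.fromisoformat(ts), src, method, host, "/" + path

def find_beacons(log_text, min_hits=4, max_cv=0.1):
    """(src, host, hits, mean_gap_s) where a host hits a carrier service at near-constant intervals."""
    stamps = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, _, host, _ = parse_line(line)
        if host in {"discord.com", "slack.com", "graph.microsoft.com", "file.io"}:
            stamps[(src, host)].append(ts)
    findings = []
    for (src, host), times in stamps.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)  # coefficient of variation (stdev / mean) is low for a timer-driven beacon
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            findings.append((src, host, len(times), round(avg, 1)))
    return findings

def find_covert_channels(log_text):
    """Flag uploads to file.io and draft writes through the Graph /me/messages endpoint."""
    hits = []
    for line in log_text.splitlines():
        _, src, method, host, path = parse_line(line)
        if host == "file.io" and method == "POST":
            hits.append((src, host, "upload to file-sharing service"))
        elif host == "graph.microsoft.com" and method in ("POST", "PATCH") and "/me/messages" in path:
            hits.append((src, host, "mailbox draft write via Graph API"))
    return hits
```

On the sample data the once-a-minute Discord posts from ws-17 are reported as a beacon while the irregular Slack reads from ws-22 are not; in production the same logic would be run over real proxy or CASB exports and tuned against the organisation's baseline use of these services.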
ESET researcher Eric Howard, who led the investigation, said the recovered communications gave the team rare visibility into how the group operates. "During our investigation, we managed to extract thousands of Slack and Discord messages, as well as several draft email messages from Microsoft Outlook. This gave us great insight into the inner workings of the group," he said.
That visibility was made possible by an operational lapse. The attackers first used their Slack and Discord servers as test environments to vet their backdoors, then promoted the same servers to live C&C duty without wiping the development history. The chronological record left behind included tooling decisions, debugging exchanges, and post-compromise activity across multiple victim machines.
Metadata in those messages also allowed ESET to assess attribution. "Timestamp inspection of the Slack and Discord messages showed us that the bulk of them were being sent during working hours, i.e. between 8 a.m. and 5 p.m., which aligns with China Standard Time. Furthermore, the locale for the configured user in Slack metadata was also set to this time zone. We therefore believe that GopherWhisper is a China-aligned group," Howard said. ESET has not attributed the activity to a specific Chinese state entity.
The group's toolset comprises seven custom-built tools, most of which are written in the Go programming language. Four are backdoors: LaxGopher, RatGopher, and BoxOfFriends, all written in Go, and SSLORDoor, written in C++. The remaining three are an injector named JabGopher, a Go-based exfiltration tool called CompactGopher, and a malicious DLL designated FriendDelivery. None of the tools shared code with any known threat actor's arsenal, and none of the group's tactics, techniques, and procedures matched established patterns, which is why ESET designated GopherWhisper a new group rather than tying it to an existing one. The name draws on the gopher mascot of the Go language and on whisper.dll, a side-loaded file uncovered during the investigation.
Mongolia's position between China and Russia has made it a recurring target for state-aligned cyber operators, and GopherWhisper adds to an established pattern of regional intelligence collection. The wider concern for defenders is the choice of carrier. Discord, Slack, and Microsoft 365 are the default fabric of modern enterprise communication, which is precisely the property GopherWhisper exploited. As long as malicious traffic can be disguised as a developer pasting into a channel or a colleague saving an email draft, the perimeter most organisations believe they are defending sits in the wrong place.