GopherWhisper: espionage in Mongolia via legitimate platforms such as Slack, Discord and Microsoft Graph

Published · 5 min read

A new China-aligned persistent threat actor, which the Slovak firm ESET has named GopherWhisper, has targeted government institutions in Mongolia with a previously unpublished toolset and techniques that hinder traditional detection. What matters is not only the malware catalogue (several components written in Go and a backdoor written in C++) but the strategy: the operators abuse legitimate services such as Slack, Discord and Microsoft 365 for command-and-control and exfiltration, and push stolen data out through public file-sharing services, which complicates simple attribution and blocking.

According to the research shared by ESET, the initial discovery came after a new backdoor was identified on a government system in January 2025; subsequent telemetry showed direct infections on roughly a dozen machines, with indications of many more victims connected to Slack and Discord servers controlled by the attackers. The components detected (with names such as LaxGopher, RatGopher, CompactGopher, SSLORDoor, BoxOffFriends, FriendDelivery and JabGopher) show a modular architecture: Go engines for communication and file collection, a C++ backdoor for remote control, and modules that act as loaders or injectors. This modularity makes it easy for the group to adapt its tooling to specific targets and change tactics quickly.


From an operational standpoint, two aspects deserve particular attention: first, the abuse of business and messaging platforms for C2 and exfiltration; second, the use of encryption and compression to disguise the volume of stolen data. The attackers create or compromise Outlook accounts to use the Microsoft Graph API as a covert channel, use private Discord channels and Slack messages to issue orders, and upload compressed, encrypted files to public services to get them out of the victim network. The activity pattern observed by the researchers, with more traffic during working hours in China Standard Time, adds a tactical and geographical element that helps contextualize the attribution.

The political and security implications are clear: targeting government entities in Mongolia points to strategic espionage (politics, defence, natural resources and diplomacy) and sustained intelligence collection. For organizations and public administrations, the case shows that relying solely on rules that block traditional malware is no longer enough; attackers take advantage of legitimate tools and services which, by design, are usually allowed through the perimeter and communicate over encrypted channels that are implicitly trusted.

In terms of detection and response, the immediate recommendation is to raise visibility on channels that often remain outside the reach of SIEMs or EDRs: monitor the use of collaboration APIs (e.g. Microsoft Graph), patterns of draft creation or email sent from unusual accounts, and bulk or recurring uploads to external file-sharing services. It is also critical to review Slack and Discord logs for automated activity or scheduled messages and to correlate them with endpoint activity. ESET and specialized outlets have covered the case; it is worth following the public analysis and IOCs the researchers share through their research channels (ESET Research, The Hacker News).

At the identity and access layer there are concrete actions that reduce exposure: strong multifactor authentication and conditional access on privileged identities, limiting and auditing the permissions granted to applications that use Microsoft Graph or third-party integrations, and rotating credentials and service keys under approval controls. Microsoft publishes documentation on the Graph API that can help teams understand its legitimate use and how to monitor it (Microsoft Graph documentation).
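As an added example (not code from the article or from ESET's research), the following Python script applies the draft-creation monitoring and the application-permission auditing recommended in the two paragraphs above to a constructed, simplified set of mailbox audit records. The field names (CreationTime, UserId, Operation, AppId, Folder), the approved application ID and the unknown application IDs are assumptions for illustration, not a verbatim Unified Audit Log schema or real app IDs; map them to your tenant's actual audit fields. Rather than alerting on every draft, it flags (user, application) pairs that create drafts at a regular cadence, which is how a draft-based covert channel tends to look, and marks whether the application is on the approved list.

```python
"""Flag mailbox draft creation with beacon-like cadence (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Hypothetical allow list of application IDs approved to write to mailboxes.
APPROVED_APP_IDS = {"00000000-0000-0000-0000-00000000aaaa"}
UNKNOWN_APP_A = "11111111-1111-1111-1111-111111111111"  # constructed, not a real app ID
UNKNOWN_APP_B = "22222222-2222-2222-2222-222222222222"  # constructed, not a real app ID
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
_BASE = datetime(2025, 1, 14, 2, 0, 0)


def _record(ts, user, app_id, op="Create", folder="\\Drafts"):
    # Simplified shape of a mailbox audit record. These field names are an
    # assumption for the example, not a verbatim Unified Audit Log schema.
    return {"CreationTime": ts.strftime(TS_FORMAT), "UserId": user,
            "Operation": op, "AppId": app_id, "Folder": folder}


def build_sample_log():
    """Constructed sample: one beaconing mailbox, one noisy one, one benign."""
    rows = []
    # u1: an unknown app writes a draft roughly every 5 minutes (C2-like cadence).
    for s in (0, 301, 599, 902, 1200, 1498, 1803, 2100):
        rows.append(_record(_BASE + timedelta(seconds=s), "u1@example.org", UNKNOWN_APP_A))
    # u2: an unknown app, but irregular timing (a script run by hand, say).
    for s in (0, 50, 900, 920, 3000, 3100):
        rows.append(_record(_BASE + timedelta(seconds=s), "u2@example.org", UNKNOWN_APP_B))
    # u3: the approved client, a few drafts at human intervals.
    for s in (0, 3600, 4000):
        rows.append(_record(_BASE + timedelta(seconds=s), "u3@example.org",
                            next(iter(APPROVED_APP_IDS))))
    # A non-draft create event that the detector must ignore.
    rows.append(_record(_BASE, "u1@example.org", UNKNOWN_APP_A, folder="\\Inbox"))
    return "\n".join(json.dumps(r) for r in rows)


def detect_draft_beacons(log_text, min_events=6, max_cv=0.2):
    """Return (user, app) pairs whose draft creation looks machine-driven.

    A pair is reported when it has at least `min_events` draft creations and
    the coefficient of variation of the gaps between them is at most `max_cv`:
    people write drafts irregularly, beacons do not.
    """
    series = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("Operation") != "Create" or rec.get("Folder") != "\\Drafts":
            continue
        ts = datetime.strptime(rec["CreationTime"], TS_FORMAT)
        series[(rec["UserId"], rec["AppId"])].append(ts)

    hits = []
    for (user, app_id), times in series.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"user": user, "app_id": app_id, "events": len(times),
                         "mean_interval_s": round(avg, 1), "cv": round(cv, 3),
                         "approved_app": app_id in APPROVED_APP_IDS})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in detect_draft_beacons(build_sample_log()):
        print(hit)
```

On the constructed sample only u1 is reported: u2 also uses an unknown application but its gaps vary too much, and u3 never reaches the event threshold. In practice feed the function exported mailbox audit events for a window of several hours, then review the flagged application IDs against the consent grants in the tenant.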


On the network and on endpoints it is appropriate to implement and refine egress controls: block or inspect connections to known public file-sharing services and to messaging infrastructure not used for corporate purposes, establish allow lists for critical applications, and deploy behavioural detection capable of identifying atypical cmd.exe executions, process injection, or Go-compiled binaries that make unusual connections. In addition, segmenting the network and isolating sensitive assets limits lateral movement even if an initial intrusion succeeds.
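One way to pick out Go-compiled executables for the behavioural correlation mentioned above, as an added example that is not part of the article or of ESET's research: since Go 1.13 the linker embeds a build-information blob that starts with the magic bytes `\xff Go buildinf:`, and since Go 1.18 the toolchain version and module information follow it inline as varint-length-prefixed strings. The script below locates that blob in arbitrary file bytes and returns the toolchain version and module path, running here against a constructed stand-in for a binary (no real sample is embedded). Headers from older toolchains, which store pointers instead of inline strings, are reported without resolving the strings, since that requires the file's section layout.

```python
"""Identify Go-compiled binaries from the embedded build-info blob (added example)."""

BUILD_INFO_MAGIC = b"\xff Go buildinf:"   # 14-byte marker written by the Go linker (Go 1.13+)
HEADER_SIZE = 32                          # magic + ptr size + flags + two pointer slots
FLAG_BIG_ENDIAN = 0x1
FLAG_INLINE_STRINGS = 0x2                 # Go 1.18+: strings follow the header inline
# Sentinel byte strings the Go runtime wraps around the module info string.
MODINFO_START = bytes.fromhex("3077af0c9274080241e1c107e6d618e6")
MODINFO_END = bytes.fromhex("f932433186182072008242104116d8f2")


def _uvarint(n):
    """Encode n as an unsigned LEB128 varint (the format Go's binary.PutUvarint uses)."""
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def _read_uvarint(buf, pos):
    """Decode an unsigned varint at buf[pos]; return (value, position after it)."""
    result, shift = 0, 0
    while pos < len(buf):
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if b < 0x80:
            return result, pos
        shift += 7
    raise ValueError("truncated varint")


def _read_go_string(buf, pos):
    """Read a varint-length-prefixed byte string; return (bytes, position after it)."""
    n, pos = _read_uvarint(buf, pos)
    if pos + n > len(buf):
        raise ValueError("truncated string")
    return buf[pos:pos + n], pos + n


def go_build_info(data):
    """Return build-info fields if `data` carries a Go build-info blob, else None."""
    off = data.find(BUILD_INFO_MAGIC)
    if off < 0 or off + HEADER_SIZE > len(data):
        return None
    ptr_size, flags = data[off + 14], data[off + 15]
    info = {"ptr_size": ptr_size, "big_endian": bool(flags & FLAG_BIG_ENDIAN),
            "version": None, "modinfo": None}
    if flags & FLAG_INLINE_STRINGS:
        try:
            version, pos = _read_go_string(data, off + HEADER_SIZE)
            modinfo, _ = _read_go_string(data, pos)
        except ValueError:
            return info  # header present but the strings are damaged or cut off
        if modinfo.startswith(MODINFO_START) and modinfo.endswith(MODINFO_END):
            modinfo = modinfo[len(MODINFO_START):-len(MODINFO_END)]
        info["version"] = version.decode("utf-8", "replace")
        info["modinfo"] = modinfo.decode("utf-8", "replace")
    return info


def build_sample_blob():
    """Constructed stand-in for a Go-linked executable: junk bytes, then the blob."""
    version = b"go1.21.5"
    modinfo = MODINFO_START + b"path\tcmd/agent\nmod\texample.com/agent\t(devel)\t\n" + MODINFO_END
    blob = BUILD_INFO_MAGIC + bytes([8, FLAG_INLINE_STRINGS]) + b"\x00" * 16
    blob += _uvarint(len(version)) + version + _uvarint(len(modinfo)) + modinfo
    return b"MZ\x90\x00" + b"\x00" * 60 + b".text\x00\x00\x00" + blob + b"\x00" * 32


if __name__ == "__main__":
    import sys
    if not sys.argv[1:]:
        print(go_build_info(build_sample_blob()))
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, go_build_info(fh.read()))
```

Run it over the image paths from process-creation or network-connection events to tag which connecting executables are Go-built; the module path and toolchain version are useful pivot fields when clustering samples, and a Go binary with no module information at all is itself worth a second look.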

For response and intelligence teams, it is recommended to preserve and analyse artifacts (memory, binaries, collaboration-application logs), share indicators with the national CSIRT and security vendors, and consider a comprehensive review of cloud-service or corporate email accounts that were never explicitly authorized. If compromise is suspected, activate containment procedures: isolate affected systems, collect forensic evidence and revoke compromised credentials. International cooperation and information sharing with national CERTs and intelligence partners increase the capacity to mitigate transnational campaigns.

Finally, this incident underlines a lasting lesson: attackers will prefer routes that mix social engineering, abuse of legitimate services and code that is hard to analyse (such as Go). Effective defence requires a combination of technical controls, monitoring of collaboration platforms, identity governance and an organizational culture that prioritizes cyber hygiene and rapid response. Staying informed through technical analysis and public alerts, and implementing the basic recommendations on segmentation, authentication and monitoring, significantly reduces the risk that similar campaigns achieve their espionage or data-theft objectives.
