
A previously undocumented China-aligned threat actor targeted a Mongolian government entity and used popular communication platforms such as Discord, Slack and Microsoft 365 Outlook to manage its operations and steal data, researchers have found.
The group, which researchers at cybersecurity firm ESET named GopherWhisper, has been active since at least November 2023 and was discovered in January 2025 after investigators found a previously unknown backdoor on the network of a Mongolian government institution.
The malware, dubbed LaxGopher, was deployed on roughly a dozen systems belonging to the organization, the Slovak cybersecurity firm said in a report on Thursday. Researchers believe the campaign likely affected dozens of additional victims, though they have not identified their locations or sectors.
According to ESET, the hackers relied heavily on legitimate online services to conceal their activity, using Discord, Slack and Microsoft 365 Outlook to communicate with compromised machines and manage command-and-control infrastructure.
The group deployed a range of custom-built tools written largely in the Go programming language, including loaders, injectors and backdoors designed to maintain access to targeted systems.
Among the tools identified were RatGopher, BoxOfFriends, the injector JabGopher, the loader FriendDelivery and a backdoor known as SSLORDoor, researchers said.
To remove stolen information from compromised networks, the attackers used a dedicated data exfiltration tool called CompactGopher, which compressed files and uploaded them to the file-sharing service File.io.
ESET said the operation appears consistent with cyber espionage activity, though it did not attribute the campaign to a specific entity.
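
For defenders, the pattern the report describes (chat or mail APIs used as a control channel, followed by compressed uploads to File.io) can be hunted in proxy logs by correlating the two behaviors on one host. The following is an added example, not ESET's detection logic or code from the report; the hostnames, process allowlist, thresholds and log lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed hostnames for the services the report names; adjust to your proxy's naming.
C2_CAPABLE = {"discord.com", "slack.com", "graph.microsoft.com"}
EXFIL_HOSTS = {"file.io"}
# Assumed allowlist of processes expected to reach these services.
EXPECTED = {"chrome.exe", "msedge.exe", "firefox.exe",
            "slack.exe", "discord.exe", "outlook.exe"}

# Constructed proxy log lines: time, host, process, destination, bytes sent.
# Process names are placeholders, not the malware's real file names.
SAMPLE_LOG = """\
2025-01-14T09:00:02 ws-011 chrome.exe discord.com 1200
2025-01-14T09:03:10 ws-017 svc_update.exe slack.com 640
2025-01-14T09:03:40 ws-017 svc_update.exe slack.com 655
2025-01-14T09:20:05 ws-017 pack_tool.exe file.io 48211004
2025-01-14T10:15:00 ws-023 outlook.exe graph.microsoft.com 9000
2025-01-14T11:00:00 ws-030 chrome.exe file.io 20480
"""

def parse(log):
    for line in log.splitlines():
        ts, host, proc, dest, sent = line.split()
        yield datetime.fromisoformat(ts), host, proc.lower(), dest.lower(), int(sent)

def matches(dest, domains):
    # Match the domain itself or any subdomain of it.
    return any(dest == d or dest.endswith("." + d) for d in domains)

def find_suspects(log, window=timedelta(hours=1), min_upload=1_000_000):
    """Hosts where an unexpected process talks to a chat/mail API and an
    unexpected process then makes a large File.io upload within `window`."""
    c2_seen = defaultdict(list)  # host -> [(time, process)]
    findings = []
    for ts, host, proc, dest, sent in sorted(parse(log)):
        if proc in EXPECTED:
            continue  # browsers and official clients are out of scope here
        if matches(dest, C2_CAPABLE):
            c2_seen[host].append((ts, proc))
        elif matches(dest, EXFIL_HOSTS) and sent >= min_upload:
            prior = sorted({p for t, p in c2_seen[host] if ts - t <= window})
            if prior:
                findings.append((host, prior, proc, sent))
    return findings

if __name__ == "__main__":
    for finding in find_suspects(SAMPLE_LOG):
        print(finding)
```

The allowlist is the weak point of this check: injected code running inside an allowlisted process will not be flagged, so pair it with endpoint telemetry where available.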