
Eset Exposes Chinese Hackers' Careless Backdoor Tactics


Researchers recovered more than 9,000 messages that betrayed the attackers’ own testing systems and operational habits — a mistake that let investigators trace a previously undetected Chinese nation-state actor to a suite of Go-based backdoors.

GopherWhisper: Chinese provenance and operational cadence

Security firm Eset has named the threat actor GopherWhisper and concluded the group is of Chinese provenance. The assessment rests on metadata and activity patterns: the attackers set their locale in Slack metadata to zh-CN and “based on their messaging patterns, worked during normal Chinese time zone business hours,” Eset reported. The campaign began roughly in August 2024 and was discovered after an infection at an undisclosed Mongolia government agency.

RatGopher, LaxGopher and BoxOfFriends — three Go backdoors

Eset’s investigation found multiple custom backdoors written in the Go programming language. One, dubbed RatGopher, was found as source code in a Discord channel; another, LaxGopher, was linked to GitHub repositories recovered by researchers. A third tool, BoxOfFriends, also written in Go, used Microsoft Outlook as part of its command-and-control signaling.

Eset explained its naming choice by noting the use of Go: the company “seized on the gopher mascot of the Go programming language to bestow names on the malware.”

Operational sloppiness: hardcoded credentials, exposed logs, and test systems

GopherWhisper’s most consequential errors were operational. The group used Slack and Discord servers as command-and-control (C2) infrastructure and then reused those same servers as early test targets. The attackers “forgot to clear the logs,” allowing investigators to obtain both post‑compromise activity and files uploaded from the attackers’ own testing systems, Eset said.

Researchers observed an operator running a VMware virtual machine that had been booted and installed during the Chinese working day. One backdoor published a message to a Discord channel on initialization — “Hello, everyone!\nI'm coming!” — a literal announcement from the malware that tied code behavior to the attacker-controlled channel logs.

Hide in plain sight: Slack, Discord, Microsoft Office and file.io as C2 and exfiltration channels

Eset highlighted the attackers’ use of trusted, high-volume services to blend malicious traffic into normal network flows. “The hackers likely used Slack and Discord for command and control ‘to blend malicious communications into trusted, high-volume legitimate network traffic to remain under the radar,’” said Eset malware researcher Eric Howard.

The threat actor also used Microsoft Office as a signaling mechanism: BoxOfFriends created a new draft email in Microsoft Outlook to notify operators that it was ready; differing addresses in the email’s address field corresponded to different commands. Eset reported that the address Seth912@outlook.com was used to send heartbeat intervals, while Jared962@outlook.com was used to break large files into chunks for exfiltration. For data exfiltration the group used file.io.

How technologists, policymakers, and affected enterprises should react

  • Technologists and security teams: Review logs from collaboration platforms and client-side email drafts for anomalous activity tied to known addresses and channels; Eset’s probe shows that attackers can — and do — leave command-and-control artifacts in the same services defenders rely on. Indicators and samples are published by Eset on its GitHub repository for further analysis.
  • Policymakers and regulators: Note that nation-state actors may adopt commodity cloud and collaboration services for stealthy C2; oversight and guidance for acceptable logging and monitoring practices in critical environments may need reviewing to detect such abuse.
  • Affected enterprises and procurement leaders: Expect attackers to blend malicious traffic into legitimate, high-volume services and to repurpose those services for signaling; vetting of third-party collaboration tooling and its logging capabilities should be part of procurement risk assessments.
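The first recommendation above, reviewing client-side email drafts for signaling tied to known addresses, can be turned into a small triage script. The following is an added example written for this article, not code from Eset or from the GopherWhisper report; it assumes a pipe-delimited export of draft-creation events (timestamp, mailbox, recipient, creating process), which is a constructed layout rather than any real audit-log format. The two outlook.com addresses come from the article; every other address, mailbox, process name and timestamp in the sample log is constructed. Beyond matching the published addresses, it flags drafts created by a process other than the mail client and, more generally, any mailbox-to-recipient pair whose drafts arrive on a near-fixed period, which is the heartbeat cadence BoxOfFriends used and would surface even if the operators rotated addresses.

```python
"""Triage Outlook draft-creation events for draft-as-signal behaviour.

Added example for this article; not Eset's code. The log layout is an
assumption: one event per line as  timestamp|mailbox|recipient|process.
"""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Addresses Eset reported for BoxOfFriends, mapped to the role the article gives them.
KNOWN_SIGNAL_ADDRESSES = {
    "seth912@outlook.com": "heartbeat interval",
    "jared962@outlook.com": "chunked exfiltration",
}

# Constructed sample events (not real telemetry). user1 shows a 5-minute
# heartbeat to a known address plus one exfil signal; user3 shows a regular
# cadence to an address that is NOT on the IoC list; user2 is normal mail.
SAMPLE_LOG = """\
2024-09-02T01:00:00|user1@agency.example|seth912@outlook.com|boxoffriends.exe
2024-09-02T01:05:00|user1@agency.example|seth912@outlook.com|boxoffriends.exe
2024-09-02T01:07:13|user1@agency.example|colleague@agency.example|OUTLOOK.EXE
2024-09-02T01:10:00|user1@agency.example|seth912@outlook.com|boxoffriends.exe
2024-09-02T01:15:00|user1@agency.example|seth912@outlook.com|boxoffriends.exe
2024-09-02T02:30:41|user1@agency.example|jared962@outlook.com|boxoffriends.exe
2024-09-02T03:00:00|user3@agency.example|relay7@example.net|outlook.exe
2024-09-02T03:10:00|user3@agency.example|relay7@example.net|outlook.exe
2024-09-02T03:20:05|user3@agency.example|relay7@example.net|outlook.exe
2024-09-02T09:12:00|user2@agency.example|vendor@partner.example|OUTLOOK.EXE
2024-09-03T10:02:00|user2@agency.example|vendor@partner.example|OUTLOOK.EXE
"""


def parse_events(log_text):
    """Parse the assumed pipe-delimited layout; addresses and process names are lower-cased."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, mailbox, recipient, process = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "mailbox": mailbox.lower(),
            "recipient": recipient.lower(),
            "process": process.lower(),
        })
    return events


def known_address_hits(events):
    """Drafts addressed to a published signaling address, with the reported role."""
    return [(e, KNOWN_SIGNAL_ADDRESSES[e["recipient"]])
            for e in events if e["recipient"] in KNOWN_SIGNAL_ADDRESSES]


def non_client_drafts(events, allowed_processes=("outlook.exe",)):
    """Drafts created by something other than the mail client itself."""
    return [e for e in events if e["process"] not in allowed_processes]


def heartbeat_candidates(events, min_count=3, max_jitter_s=30.0):
    """Mailbox/recipient pairs whose drafts recur on a near-constant period.

    Independent of the IoC list: a beacon to a rotated address still shows
    a low standard deviation across the gaps between consecutive drafts.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["mailbox"], e["recipient"])].append(e["ts"])
    findings = []
    for (mailbox, recipient), stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter_s:
            findings.append({"mailbox": mailbox, "recipient": recipient,
                             "count": len(stamps), "period_s": sum(gaps) / len(gaps)})
    return findings


def analyse(log_text):
    """Run all three checks over one log export and return the findings."""
    events = parse_events(log_text)
    return {
        "known_address_hits": known_address_hits(events),
        "non_client_drafts": non_client_drafts(events),
        "heartbeat_candidates": heartbeat_candidates(events),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for e, role in report["known_address_hits"]:
        print(f"IOC  {e['ts'].isoformat()} {e['mailbox']} -> {e['recipient']} ({role})")
    for e in report["non_client_drafts"]:
        print(f"PROC {e['ts'].isoformat()} {e['mailbox']} draft created by {e['process']}")
    for c in report["heartbeat_candidates"]:
        print(f"BEAT {c['mailbox']} -> {c['recipient']} x{c['count']} every ~{c['period_s']:.0f}s")
```

The cadence check is the part worth keeping once the published addresses stop being useful: the thresholds (`min_count`, `max_jitter_s`) are assumptions to tune against a baseline of real draft activity, since legitimate scheduled mail can also be periodic.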

Eset emphasized that GopherWhisper “resembles” other persistent Chinese campaigns in stealth and durability — naming Volt Typhoon and Brickstorm as examples of the sweep over governments and critical infrastructure — but found no similarity in code, tactics, techniques, procedures, or targeting to any known Chinese threat actor. The operative lesson is concrete: poor operational security can reveal a nation-state actor’s tools and routines as effectively as a vulnerability in software.

Indicators of compromise and samples associated with GopherWhisper are available on Eset’s GitHub repository. Read Eset’s published findings at the original report: https://www.govinfosecurity.com/unwary-chinese-hackers-hardcoded-credentials-into-backdoors-a-31487