Operation GopherWhisper: How Hackers Turned Discord into a Spy Machine
Subtitle: A clandestine Chinese APT group exploited trusted platforms like Discord, Slack, and Outlook to orchestrate a sophisticated cyber-espionage campaign, evading detection in plain sight.
When government security teams reviewed their network logs in early 2025, few expected that the friendly chatter on Discord and the humdrum of Outlook drafts concealed a high-stakes espionage campaign. But beneath the surface, a newly discovered group, GopherWhisper, was burrowing deep into sensitive systems, weaponizing the very platforms organizations trust most.
GopherWhisper’s playbook reads like a masterclass in digital misdirection. Instead of relying on suspicious, easily blacklisted servers, the group funneled their operations through everyday platforms: Discord channels, Slack workspaces, and even Outlook email drafts. This allowed their malicious traffic to blend seamlessly into routine business activity, frustrating defenders and rendering traditional security tools nearly blind.
The group’s arsenal included seven distinct malware tools, four of which were backdoors with evocative names like LaxGopher, RatGopher, and BoxOfFriends; most were crafted in Go, a language favored for its speed and cross-platform capabilities. Their modular approach meant different tools handled infection, code injection, data exfiltration, and communication, each playing a specialized role in the digital heist.
What set GopherWhisper apart wasn’t just technical prowess, but operational savvy. ESET investigators, led by Eric Howard, infiltrated the attackers’ own Slack and Discord servers, uncovering not only the mechanics of the espionage, but also the group’s work rhythms, which aligned with typical Chinese office hours. Metadata and messaging patterns further cemented the group’s Chinese origins.
Perhaps most alarming: the attackers didn’t bother erasing their logs. This carelessness granted ESET an unprecedented window into the group’s inner workings: how they tested backdoors, rolled out updates, and coordinated attacks on at least one Chinese government entity, with dozens of other unknown victims likely swept up worldwide.
GopherWhisper’s use of Microsoft Graph API for covert communication, and file.io for data theft, demonstrates a chilling trend: as organizations embrace cloud-based, collaborative platforms, attackers are racing to exploit their legitimacy. Security teams must now scrutinize traffic once considered “safe by default,” rethinking anomaly detection in an era where trust is the weakest link.
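As an added illustration of the anomaly detection this paragraph calls for (example code written for this page, not ESET's research tooling or anything from the GopherWhisper toolset), the script below scores constructed proxy log lines for two traits of abused trusted services: clockwork request intervals to Graph, Discord or Slack endpoints, and large uploads to file.io. The log format, hostnames and thresholds are assumptions made for the demonstration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Legitimate domains the report names as abused C2/exfiltration channels.
# They cannot simply be blocked, so they are watched for machine-like behaviour.
WATCHED = {"graph.microsoft.com", "discord.com", "slack.com", "file.io"}

# Constructed proxy log lines (not real telemetry): "ts host method domain bytes_out"
SAMPLE_LOG = """\
2025-02-03T09:00:00 ws-17 POST graph.microsoft.com 812
2025-02-03T09:00:01 ws-04 GET slack.com 1400
2025-02-03T09:05:00 ws-17 POST graph.microsoft.com 820
2025-02-03T09:10:00 ws-17 POST graph.microsoft.com 815
2025-02-03T09:15:01 ws-17 POST graph.microsoft.com 810
2025-02-03T09:20:00 ws-17 POST graph.microsoft.com 818
2025-02-03T09:22:13 ws-04 POST slack.com 2300
2025-02-03T09:25:00 ws-17 POST graph.microsoft.com 811
2025-02-03T09:41:07 ws-04 GET discord.com 950
2025-02-03T09:43:30 ws-17 POST file.io 5242880
"""

def parse(log_text):
    """Parse the constructed lines into (datetime, host, method, domain, bytes_out)."""
    events = []
    for line in log_text.splitlines():
        ts, host, method, domain, size = line.split()
        events.append((datetime.fromisoformat(ts), host, method, domain, int(size)))
    return events

def find_beacons(events, min_hits=5, max_jitter_s=5.0):
    """Flag (host, domain) pairs whose requests to a watched domain arrive at
    near-constant intervals: human chat is bursty, a C2 polling loop is not."""
    times = defaultdict(list)
    for ts, host, _, domain, _ in events:
        if domain in WATCHED:
            times[(host, domain)].append(ts)
    hits = []
    for (host, domain), stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if statistics.pstdev(gaps) <= max_jitter_s:
            hits.append((host, domain, round(statistics.mean(gaps))))
    return hits

def find_uploads(events, min_bytes=1_000_000):
    """Flag large POSTs to the public file-drop service the report names (file.io)."""
    return [(host, domain, size) for _, host, method, domain, size in events
            if method == "POST" and domain == "file.io" and size >= min_bytes]
```

On the sample, `find_beacons` singles out ws-17 polling graph.microsoft.com every 300 seconds while ws-04's irregular Slack and Discord use is left alone, and `find_uploads` flags the same host's 5 MB push to file.io.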
As the dust settles, the GopherWhisper saga stands as a stark warning: in the hands of skilled adversaries, even the most benign-seeming platforms can become instruments of espionage. For defenders, the lesson is clear: assume nothing is above suspicion, and vigilance must extend to every corner of the digital workplace.
WIKICROOK
- APT (Advanced Persistent Threat): An Advanced Persistent Threat (APT) is a long-term, targeted cyberattack by skilled groups, often state-backed, aiming to steal data or disrupt operations.
- Backdoor: A backdoor is a hidden way to access a computer or server, bypassing normal security checks, often used by attackers to gain secret control.
- Command and Control (C&C): Command and Control (C&C) servers let attackers remotely control infected devices, send instructions, and collect stolen data from compromised systems.
- Go (Golang): Go (Golang) is a modern programming language known for efficiency and is increasingly used by cybercriminals to create hard-to-detect malware.
- Microsoft Graph API: Microsoft Graph API is a modern interface that lets apps securely connect to and manage data across Microsoft 365 cloud services.