Unwary Chinese Hackers Hardcoded Credentials into Backdoors
Data Breach Today
Eset Researchers Discover Trove of Go-Based Malware
Researchers uncovered a Chinese-linked cyberespionage group after attackers left command and control credentials embedded in malware, exposing internal operations, testing environments and thousands of messages tied to campaigns targeting a Mongolia government agency.
Tiffany Wang • April 23, 2026
Most of the backdoors discovered by Eset researchers were coded in the Go programming language. Image: Shutterstock
Researchers were able to track a previously undetected but apparently very careless Chinese nation-state threat actor after discovering that the hackers had hard-coded command and control credentials into their backdoors.
The hacking group, dubbed GopherWhisper by Eset, used Slack, Discord and Microsoft Office accounts to control several backdoors written in the Go programming language. The cybersecurity firm found the tools while investigating an infection at an undisclosed Mongolian government agency in a campaign that started roughly in August 2024.
The same Slack and Discord servers used for command and control were among the first machines to receive infections, as tests. But the hackers forgot to clear the logs. As a result, "we were able to obtain not only information about the attackers' post-compromise activities, but also about the attackers' environment, as they uploaded files from their testing systems during the testing phase," Eset wrote.
While probing a hacker Discord channel, researchers found source code for one of the custom backdoors dubbed RatGopher. They were also able to uncover GitHub repositories containing code for another backdoor, LaxGopher. Eset seized on the gopher mascot of the Go programming language to bestow names on the malware.
The hackers likely used Slack and Discord for command and control "to blend malicious communications into trusted, high-volume legitimate network traffic to remain under the radar," said Eset malware researcher Eric Howard. The threat actor also used Microsoft Office for command and control and file.io for data exfiltration.
From Volt Typhoon to Brickstorm, Chinese cyberespionage groups have swept over governments and critical infrastructure operators with stealthy and durable campaigns. GopherWhisper resembles those traits but bears no similarity in code, tactics, techniques, and procedures or targeting to any known Chinese threat actor, Eset said.
Chinese threat actors are typically known to swap tools and know-how in a hacking scene dominated by intersecting private contractors and businesses, whose leaders turned an interest in "patriotic hacking" in the late 1990s and early 2000s into a career breaking into foreign networks (see: Chinese Hackers' Evolution From Vandals to Strategists).
But researchers said they are certain about the Chinese provenance of the threat actor. The hackers set their locale in Slack metadata to zh-CN, denoting China, and, based on their messaging patterns, worked during normal Chinese time zone business hours.
The plethora of messages - researchers recovered more than 9,000 of them - showed an operator using a virtual machine based on VMware, and that the machine had been booted and installed during the Chinese working day.
One backdoor, called RatGopher, published "Hello, everyone!\nI'm coming!" to a Discord channel after initialization.
Another backdoor - this one dubbed BoxOfFriends, despite it also being written in Go - created a new draft email in Microsoft Outlook as a way of notifying operators that it was ready. Different emails in the address field signified different commands. Seth912@outlook.com sent heartbeat intervals, while Jared962@outlook.com was used to break down large files into manageable chunks for exfiltration.
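The operational lesson of this case is that hard-coded collaboration-platform credentials are a detection opportunity for defenders. The following added example (not Eset's tooling and not code from the GopherWhisper samples) is a small triage script that pulls printable strings out of a binary and flags the kind of artifacts the article describes: Slack and Discord API references and token formats, the file.io exfiltration host, the two Outlook sentinel addresses named above, and a "Go build ID:" marker as a cheap hint that the file is a Go binary. The token regexes follow the public Slack and Discord formats; the sample blob is constructed for the demo.

```python
import re
from typing import Dict, List

# Heuristic patterns. The Slack "xox?-" prefix and the Discord webhook URL shape
# are the documented public formats; the Outlook addresses are the two the
# article names; "Go build ID:" is assumed here as an is-this-Go hint, not proof.
PATTERNS: Dict[str, re.Pattern] = {
    "slack_token": re.compile(rb"xox[abpr]-[0-9A-Za-z-]{10,}"),
    "discord_webhook": re.compile(
        rb"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+"
    ),
    "slack_api": re.compile(rb"https://slack\.com/api/"),
    "discord_api": re.compile(rb"https://discord(?:app)?\.com/api/"),
    "file_io": re.compile(rb"https://(?:www\.)?file\.io"),
    "outlook_sentinel": re.compile(rb"(?:Seth912|Jared962)@outlook\.com", re.I),
    "go_build_id": re.compile(rb"Go build ID:"),
}

def extract_strings(blob: bytes, min_len: int = 8) -> List[bytes]:
    """Return printable-ASCII runs of at least min_len bytes (like strings(1))."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)

def find_hardcoded_c2(blob: bytes) -> Dict[str, List[str]]:
    """Map each pattern name to the distinct strings that matched it."""
    hits: Dict[str, List[str]] = {}
    for s in extract_strings(blob):
        for name, pat in PATTERNS.items():
            for m in pat.findall(s):  # patterns use only non-capturing groups
                val = m.decode("ascii", "replace")
                if val not in hits.setdefault(name, []):
                    hits[name].append(val)
    return hits

def triage_verdict(hits: Dict[str, List[str]]) -> str:
    """Collapse hits into a verdict: an embedded secret outranks a mere API reference."""
    if "slack_token" in hits or "discord_webhook" in hits:
        return "hardcoded-credential"
    if any(k in hits for k in ("slack_api", "discord_api", "outlook_sentinel", "file_io")):
        return "collab-c2-indicator"
    return "clean"

# Constructed sample blob padded with NULs; not a real GopherWhisper sample.
SAMPLE = (b"\x00" * 16 + b"Go build ID: \"constructed\"\x00"
          + b"https://slack.com/api/chat.postMessage\x00"
          + b"xoxb-000000000000-000000000000-constructedtokenvalue\x00"
          + b"Hello, everyone!\\nI'm coming!\x00" + b"\x00" * 16)

if __name__ == "__main__":
    found = find_hardcoded_c2(SAMPLE)
    print(triage_verdict(found), found)
```

Run it over files from a suspect host to triage, and treat any "hardcoded-credential" verdict as a lead for revoking the token with the platform and pivoting on the workspace or channel it unlocks.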
A list of indicators of compromise and GopherWhisper samples can be found on the Eset GitHub repository.