China-linked spies named 'GopherWhisper' targeted Mongolian government using Slack, Discord, and Outlook drafts as their command channel

ESET disclosed GopherWhisper, a previously undocumented China-linked spy group active since at least November 2023 and targeting Mongolian government systems. The group's defining trick: instead of building its own command-and-control servers, it sends instructions through ordinary cloud services - private Slack channels, Discord servers, Outlook draft email folders, and the file.io file-sharing service. Because the malware traffic looks like normal Slack and Discord usage, network monitoring tools largely ignore it. ESET extracted thousands of operator messages from the attackers' own Slack and Discord workspaces, and even found a 'How to write RATs.txt' file in their Downloads folder.

Check

Audit which corporate endpoints have outbound access to slack.com, discord.com, graph.microsoft.com, and file.io without a clear business reason.

Affected

Organizations with operations in Mongolia or staff working on Indo-Pacific affairs. More broadly: any environment where outbound HTTPS to Slack, Discord, Microsoft Graph, or file.io is allowed by default - which is most corporate networks. Build servers, jump hosts, and developer machines are at acute risk because they need outbound HTTPS but have no business reason to talk to Slack or Discord.

Fix

Restrict outbound HTTPS to Slack, Discord, and file.io to only endpoints with a documented business reason. Alert on outbound traffic to those services from servers and developer machines that shouldn't be using them. In Microsoft 365, audit OAuth grants and alert on draft email creation in unfamiliar mailboxes. Block file.io entirely if you have no use case. ESET's GitHub repo lists the indicators.