Last updated: May 14, 2026 at 10:49 AM UTC
Tag: living-off-the-cloud (2 articles)

New Linux variant of GoGra backdoor uses Microsoft Graph API for stealth C2 - blends in with legitimate Office 365 traffic

Security Affairs covered new research on April 23 documenting a Linux port of the GoGra backdoor, originally seen as Windows-only. The Linux variant retains GoGra's defining feature: it uses the Microsoft Graph API as its command-and-control channel, fetching commands from Outlook drafts in an attacker-controlled Microsoft 365 tenant and writing results back to the same drafts. Because the C2 traffic is HTTPS to graph.microsoft.com - the same endpoint legitimate clients hit constantly - it is invisible to most network-layer detections. The Linux port targets enterprise Linux servers with outbound 443 access to Microsoft cloud services, broadening reach onto build servers and jump hosts.

Check
Audit which Linux servers in your environment have outbound HTTPS access to graph.microsoft.com and restrict it to hosts with a documented Microsoft 365 use case.
Affected
Linux servers with outbound HTTPS access to graph.microsoft.com - in most enterprise networks that means almost all of them, since egress filters routinely allow the entire Microsoft 365 endpoint range by default. Build servers, jump hosts, developer workstations, and Linux-based DMZ services are the highest-value targets because they often hold credentials and source code.
Fix
Restrict graph.microsoft.com egress to only hosts that genuinely need it (mail relays, M365 integrations). On all other Linux hosts, log and alert on outbound graph.microsoft.com connections. In your M365 tenant, enable audit logging for application registrations and OAuth grants and alert on tokens used from unfamiliar IPs. Rotate credentials for any Linux server that had unsanctioned graph.microsoft.com traffic.

China-linked spies named 'GopherWhisper' targeted Mongolian government using Slack, Discord, and Outlook drafts as their command channel

ESET disclosed GopherWhisper, a previously undocumented China-linked spy group active since at least November 2023 and targeting Mongolian government systems. The group's defining trick: instead of building its own command-and-control servers, it sends instructions through ordinary cloud services - private Slack channels, Discord servers, Outlook draft email folders, and the file.io file-sharing service. Because the malware traffic looks like normal Slack and Discord usage, network monitoring tools largely ignore it. ESET extracted thousands of operator messages from the attackers' own Slack and Discord workspaces, and even found a 'How to write RATs.txt' file in their Downloads folder.

Check
Audit which corporate endpoints have outbound access to slack.com, discord.com, graph.microsoft.com, and file.io without a clear business reason.
Affected
Organizations with operations in Mongolia or staff working on Indo-Pacific affairs. More broadly: any environment where outbound HTTPS to Slack, Discord, Microsoft Graph, or file.io is allowed by default - which is most corporate networks. Build servers, jump hosts, and developer machines are at acute risk because they need outbound HTTPS but have no business reason to talk to Slack or Discord.
Fix
Restrict outbound HTTPS to Slack, Discord, and file.io to only endpoints with a documented business reason. Alert on outbound traffic to those services from servers and developer machines that shouldn't be using them. In Microsoft 365, audit OAuth grants and alert on draft email creation in unfamiliar mailboxes. Block file.io entirely if you have no use case. ESET's GitHub repo lists the indicators.
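As an added example (not code from either article, ESET, or Security Affairs), this is the detection logic both Fix sections call for: scan an egress-proxy log for hosts that reach graph.microsoft.com, slack.com, discord.com or file.io without being allowlisted for that service. The log format, host names and allowlist are constructed assumptions.

```python
from collections import Counter

# Cloud services the two articles above describe being abused as C2 channels.
WATCHED_SERVICES = ("graph.microsoft.com", "slack.com", "discord.com", "file.io")
# Hosts with a documented business reason for each service (constructed example).
ALLOWLIST = {"graph.microsoft.com": {"mailrelay01"}}

# Constructed egress-proxy log: "<timestamp> <src_host> <dest_host>:<port> <bytes_out>"
SAMPLE_LOG = """\
2026-05-13T09:01:12Z mailrelay01 graph.microsoft.com:443 5120
2026-05-13T09:02:40Z build07 graph.microsoft.com:443 1480
2026-05-13T09:03:05Z build07 graph.microsoft.com:443 1502
2026-05-13T09:05:17Z jump02 discord.com:443 2210
2026-05-13T09:06:00Z dev-laptop14 files.slack.com:443 8800
2026-05-13T09:07:33Z build07 mirror.corp.example:443 90210
"""

def watched_service(dest_host):
    """Return the watched service a destination belongs to (subdomains included), else None."""
    host = dest_host.lower().rstrip(".")
    for svc in WATCHED_SERVICES:
        if host == svc or host.endswith("." + svc):
            return svc
    return None

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the assumed format."""
    parts = line.split()
    if len(parts) != 4:
        return None
    dest_host, _, port = parts[2].rpartition(":")
    if not (port.isdigit() and parts[3].isdigit()):
        return None
    return {"ts": parts[0], "src": parts[1], "dest": dest_host, "bytes": int(parts[3])}

def find_unsanctioned(log_text, allowlist=ALLOWLIST):
    """Aggregate connections to watched services from hosts not allowlisted for that service."""
    conns, volume = Counter(), Counter()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        svc = watched_service(rec["dest"])
        if svc is None or rec["src"] in allowlist.get(svc, set()):
            continue  # either not a watched service or a sanctioned host
        conns[(rec["src"], svc)] += 1
        volume[(rec["src"], svc)] += rec["bytes"]
    return [{"src": s, "service": v, "connections": n, "bytes": volume[(s, v)]}
            for (s, v), n in sorted(conns.items())]

if __name__ == "__main__":
    for a in find_unsanctioned(SAMPLE_LOG):
        print(f"ALERT {a['src']} -> {a['service']}: {a['connections']} connections, {a['bytes']} bytes out")
```

Feed it your real proxy or firewall export after adapting parse_line to that format; the per-host byte totals help separate a one-off lookup from a server that polls a mailbox every few seconds.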