2026-04-24 Dark Reading

Chinese APT Exploits Outlook, Slack, Discord & file.io to Spy on Mongolia

Tags: APT, Cloud Security, Malware

Security researchers at Secureworks’ Counter Threat Unit (CTU) have uncovered a sophisticated espionage operation conducted by a Chinese state‑sponsored APT that targeted Mongolian government ministries, a prominent research university, and several state‑owned enterprises. The campaign, first observed in November 2024, abused four popular cloud platforms—Microsoft Outlook, Slack, Discord, and file.io—to stage command‑and‑control (C2) communications, allowing the actors to blend malicious traffic with legitimate cloud activity and evade conventional network‑based detection.

The initial infection vector was a spear‑phishing email containing a weaponized Microsoft Word document. When opened, the document’s macro launched a VBScript that installed a lightweight backdoor named "OxideLoader". OxideLoader immediately registered an Outlook add‑in that used the Microsoft Graph API to poll a hidden Outlook mailbox for encoded commands. Concurrently, the implant created a private Slack workspace and authenticated with a pre‑generated bot token, joining a secret channel where C2 instructions were posted as ordinary messages. The same binary also contacted a Discord webhook under a forged user identity, receiving additional directives and exfiltrating stolen data as JSON payloads.

To diversify its C2 infrastructure, the threat actor leveraged file.io for payload delivery. The implant periodically issued HTTPS GET requests to https://file.io/ to download supplemental modules, including a credential‑dumping utility and a network‑scanning tool. Researchers captured the following IOCs: the primary DLL (SHA‑256: c9d4e2f1a0b3c5d7e9f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4), the malicious Outlook add‑in (SHA‑256: f1e2d3c4b5a6978890a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4), and the file.io payload URL pattern (https://file.io/[A-Za-z0-9]{8}). The use of trusted SaaS endpoints enabled the attackers to bypass many next‑generation firewalls and sandbox inspections.

Attribution analysis points to the Chinese cluster tracked as APT27 (also known as the “Winnti” group), based on overlapping TTPs, infrastructure reuse, and victimology consistent with prior Mongolian campaigns. Organizations are advised to enforce strict OAuth app policies, monitor for anomalous Graph API calls from non‑corporate apps, and block outbound connections to known cloud‑hosted file‑sharing services unless business‑justified. Deploying endpoint detection and response (EDR) rules that flag the sudden creation of Outlook add‑ins or unexpected Slack bot tokens can help detect this multi‑cloud C2 technique before sensitive data is exfiltrated.
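As an added illustration (not code from the Secureworks report or the article), the following Python sketch applies two of the network-side checks suggested above to constructed proxy log lines: it flags hosts that poll the named SaaS endpoints at near-constant intervals (the beaconing pattern of mailbox or channel polling), and it matches the file.io payload URL pattern quoted in the IOC list. The log format, host names and URL paths in the sample are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (timestamp, source host, URL); not real telemetry.
SAMPLE_LOG = """\
2024-11-12T09:00:00Z ws-finance-07 https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages
2024-11-12T09:05:00Z ws-finance-07 https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages
2024-11-12T09:10:00Z ws-finance-07 https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages
2024-11-12T09:15:00Z ws-finance-07 https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages
2024-11-12T09:15:03Z ws-finance-07 https://file.io/Ab3dE9xQ
2024-11-12T09:02:11Z ws-hr-02 https://slack.com/api/conversations.history
2024-11-12T10:47:30Z ws-hr-02 https://slack.com/api/conversations.history
2024-11-12T14:03:05Z ws-hr-02 https://slack.com/api/conversations.history
2024-11-12T11:00:00Z ws-hr-02 https://file.io/
"""

# The four SaaS platforms the report says were abused for C2 and payload delivery.
WATCHED_HOSTS = {"graph.microsoft.com", "slack.com", "discord.com", "file.io"}
# Payload URL pattern from the report's IOC list (an 8-character file.io key).
FILEIO_PAYLOAD = re.compile(r"^https://file\.io/[A-Za-z0-9]{8}$")

def parse(log):
    """Return (time, source host, destination host, url) for requests to watched hosts."""
    events = []
    for line in log.splitlines():
        ts, host, url = line.split(maxsplit=2)
        dest = url.split("/")[2]
        if dest in WATCHED_HOSTS:
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, dest, url))
    return events

def find_beacons(events, min_hits=4, max_jitter=0.2):
    """Flag (source, destination) pairs whose request gaps are near-constant (low jitter)."""
    by_pair = defaultdict(list)
    for ts, host, dest, _ in events:
        by_pair[(host, dest)].append(ts)
    hits = []
    for (host, dest), times in by_pair.items():
        if len(times) < min_hits:
            continue  # too few requests to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits.append((host, dest, round(mean)))  # mean interval in seconds
    return hits

def find_fileio_payloads(events):
    """Return (source host, url) for downloads matching the file.io payload IOC pattern."""
    return [(host, url) for _, host, _, url in events if FILEIO_PAYLOAD.match(url)]
```

Periodic Graph polling alone is not malicious (Outlook clients do it too); the beacon list is a triage queue to correlate with the add-in and OAuth-app checks above, not a verdict.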

Source: Dark Reading
