
Chinese APT Group Abuses Multiple Cloud Tools to Conduct Cyber Espionage Against Mongolia

Security researchers have uncovered a China-linked APT group leveraging multiple cloud service tools — including Microsoft Outlook, Slack, Discord, and file.io — to build covert command-and-control channels for conducting long-term cyber espionage operations against Mongolia.

Multiple Cloud Tools Weaponized for Espionage

Cybersecurity researchers have recently disclosed an advanced persistent threat (APT) campaign targeting Mongolia. According to the report, a China-linked threat actor has skillfully "weaponized" several mainstream cloud service tools, leveraging Microsoft Outlook, Slack, Discord, and file.io to build a multi-layered command-and-control (C2) infrastructure to support its cyber espionage operations.

The core strategy behind this approach is to provide the attackers with abundant C2 communication options — even if one channel is identified and blocked by security teams, they can maintain persistent control over target systems through alternative channels.

Abusing Legitimate Cloud Platforms to Evade Detection

The APT group's tactics demonstrate a high degree of technical sophistication. All four tools abused by the attackers are legitimate commercial services widely used across the globe:

  • Microsoft Outlook: Utilizing its email API as the primary C2 communication channel, with commands hidden within normal email traffic, making them extremely difficult for traditional security appliances to detect
  • Slack: Leveraging the enterprise collaboration platform's API to transmit exfiltrated data and receive remote commands
  • Discord: Using Webhook or Bot mechanisms to distribute attack payloads and relay status updates
  • file.io: Exploiting the temporary file-sharing service for data exfiltration, with files automatically deleted after download, effectively eliminating forensic traces

This "Living-off-Trusted-Sites" (LOTS) strategy has become a common tactic among advanced threat groups in recent years. Since these cloud platforms are essential tools for daily enterprise operations, their network traffic is typically whitelisted by default in security policies, allowing the attackers' malicious communications to blend seamlessly into legitimate business traffic.

Multi-Channel Redundancy Design Enhances Attack Resilience

Security experts note that the most notable feature of this campaign is the "redundancy design" of its C2 architecture. Traditional APT operations typically rely on a single or limited number of C2 servers, risking the collapse of the entire attack chain once discovered. In this campaign, however, the threat actor simultaneously deployed four different cloud services as backup channels, a strategy that delivers multiple advantages:

First, it significantly enhances the persistence of the operation. Even if security teams successfully block one channel, the attackers can seamlessly switch to other platforms to continue their activities. Second, it increases the difficulty of tracing and attribution. Fragments of malicious activity scattered across multiple legitimate platforms make it challenging for security analysts to piece together the full picture of the attack. Third, it reduces the probability of anomalous traffic on any single platform triggering alerts, as malicious communications are distributed across multiple channels.

A Wake-Up Call for Cloud Security Defense

This incident once again highlights the deep-seated challenges facing the cloud security landscape. As AI technology advances rapidly, the growing variety of cloud collaboration tools and API interfaces continues to expand the "legitimate cover" available to attackers.

For enterprise security teams, traditional defense approaches based on blacklists and signature detection are no longer sufficient to counter such threats. The future demands greater reliance on AI-driven behavioral analysis technologies to perform deep modeling of cloud service API call patterns and data transfer behaviors, identifying anomalous patterns hidden within normal traffic.
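As an added illustration of the behavioral modeling described above (example code written for this article, not taken from the researchers' report), the script below reads constructed proxy log lines and flags a host that drives two or more of the named services from a non-browser client, or that polls one of them at a near-constant cadence. The hostnames, log layout, user-agent heuristic and thresholds are assumptions and would need tuning to a real environment.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Hostnames for the four services the article names (assumed for this example, not authoritative).
SAAS_C2_CAPABLE = {"graph.microsoft.com": "outlook", "outlook.office.com": "outlook",
                   "slack.com": "slack", "discord.com": "discord", "file.io": "file.io"}
BROWSER_UA = re.compile(r"Mozilla/|Chrome/|Safari/|Edg/")
# Assumed proxy log layout: "<epoch> <src_ip> <dst_host> <method> <user-agent>"
LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (.+)$")

def is_beaconing(timestamps, max_jitter=0.15, min_events=4):
    # Near-constant gaps between requests (low relative std-dev) suggest automated polling.
    if len(timestamps) < min_events:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_jitter

def detect_multi_channel_c2(lines, min_services=2):
    # Flag a source that drives two or more of these services, or beacons to one, from a
    # non-browser client; ordinary browser traffic to the same hosts is expected and skipped.
    seen = defaultdict(lambda: defaultdict(list))  # src -> service -> [timestamps]
    for m in filter(None, (LOG_RE.match(line.strip()) for line in lines)):
        ts, src, host, _method, ua = m.groups()
        if host not in SAAS_C2_CAPABLE or BROWSER_UA.search(ua):
            continue
        seen[src][SAAS_C2_CAPABLE[host]].append(int(ts))
    findings = {}
    for src, services in seen.items():
        beacons = sorted(s for s, t in services.items() if is_beaconing(t))
        if len(services) >= min_services or beacons:
            findings[src] = {"services": sorted(services), "beaconing": beacons}
    return findings

# Constructed sample lines (not real telemetry): 10.0.0.5 scripts Outlook every 60 s and then
# touches Discord and file.io; 10.0.0.7 uses Slack/Discord from a browser; 10.0.0.9 makes one call.
SAMPLE_LOGS = [
    "1000 10.0.0.5 graph.microsoft.com POST python-requests/2.31",
    "1060 10.0.0.5 graph.microsoft.com POST python-requests/2.31",
    "1120 10.0.0.5 graph.microsoft.com POST python-requests/2.31",
    "1180 10.0.0.5 graph.microsoft.com POST python-requests/2.31",
    "1200 10.0.0.5 discord.com POST python-requests/2.31",
    "1300 10.0.0.5 file.io POST python-requests/2.31",
    "1005 10.0.0.7 slack.com GET Mozilla/5.0 (Windows NT 10.0) Chrome/120",
    "1010 10.0.0.7 discord.com GET Mozilla/5.0 (Windows NT 10.0) Chrome/120",
    "1500 10.0.0.9 slack.com POST SlackDesktop/4.36",
]
```

Running `detect_multi_channel_c2(SAMPLE_LOGS)` reports only 10.0.0.5, with all three services listed and Outlook marked as beaconing; the browser-driven host and the single desktop-client call are not flagged.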

At the same time, this incident serves as a reminder for major cloud service providers to further strengthen API security auditing and abuse detection mechanisms, building proactive defense capabilities against APT-level threats while maintaining a smooth user experience.

Outlook

As geopolitical tensions persist, the technical methods employed in state-sponsored cyber espionage will continue to evolve. More advanced tactics — such as using AI to automatically generate attack payloads and dynamically switch C2 channels — may become a reality in the near future. The security industry urgently needs to increase investment in AI-powered defensive capabilities to address the increasingly complex APT threat landscape.