
Apr 25, 2026 · 6 min read

A Chinese Spy Group Hid Commands Inside Outlook Draft Emails—They Were Never Sent

ESET researchers discovered GopherWhisper, a China-aligned espionage group that uses unsent Outlook email drafts, Slack channels, and Discord servers to control malware planted in government networks. The researchers recovered more than 9,000 attacker messages (6,044 from Slack and 3,005 from Discord) and mapped an entire custom Go-based toolkit.


The Draft Folder as a Weapon

Most email-based attacks involve messages that get delivered: phishing links, malicious attachments, credential-harvesting pages. GopherWhisper weaponizes email without sending a single message. The group's custom backdoor, BoxOfFriends, authenticates to Microsoft 365 and uses the Microsoft Graph mail API to create draft emails in an attacker-controlled Outlook account. Commands go into the drafts; results come back as edits to those same drafts. Nothing is ever submitted for delivery, so secure email gateways, outbound DLP, and anything else that inspects mail flow never see the exchange. What does cross the network is HTTPS to Microsoft's Graph endpoint, which is indistinguishable from ordinary Outlook client traffic unless the mailbox audit logs are examined.

ESET researchers dated the creation of that Outlook account to July 11, 2024, just 11 days before the first malware was deployed on target systems. The account's credentials were hard-coded directly in the BoxOfFriends binary, a rare operational slip that gave researchers a window into the operation.

Slack and Discord as Backup Channels

Outlook drafts were not the only communication channel. GopherWhisper operated at least two additional backdoors that used mainstream collaboration platforms. LaxGopher retrieved commands through private Slack channels, while RatGopher used Discord servers. Both are Go-based tools that execute commands through the Windows command line and return the output through the same platforms.

The use of legitimate cloud services for command and control is not new, but the breadth of GopherWhisper's approach is notable. By running operations across Outlook, Slack, and Discord at the same time, the group ensures that blocking any single service does not sever its access to compromised networks; a defender who blocks only Discord, say, has evicted no one.

ESET identified API tokens and credentials for all three services in the malware samples and used them to access the attackers' own infrastructure. They recovered 6,044 Slack messages and 3,005 Discord messages documenting command and control activity. The timestamps clustered between 8 AM and 5 PM in UTC+8, consistent with working hours in China.
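Hard-coded tokens of this kind are also what a responder should hunt for in a suspect binary. The following Python is an added example, not ESET's tooling or anything recovered from a GopherWhisper sample: it scans a byte blob for Go build markers and for strings shaped like Slack and Discord tokens. The token regexes, the Go markers, and the sample "binary" are all constructed assumptions for illustration; the fake tokens are deliberately invalid.

```python
import re
from typing import Dict, List

# Heuristic token shapes (assumptions for this example, not indicators
# published by ESET): Slack tokens carry an xox?- prefix, Discord bot tokens
# are three base64url segments joined by dots.
TOKEN_PATTERNS = {
    "slack": re.compile(rb"xox[abprs]-[0-9A-Za-z-]{10,}"),
    "discord": re.compile(rb"[MN][A-Za-z0-9_-]{23,}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27,}"),
}
# Strings that a statically linked Go binary almost always contains.
GO_MARKERS = (b"Go build ID:", b"runtime.gopanic", b"go1.")


def looks_like_go(blob: bytes) -> bool:
    """Cheap Go-binary check: any of the usual runtime/buildinfo markers present."""
    return any(marker in blob for marker in GO_MARKERS)


def find_embedded_tokens(blob: bytes) -> Dict[str, List[str]]:
    """Return every token-shaped string per service, de-duplicated and sorted."""
    found: Dict[str, List[str]] = {}
    for service, pattern in TOKEN_PATTERNS.items():
        hits = sorted({m.group(0).decode("ascii", "replace") for m in pattern.finditer(blob)})
        if hits:
            found[service] = hits
    return found


def redact(token: str) -> str:
    """Keep only the prefix so a report can be shared without leaking a live key."""
    return token[:8] + "..."


def triage(blob: bytes) -> dict:
    """Combine both signals: a Go binary carrying chat-platform tokens is worth a look."""
    tokens = find_embedded_tokens(blob)
    return {
        "is_go": looks_like_go(blob),
        "tokens": tokens,
        "suspicious": looks_like_go(blob) and bool(tokens),
    }


def scan_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return triage(fh.read())


# Constructed stand-in for a suspect sample: an ELF header, Go markers, the
# API hosts a Slack/Discord backdoor would talk to, and two obviously fake
# tokens. Nothing here is from a real GopherWhisper sample.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"Go build ID: \"deadbeefcafef00d\"\x00"
    + b"runtime.gopanic\x00"
    + b"https://slack.com/api/conversations.history\x00"
    + b"xoxb-000000000000-000000000000-FAKEFAKEFAKEFAKEFAKEFAKE\x00"
    + b"https://discord.com/api/v10/channels\x00"
    + b"MTIzNDU2Nzg5MDEyMzQ1Njc4OTA.Xyz123.abcdefghijklmnopqrstuvwxyz0\x00"
)

if __name__ == "__main__":
    result = triage(SAMPLE_BINARY)
    for service, toks in result["tokens"].items():
        print(service, [redact(t) for t in toks])
    print("go binary:", result["is_go"], "suspicious:", result["suspicious"])
```

Run it against a real sample with scan_file(path); treat a hit as a lead for validation (ESET's pivot into the attackers' channels started from exactly such a token), not as proof of compromise, since legitimate integrations also embed bot tokens.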

The Full Toolkit

GopherWhisper's arsenal includes six primary components, most written in Go:

  • LaxGopher: the primary backdoor, receiving commands via Slack
  • RatGopher: a Discord based backdoor for redundant access
  • BoxOfFriends: the Outlook draft email C2 backdoor
  • CompactGopher: compresses stolen files and exfiltrates them to the file.io sharing service
  • FriendDelivery: a loader that deploys BoxOfFriends onto target systems
  • SSLORDoor: a C++ backdoor using OpenSSL for encrypted communication

The variety of tools suggests a well-resourced operation. Each backdoor provides a different communication channel, so losing one does not mean losing access. CompactGopher handles the final step: compressing whatever the attackers want to steal and uploading it to file.io, a legitimate file-sharing service that automatically deletes files after a set period, so the stolen archive leaves little trace on the service once the operators have collected it.

Who Was Targeted

ESET's telemetry confirmed that GopherWhisper compromised 12 systems within a Mongolian government institution. The specific entity was not named, but Mongolia's position between Russia and China makes its government agencies a natural target for Chinese intelligence collection. Beyond the confirmed Mongolian victim, ESET estimates dozens of additional organizations may be affected based on the volume of command and control traffic observed across the attacker controlled Slack and Discord channels.

The group has been active since at least 2023, with the earliest known infrastructure created in that year. The metadata in their tools contained the locale identifier "zh-CN," further supporting the China alignment assessment.

Why Email Infrastructure Is the Target

GopherWhisper's use of Outlook as a covert channel highlights a broader truth: email infrastructure is not just a target for phishing. It is increasingly the command layer for espionage operations. When attackers control an Outlook account, they can read incoming mail, monitor calendar invitations, and exfiltrate attachments, all while using the Drafts folder to carry commands that never enter the mail transport pipeline and so never meet the gateway controls built around it.

This is not the first time state-sponsored hackers have exploited email systems this way. Russia's APT28 recently exploited Roundcube email servers to read the messages of Ukraine's top anti-corruption prosecutors without requiring a single click from the victims. Both cases show that email platforms are not just delivery mechanisms for attacks; they are themselves the infrastructure through which attacks are orchestrated.

For anyone who relies on cloud email for sensitive communications, the implication is clear: the security of your inbox depends not just on whether you click suspicious links, but on whether your email provider can detect when its own APIs are being used as a covert channel by someone who already has valid credentials.

How Organizations Can Respond

  • Review the Microsoft 365 unified audit log (Exchange mailbox auditing, which also records changes made through Microsoft Graph) for mailboxes that create and update drafts at a steady cadence without a corresponding Send; that pattern is a red flag
  • Hunt for Go binaries with embedded API tokens for Slack, Discord, or Microsoft services; a hard-coded token is both an indicator and, as ESET's work shows, something a responder can pivot on
  • Restrict which applications can call Microsoft 365 APIs: lock down user consent to OAuth apps, review the Graph permissions already granted, and use conditional access to limit non-browser and legacy clients
  • Review Slack and Discord webhook and bot-token configurations in your environment, as these are increasingly used for data exfiltration, and consider egress controls for the Slack and Discord API endpoints from hosts with no business reason to reach them
  • Baseline per-mailbox draft-to-send ratios so that anomaly detection flags accounts with high draft activity but little or no send volume

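The first and last items above are the same detection. As an added example (not ESET's or Microsoft's code), the Python below computes per-mailbox draft-to-send ratios and the regularity of draft activity over audit records shaped like the Exchange mailbox-audit entries in the unified audit log. The field names (UserId, Operation, ClientInfoString, Item.ParentFolder.Path) follow that schema, but the records, accounts, client strings, and thresholds are constructed assumptions for illustration.

```python
import json
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Field names follow Exchange mailbox-audit records in the Microsoft 365 unified
# audit log; the records themselves are constructed, not real telemetry.
DRAFT_OPS = {"Create", "Update"}
SEND_OPS = {"Send", "SendAs", "SendOnBehalf"}


def _record(ts, user, op, folder, client):
    return json.dumps({
        "CreationTime": ts.strftime("%Y-%m-%dT%H:%M:%S"),
        "UserId": user,
        "Operation": op,
        "ClientInfoString": client,
        "Item": {"ParentFolder": {"Path": folder}},
    })


def build_sample_log() -> list:
    """Constructed audit lines: one account polling its Drafts folder every five
    minutes and never sending, and one ordinary user who drafts and sends."""
    t0 = datetime(2025, 1, 10, 1, 0, tzinfo=timezone.utc)
    lines = []
    # Suspicious mailbox: 30 draft create/update operations at a fixed cadence
    # from a REST client (assumed client string), and not one Send.
    for i in range(30):
        lines.append(_record(t0 + timedelta(minutes=5 * i), "svc-backup@contoso.example",
                             "Create" if i % 2 == 0 else "Update", "\\Drafts", "Client=REST;"))
    # Ordinary mailbox: a few irregularly spaced drafts and plenty of sends.
    t = t0
    lines.append(_record(t, "alice@contoso.example", "Create", "\\Drafts", "Client=OWA;"))
    for gap in (7, 13, 41, 9):
        t += timedelta(minutes=gap)
        lines.append(_record(t, "alice@contoso.example", "Create", "\\Drafts", "Client=OWA;"))
    for i in range(12):
        lines.append(_record(t0 + timedelta(minutes=3 * i + 1), "alice@contoso.example",
                             "Send", "\\Sent Items", "Client=OWA;"))
    return lines


def summarize(lines):
    """Per-mailbox counts of Drafts-folder writes and sends, plus client strings."""
    stats = defaultdict(lambda: {"drafts": 0, "sends": 0, "clients": set(), "draft_times": []})
    for line in lines:
        rec = json.loads(line)
        s = stats[rec["UserId"]]
        folder = rec.get("Item", {}).get("ParentFolder", {}).get("Path", "")
        if rec["Operation"] in DRAFT_OPS and folder.lower().endswith("drafts"):
            s["drafts"] += 1
            s["draft_times"].append(datetime.strptime(rec["CreationTime"], "%Y-%m-%dT%H:%M:%S"))
            s["clients"].add(rec.get("ClientInfoString", ""))
        elif rec["Operation"] in SEND_OPS:
            s["sends"] += 1
    return stats


def interval_cv(times):
    """Coefficient of variation of gaps between draft writes; near 0 means
    machine-regular polling, which humans editing drafts do not produce."""
    if len(times) < 3:
        return None
    ts = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean else None


def flag_draft_c2(lines, min_drafts=20, max_send_ratio=0.1):
    """Return mailboxes whose Drafts activity dwarfs their actual sending."""
    flagged = []
    for user, s in summarize(lines).items():
        if s["drafts"] >= min_drafts and s["sends"] <= max_send_ratio * s["drafts"]:
            flagged.append({"user": user, "drafts": s["drafts"], "sends": s["sends"],
                            "clients": sorted(s["clients"]),
                            "interval_cv": interval_cv(s["draft_times"])})
    return sorted(flagged, key=lambda f: f["drafts"], reverse=True)


if __name__ == "__main__":
    for hit in flag_draft_c2(build_sample_log()):
        print(json.dumps(hit))
```

Feed it the JSON lines exported from the unified audit log for a 24-hour window; tune min_drafts to your tenant and treat a low interval_cv together with an unfamiliar client string as the strongest combination, since a mailbox that is edited every five minutes by a non-Outlook client and never sends is behaving like a C2 channel, not a person.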