
China's Webworm Uses Discord, Microsoft Graph to Hack EU Governments
Why It Matters
The use of mainstream collaboration platforms for C2 makes detection harder, raising the risk of prolonged espionage against critical European infrastructure. Organizations must reassess monitoring of non‑traditional traffic to mitigate a sophisticated, state‑backed threat.
Key Takeaways
- Webworm targets EU government agencies with Discord‑based C2
- GraphWorm leverages Microsoft Graph/OneDrive for command traffic
- Proxy chain runs on Vultr and IT7 cloud servers
- ESET recommends patching and monitoring Discord/Graph activity
Pulse Analysis
Webworm’s geographic shift underscores a broader trend of Chinese‑aligned threat actors refocusing on high‑value European assets. After years of exploiting well‑known malware families, the group now relies on legitimate‑looking services—Discord and Microsoft Graph—to hide command‑and‑control traffic amid everyday corporate communications. This evolution mirrors recent campaigns that have weaponized cloud‑based collaboration tools, complicating traditional network‑based detection and forcing defenders to incorporate application‑layer analytics.
Technically, EchoCreep embeds malicious payloads within Discord messages, using the platform’s API to upload files, relay runtime reports, and receive commands. Each victim operates on a distinct Discord server, limiting cross‑victim correlation. GraphWorm, by contrast, taps OneDrive endpoints via the Microsoft Graph API, pulling job files and exfiltrating data through seemingly benign cloud storage calls. Both backdoors sit behind a sophisticated proxy infrastructure that includes SoftEther VPN, WormFrp, and custom tunneling tools, all hosted on cloud providers like Vultr. This layered approach encrypts traffic, masks attacker IPs, and creates a resilient “hidden network” that can persist even if a single proxy is taken down.
For security teams, the key takeaway is to broaden monitoring beyond traditional ports and signatures. Continuous patch management, reduction of exposed attack surfaces, and strict egress filtering for services such as Discord, Microsoft Graph, and Amazon S3 are essential. Behavioral analytics that flag abnormal file transfers or API calls to these platforms can provide early warning of a Webworm intrusion. As state‑sponsored espionage groups continue to weaponize everyday SaaS tools, organizations must adopt a zero‑trust mindset that scrutinizes every outbound connection, regardless of its perceived legitimacy.
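The behavioral analytics the last two paragraphs call for can start with something as plain as egress proxy logs. The script below is an added example, not code from the article or from ESET: it groups proxy events by source host and destination platform, then flags hosts whose requests to the Discord API or Microsoft Graph arrive at near-constant intervals, the clockwork polling a job-fetching backdoor leaves behind, and reports how many bytes that host pushed out in POST/PUT requests as a rough exfiltration indicator. The log format, host names, channel IDs and user agents are all constructed for the example; the only things taken from the text are the two platform domains.

```python
"""Flag beacon-like traffic to collaboration-platform APIs in egress proxy logs.

Added example (not from the article or ESET): per (source host, platform),
measure how regular the inter-request gaps are; a coefficient of variation
near zero means something is polling on a timer rather than a human clicking.
"""
from __future__ import annotations

import re
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlparse

# Domains the article names as C2 carriers; the label mapping is this example's own.
WATCHED_DOMAINS = {
    "discord.com": "Discord API",
    "graph.microsoft.com": "Microsoft Graph",
}

# Assumed log format (constructed for this example):
# <ISO-8601 time> <source host> <method> <url> <bytes sent> "<user agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<sent>\d+) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: one workstation polls a Discord channel every 60 s and
# posts data back; the other two show ordinary, irregular use of the same platforms.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z ws-finance-07 POST https://discord.com/api/v10/channels/111/messages 2048 "Mozilla/5.0 rust-client"
2024-05-01T09:01:00Z ws-finance-07 GET https://discord.com/api/v10/channels/111/messages 512 "Mozilla/5.0 rust-client"
2024-05-01T09:02:00Z ws-finance-07 GET https://discord.com/api/v10/channels/111/messages 512 "Mozilla/5.0 rust-client"
2024-05-01T09:03:00Z ws-finance-07 POST https://discord.com/api/v10/channels/111/messages 4096 "Mozilla/5.0 rust-client"
2024-05-01T09:04:00Z ws-finance-07 GET https://discord.com/api/v10/channels/111/messages 512 "Mozilla/5.0 rust-client"
2024-05-01T09:00:10Z ws-hr-02 GET https://graph.microsoft.com/v1.0/me/drive/root/children 900 "Mozilla/5.0 (Windows NT 10.0) Edge/124"
2024-05-01T09:37:42Z ws-hr-02 PUT https://graph.microsoft.com/v1.0/me/drive/root:/report.docx:/content 65000 "Mozilla/5.0 (Windows NT 10.0) Edge/124"
2024-05-01T09:00:05Z ws-dev-11 GET https://discord.com/api/v10/gateway 300 "Discord/1.0.9"
2024-05-01T09:15:00Z ws-dev-11 GET https://discord.com/api/v10/users/@me 300 "Discord/1.0.9"
"""


@dataclass
class Event:
    ts: datetime
    host: str
    method: str
    domain: str
    path: str
    sent: int


@dataclass
class Finding:
    host: str
    platform: str
    events: int
    interval_cv: float   # coefficient of variation of request gaps; ~0 means timer-driven polling
    bytes_uploaded: int  # bytes sent in POST/PUT/PATCH requests, a rough exfiltration indicator


def parse_line(line: str) -> Event | None:
    """Parse one proxy log line in the assumed format; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    url = urlparse(m["url"])
    return Event(
        ts=datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        host=m["host"],
        method=m["method"],
        domain=url.hostname or "",
        path=url.path,
        sent=int(m["sent"]),
    )


def interval_cv(times: list[datetime]) -> float:
    """Std-dev / mean of the gaps between sorted timestamps; inf when too few gaps to judge."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return float("inf")
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean > 0 else 0.0


def analyze(log_text: str, min_events: int = 4, max_cv: float = 0.2) -> list[Finding]:
    """Return one Finding per (host, platform) whose request timing looks like a beacon."""
    groups: dict[tuple[str, str], list[Event]] = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev.domain in WATCHED_DOMAINS:
            groups[(ev.host, ev.domain)].append(ev)

    findings: list[Finding] = []
    for (host, domain), events in groups.items():
        if len(events) < min_events:
            continue  # too few samples to say anything about regularity
        events.sort(key=lambda e: e.ts)
        cv = interval_cv([e.ts for e in events])
        if cv <= max_cv:
            findings.append(Finding(
                host=host,
                platform=WATCHED_DOMAINS[domain],
                events=len(events),
                interval_cv=round(cv, 3),
                bytes_uploaded=sum(e.sent for e in events if e.method in {"POST", "PUT", "PATCH"}),
            ))
    return sorted(findings, key=lambda f: (f.host, f.platform))


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.host}: {f.events} requests to {f.platform}, "
              f"interval CV {f.interval_cv}, {f.bytes_uploaded} bytes uploaded")
```

Against the constructed sample, only `ws-finance-07` is flagged: five Discord API requests exactly 60 seconds apart with 6144 bytes posted back, while the OneDrive and Discord-client hosts produce too few, too irregular events. In production the thresholds need a per-host baseline (real Discord and OneDrive clients also poll), and the `bytes_uploaded` figure is most useful when compared against the host's history rather than as an absolute cutoff.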