
China Hackers Using Discord, Microsoft Graph to Target European Governments
Why It Matters
The exploitation of widely trusted collaboration tools gives attackers a stealthy foothold in critical government networks, raising the stakes for EU cyber‑defense and prompting urgent policy and security reforms.
Key Takeaways
- Webworm leverages Discord for command‑and‑control communications
- Attackers abuse Microsoft Graph API to harvest user data
- Campaign now includes EU member states and South Africa
- Threat actors focus on diplomatic and defense ministries
- EU cybersecurity agencies urged to tighten cloud service monitoring
Pulse Analysis
The discovery that a Chinese state‑linked group is exploiting Discord and Microsoft’s Graph API marks a new chapter in cyber‑espionage. While Discord is traditionally a gaming chat platform, its real‑time messaging and low‑cost infrastructure make it attractive for covert command‑and‑control (C2) traffic. Microsoft Graph, the API that stitches together Office 365 data, offers attackers a legitimate channel to enumerate users, extract emails, and move laterally within cloud environments. By piggybacking on these widely trusted services, the actors evade traditional network‑perimeter defenses and blend into normal traffic.
The group, known as Webworm, has stepped beyond its original European foothold to probe ministries across the European Union and South Africa. Intelligence reports show that compromised accounts are used to infiltrate diplomatic, defense and intelligence agencies, where the stolen data can inform Beijing’s geopolitical calculations. Researchers traced malicious payloads to Discord servers that relay commands, while the Graph API abuse enables bulk harvesting of contacts and calendar entries. This dual‑vector approach shortens the dwell time of intruders and complicates attribution, as the same infrastructure can serve multiple campaigns simultaneously.
European cybersecurity agencies are now urging tighter monitoring of SaaS usage and stricter token‑management policies for Microsoft Graph. Organizations should treat Discord traffic as potentially malicious, enforce multi‑factor authentication, and segment privileged accounts from internet‑facing services. The episode underscores a growing pattern where nation‑state actors weaponize legitimate cloud tools to bypass perimeter defenses, a shift that will likely drive new regulations around supply‑chain risk and cloud‑service transparency. Companies that proactively audit third‑party API permissions will be better positioned to detect anomalous activity before sensitive information is exfiltrated.
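The two defensive measures the article recommends, treating Discord traffic as suspect and auditing third‑party Graph API permissions, can both be expressed as simple checks over data an organization already holds. The script below is an added example written for this page, not code from the article or from any of the researchers it cites. The proxy log lines and the list of application permission grants are constructed sample data; the grant field names (`publisher_verified`, `consent`, `scopes`) are assumed, and the scoring weights are an illustrative choice. The Discord hostnames and Microsoft Graph permission names are real.

```python
"""Added example: flag Discord traffic in outbound proxy logs and rank
Microsoft Graph permission grants by exposure (sample data is constructed)."""
import re
from collections import defaultdict

# Constructed outbound proxy log lines (not from the article).
# Layout: timestamp client_ip dst_host request_path bytes_out
PROXY_LOG = """\
2024-05-01T09:12:03Z 10.20.1.15 login.microsoftonline.com /common/oauth2/v2.0/token 812
2024-05-01T09:12:09Z 10.20.1.15 graph.microsoft.com /v1.0/users 1440
2024-05-01T09:13:40Z 10.20.1.15 discord.com /api/v10/channels/111/messages 2310
2024-05-01T09:13:41Z 10.20.1.15 cdn.discordapp.com /attachments/111/222/update.bin 90210
2024-05-01T09:15:02Z 10.20.1.22 www.example.org /index.html 980
2024-05-01T09:16:30Z 10.20.1.22 discord.com /api/webhooks/333/abc 511
"""

# Real Discord service hostnames; traffic to these from hosts with no
# business use of Discord is what the article suggests treating as suspect.
DISCORD_HOSTS = {"discord.com", "discordapp.com", "cdn.discordapp.com", "gateway.discord.gg"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_proxy_line(line):
    """Parse one constructed log line; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, host, path, nbytes = m.groups()
    return {"ts": ts, "client": client, "host": host.lower(), "path": path, "bytes": int(nbytes)}


def flag_discord_traffic(log_text, allowed_clients=frozenset()):
    """Return one finding per client that reaches Discord and is not on the allow list."""
    per_client = defaultdict(lambda: {"requests": 0, "bytes": 0, "paths": []})
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None or rec["host"] not in DISCORD_HOSTS or rec["client"] in allowed_clients:
            continue
        entry = per_client[rec["client"]]
        entry["requests"] += 1
        entry["bytes"] += rec["bytes"]
        entry["paths"].append(rec["host"] + rec["path"])
    findings = []
    for client, entry in sorted(per_client.items()):
        kinds = set()
        for p in entry["paths"]:
            if "/api/webhooks/" in p:
                kinds.add("webhook")          # webhook posts: one-way data push
            elif "/api/" in p:
                kinds.add("api")              # REST API use: channel read/write
            elif p.startswith("cdn.discordapp.com/attachments/"):
                kinds.add("attachment-download")  # file fetched from an attachment
        findings.append({"client": client, "requests": entry["requests"],
                         "bytes": entry["bytes"], "kinds": sorted(kinds)})
    return findings


# Constructed application permission grants, shaped like an admin export of
# consented enterprise applications (field names are assumed for this example).
GRANTS = [
    {"app": "HR Directory Sync", "publisher_verified": True, "consent": "admin",
     "scopes": ["User.Read.All", "Directory.Read.All"]},
    {"app": "Calendar Helper", "publisher_verified": False, "consent": "user",
     "scopes": ["Calendars.Read", "Contacts.Read", "Mail.Read"]},
    {"app": "Meeting Notes", "publisher_verified": True, "consent": "user",
     "scopes": ["User.Read", "offline_access"]},
]

# Real Graph permission names that allow the bulk reads the article describes
# (users, mail, contacts, calendars, files).
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "User.Read.All", "Directory.Read.All",
                    "Contacts.Read", "Calendars.Read", "Files.Read.All"}


def risky_grants(grants):
    """Rank grants by an illustrative score: one point per high-risk scope,
    +2 for an unverified publisher, +1 for user (not admin) consent."""
    findings = []
    for g in grants:
        risky = sorted(s for s in g["scopes"] if s in HIGH_RISK_SCOPES)
        if not risky:
            continue
        score = len(risky) + (0 if g["publisher_verified"] else 2) + (1 if g["consent"] == "user" else 0)
        findings.append({"app": g["app"], "risky_scopes": risky, "score": score})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in flag_discord_traffic(PROXY_LOG):
        print("discord:", f)
    for r in risky_grants(GRANTS):
        print("grant:", r)
```

The Discord check works per client rather than per request so that an allow list of hosts with a legitimate Discord use case can be applied in one place, and the grant review surfaces an unverified, user‑consented app holding mail, contacts and calendar read scopes above an admin‑approved directory sync, which is the kind of third‑party permission the article says organizations should be auditing.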