Dark Reading
China's Webworm Uses Discord, Microsoft Graph to Hack EU Governments
A persistent threat actor aligned with China, known as Webworm, is actively targeting governmental entities across Europe, employing innovative command-and-control (C2) mechanisms.
Recently, security vendor ESET released findings that highlight the latest activities attributed to Webworm, an APT group which was initially reported in 2022. Although the group started its operations focusing on targets in Asia, it has recently redirected its efforts toward European governmental organizations located in Belgium, Italy, Serbia, Spain, and Poland, with additional activities reported in South Africa.
The research primarily examines Webworm's operational activities from early 2024 to early 2025 and explores the evolution of its tactics, techniques, and procedures (TTPs) since 2022. Initially, Webworm utilized well-known malware families such as McRat and Trochilus; however, there has been a noticeable shift towards the adoption of both established and bespoke proxy tools. Notably, in 2024, Webworm leveraged "legitimate or semi-legitimate tools, including SOCKS proxies (SoftEther VPN) and other networking solutions."
One limitation of well-known malware is that it leaves recognizable signatures, artifacts, and traffic patterns, which makes it easier for defenders to detect. Proxy tools, by contrast, are network tunneling utilities that operate as intermediaries between the victim and the attacker. This approach is more labor-intensive, since the attacker has to supply and maintain their own tooling, but it is considerably stealthier than a conventional backdoor.
In 2025, Webworm expanded its toolkit by introducing two new backdoors. The first, EchoCreep, utilizes the widely-used chat application Discord for command and control. The second, GraphWorm, capitalizes on the Microsoft Graph API for its C2 functionality. Additionally, ESET observed that Webworm has been staging malware and tools in GitHub repositories, allowing for straightforward download of malware onto compromised devices.
Webworm's Discord and Microsoft Graph C2
Webworm continues the trend observed in recent cyber threats, leveraging novel methods of establishing command and control. Creative C2 mechanisms emerging over the past couple of years have included platforms such as Google Calendar and the Solana blockchain.
ESET's attribution of Webworm activities was largely informed by their analysis of decrypted Discord messages utilized by EchoCreep for C2 communication, which led to the discovery of a GitHub repository and an associated IP address consistent with known Webworm infrastructure.
For 2025, the research finds that Webworm appears to have phased out Trochilus and McRat in favor of the newly developed backdoors. The group continues to rely on proxy tools to encrypt its traffic and to bridge internal hosts to external infrastructure. These range from simple port forwarding and the open-source tool iox to custom solutions such as ChainWorm, SmuxProxy, WormFrp, and WormSocket.
"We believe that the operators leverage these tools alongside SoftEther VPN to obscure their tracks and enhance the stealth of their operations. All Webworm proxies and VPN services correspond to cloud servers operated by Vultr and IT7 Networks. Given the variety and complexity of its proxy tools, Webworm may be expanding a more extensive concealed network by enticing victims to run its proxies."
Turning to the new backdoors, ESET's analysis of 400 Discord messages shows that EchoCreep uses the chat service to upload files, send runtime reports, and receive instructions, communicating through crafted HTTP requests to Discord's API. GraphWorm, for its part, uses OneDrive endpoints reached through the Microsoft Graph API to pick up new tasks and upload data from compromised victims.
Distinct Discord servers are allocated for each victim of EchoCreep, while a separate OneDrive directory is designated for each GraphWorm victim.
Webworm has also begun using its custom proxy tool WormFrp to fetch its configuration from a compromised Amazon S3 bucket, another sign of how actively the group refines its tradecraft.
How Organizations Can Get in Front of Webworm
The initial access vector, along with much of the attack chain, remains somewhat ambiguous. Webworm employs open-source vulnerability scanners to probe web server files and directories in search of vulnerabilities within a target’s network. This suggests that Webworm may be exploiting exposures in the victims' environments, subsequently deploying backdoors after gaining access.
The researchers note that while the motivation behind China's interest in European targets cannot be conclusively determined, Webworm appears to be identifying pivot points or points of initial access from which to delve deeper into networks "for the purpose of conducting espionage."
To bolster defenses against Webworm, two action items are proposed for European organizations. Primarily, organizations should prioritize system patching and minimizing asset exposure, given that vulnerability discovery appears to be a significant focal point for Webworm. Secondly, organizations should scrutinize communication activities emerging from non-standard processes and applications directed toward endpoints such as Discord, Microsoft Graph, or S3.
"It is crucial for organizations to remain vigilant regarding data transfers to these endpoints," particularly when assessing whether such transfers align with standard operational workflows.
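The second action item above, put into code. This is an added example written for this article, not ESET's or Dark Reading's code: it scans JSON egress events (one per line, as an EDR or proxy might emit them) and flags processes that are not expected to talk to Discord, Microsoft Graph, or S3, plus any process whose outbound volume to one of those families warrants a look. The log field names, the hostname patterns, the allow-list of expected processes, and the upload threshold are all assumptions to adapt to your own telemetry; the sample events are constructed.

```python
"""Flag unexpected processes talking to Discord, Microsoft Graph or S3.

Added example, not ESET's or Dark Reading's code. The log format, hostname
patterns, allow-list and threshold are assumptions for illustration; the
sample log lines are constructed, not real telemetry.
"""
import json
import re
from collections import defaultdict

# Hostname patterns for the three endpoint families named in the article.
# Assumed for illustration; the real services answer on more hostnames than
# this, so extend the patterns from your own proxy logs.
DEST_FAMILIES = {
    "discord": re.compile(r"^(.+\.)?(discord\.com|discordapp\.com)$", re.I),
    "msgraph": re.compile(r"^graph\.microsoft\.com$", re.I),
    "s3": re.compile(r"^(.+\.)?s3([.-][a-z0-9-]+)?\.amazonaws\.com$", re.I),
}

# Processes expected to talk to each family. This allow-list is an
# assumption; build yours from a baseline of your own fleet.
EXPECTED_PROCESSES = {
    "discord": {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
    "msgraph": {"onedrive.exe", "outlook.exe", "ms-teams.exe",
                "chrome.exe", "msedge.exe", "firefox.exe"},
    "s3": {"backupagent.exe"},
}

# Even an expected process is flagged for review above this much outbound
# data to one family (assumed threshold: 5 MiB).
UPLOAD_REVIEW_BYTES = 5 * 1024 * 1024


def watched_family(dest_host):
    """Return the endpoint family a destination hostname belongs to, or None."""
    for family, pattern in DEST_FAMILIES.items():
        if pattern.match(dest_host):
            return family
    return None


def analyze(log_lines):
    """Parse JSON-per-line egress events and return a list of alert dicts."""
    alerts = []
    upload_totals = defaultdict(int)  # (host, process, family) -> bytes_out
    for raw in log_lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        family = watched_family(ev["dest"])
        if family is None:
            continue  # not one of the endpoint families we care about
        proc = ev["process"].lower()
        upload_totals[(ev["host"], proc, family)] += int(ev.get("bytes_out", 0))
        if proc not in EXPECTED_PROCESSES[family]:
            alerts.append({
                "reason": "unexpected_process",
                "host": ev["host"],
                "process": proc,
                "family": family,
                "dest": ev["dest"],
                "path": ev.get("path", ""),
            })
    # Volume check runs after the pass so repeated small uploads add up.
    for (host, proc, family), total in upload_totals.items():
        if total > UPLOAD_REVIEW_BYTES:
            alerts.append({
                "reason": "large_upload",
                "host": host,
                "process": proc,
                "family": family,
                "bytes_out": total,
            })
    return alerts


# Constructed sample events (not real telemetry). Field names are assumptions.
SAMPLE_LOG = """
{"host": "ws-01", "process": "Discord.exe", "dest": "discord.com", "path": "/api/v9/users/@me", "bytes_out": 512}
{"host": "srv-web-02", "process": "svchost.exe", "dest": "discord.com", "path": "/api/v10/channels/1234/messages", "bytes_out": 2048}
{"host": "ws-01", "process": "OneDrive.exe", "dest": "graph.microsoft.com", "path": "/v1.0/me/drive/root/children", "bytes_out": 300}
{"host": "srv-web-02", "process": "w3wp.exe", "dest": "graph.microsoft.com", "path": "/v1.0/me/drive/root:/tasks:/content", "bytes_out": 4096}
{"host": "srv-web-02", "process": "svchost.exe", "dest": "bucket.s3.eu-west-1.amazonaws.com", "path": "/cfg/config.json", "bytes_out": 200}
{"host": "ws-03", "process": "chrome.exe", "dest": "cdn.discordapp.com", "path": "/attachments/1/2/archive.zip", "bytes_out": 20000000}
{"host": "ws-01", "process": "Outlook.exe", "dest": "www.example.com", "path": "/", "bytes_out": 100}
""".strip().splitlines()


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, the three hits worth a tier-1 look are a service host and an IIS worker process on a web server talking to the Discord and Graph APIs and to an S3 bucket, which is the shape of the activity the article describes (a backdoor on a server that has no business with chat or personal OneDrive). The browser upload to Discord is flagged only for volume and may well be benign; that is the "does this match a normal workflow" judgment the quote above calls for. The allow-list is the weak point of any such rule: a backdoor that injects into a browser process passes it, so pair this with process-integrity telemetry rather than treating it as a complete control.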