Webworm APT Uses Discord And Microsoft Graph To Target European Governments

Webworm is abusing trusted cloud services to stealthily target European government networks.


Key Takeaways:

  • Attackers are hiding malware command-and-control traffic inside trusted cloud platforms such as Discord and the Microsoft Graph API, so it terminates at legitimate domains over TLS.
  • Webworm’s stealth-focused tactics show how domain-reputation and blocklist-based security tools can miss modern APT activity.
  • European government networks are increasingly under pressure from long-term, highly adaptive cyber-espionage campaigns.

A China-linked cyber-espionage group called Webworm is intensifying attacks against European government organizations by abusing trusted platforms and unconventional command-and-control techniques to hide in plain sight. This group blends malicious operations with legitimate cloud services and stealthy proxy networks to infiltrate, evade detection, and maintain long-term access to high-value systems.

According to security vendor ESET, Webworm is an advanced persistent threat (APT) group believed to be aligned with China, active since at least 2022, and continuously refining its tools and attack methods over time. This group originally focused on organizations in Asia but has recently expanded its operations, particularly toward European government entities and institutions in other regions, such as South Africa.

New malware tools abuse Discord and Microsoft Graph API

ESET’s research notes that earlier Webworm campaigns relied on popular remote access trojans (RATs), but the group has since moved toward proxy-based tools and lightweight components that are harder to detect. In 2025, Webworm introduced two new malware tools, EchoCreep and GraphWorm, to strengthen its covert operations. EchoCreep uses Discord as a communication channel, allowing attackers to send commands and transfer data through a popular messaging platform. GraphWorm, meanwhile, relies on the Microsoft Graph API to control infected systems and move data via legitimate Microsoft cloud services. Because both tools talk only to legitimate, widely used domains over TLS, their traffic is indistinguishable from normal cloud service usage at the level of destination domain or IP; distinguishing it requires looking at which process, user agent, API endpoint and timing pattern generates the requests.

Webworm relies heavily on a network of proxy and tunneling tools to route its traffic through compromised systems, building concealed infrastructure that hides the true origin of its activity. It also stages malware on public platforms like GitHub and uses widely trusted cloud services (such as Discord and Microsoft services) for command-and-control, which makes its operations harder to detect and to block without also blocking legitimate use.

The detailed analysis of hundreds of intercepted Discord messages and attacker infrastructure revealed that the group conducted reconnaissance on dozens of targets, which helped researchers trace the campaign back to Webworm. The group’s constant adjustment of its tools and techniques highlights its emphasis on maintaining long-term access while avoiding detection by evolving security defenses.

How can organizations defend against stealthy cloud-based intrusions?

Organizations should strengthen their defenses by closely monitoring how legitimate cloud services are used within their networks. Blocking discord.com or graph.microsoft.com outright is rarely an option, so the useful signals are contextual: which hosts and processes reach the API endpoints (as opposed to the web or desktop clients), which user agents they present, whether requests recur at a fixed interval, and whether data is being uploaded. This requires proxy or TLS-inspection logging of outbound traffic, with particular attention to unusual patterns involving APIs or messaging platforms, and limiting access to such services from systems that have no business reason to use them (servers, for example). Improving visibility into network activity matters because the group’s techniques are designed to blend in with normal operations.
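As an added example of the kind of monitoring described above (and of what the Discord- and Graph-based command-and-control traffic described earlier would look like from the network edge), the script below scans web-proxy log lines for hosts that reach the Discord API or Microsoft Graph with a non-browser user agent, beacon at a regular interval, or write file content through Graph. This is illustrative code written for this article, not ESET’s tooling or anything recovered from Webworm. The log format, the sample lines, the user-agent allow-list and the thresholds are all constructed assumptions; real deployments would map these onto their own proxy schema and baseline.

```python
"""Hunt for command-and-control-like use of Discord / Microsoft Graph in proxy logs.

Added example, not from the original article or from ESET. Assumes a constructed
proxy export with one request per line:
    <iso-time> <src-host> <method> <url> <status> <bytes> "<user-agent>"
The allow-list and thresholds below are illustrative, not vendor recommendations.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample: two benign workstations (ws-01 uses the Discord web app,
# ws-02 uses Outlook) and one file server (fs-07) behaving like an implant.
SAMPLE_LOG = """\
2025-03-04T09:00:01 ws-01 GET https://discord.com/app 200 5120 "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0"
2025-03-04T09:00:05 ws-02 GET https://graph.microsoft.com/v1.0/me/messages 200 8123 "Microsoft Office/16.0 (Windows NT 10.0; Outlook 16.0)"
2025-03-04T09:00:00 fs-07 GET https://discord.com/api/v10/channels/123/messages 200 412 "python-requests/2.31"
2025-03-04T09:01:00 fs-07 POST https://discord.com/api/v10/channels/123/messages 200 680 "python-requests/2.31"
2025-03-04T09:02:00 fs-07 GET https://discord.com/api/v10/channels/123/messages 200 402 "python-requests/2.31"
2025-03-04T09:03:00 fs-07 GET https://graph.microsoft.com/v1.0/me/drive/root/children 200 950 "-"
2025-03-04T09:04:00 fs-07 PUT https://graph.microsoft.com/v1.0/me/drive/root:/x.bin:/content 201 120000 "-"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+) "([^"]*)"$')
# API/gateway endpoints an implant would use; the ordinary web UI (discord.com/app) is not matched.
CLOUD_API_RE = re.compile(r"^https?://(?:discord\.com/api/|gateway\.discord\.gg|graph\.microsoft\.com/)")
# User agents expected to talk to these services legitimately (illustrative allow-list).
EXPECTED_UA_RE = re.compile(r"Mozilla/|Microsoft Office|Teams|OneDrive", re.I)
# Graph OneDrive/SharePoint content writes look like this; treat them as uploads.
GRAPH_UPLOAD_RE = re.compile(r"^https://graph\.microsoft\.com/.*/content(\?|$)")
MIN_BEACONS = 3          # need at least this many requests to judge regularity
MAX_JITTER_SECONDS = 5.0 # population std-dev of inter-request gaps at or below this = "regular"


def parse(log_text):
    """Turn raw lines into dicts; malformed lines are skipped rather than aborting the hunt."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, method, url, status, nbytes, ua = m.groups()
        events.append({"time": datetime.fromisoformat(ts), "host": host, "method": method,
                       "url": url, "status": int(status), "bytes": int(nbytes), "ua": ua})
    return events


def analyze(log_text):
    """Return {host: [reason, ...]} for hosts whose cloud-API use looks like C2."""
    by_host = defaultdict(list)
    for ev in parse(log_text):
        if CLOUD_API_RE.match(ev["url"]):
            by_host[ev["host"]].append(ev)

    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["time"])
        reasons = []

        # 1. Tooling (scripts, empty UA) rather than a browser/Office client talking to the API.
        odd_ua = sorted({e["ua"] for e in evs if not EXPECTED_UA_RE.search(e["ua"])})
        if odd_ua:
            reasons.append("non-browser user agent to cloud API: " + ", ".join(odd_ua))

        # 2. Machine-regular timing: humans and real clients do not poll every N seconds exactly.
        if len(evs) >= MIN_BEACONS:
            gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(evs, evs[1:])]
            if pstdev(gaps) <= MAX_JITTER_SECONDS:
                reasons.append(f"regular {gaps[0]:.0f}s beacon interval across {len(evs)} requests")

        # 3. File content pushed through Graph, the exfiltration path a Graph-based tool would use.
        uploads = [e for e in evs if e["method"] in ("PUT", "POST") and GRAPH_UPLOAD_RE.match(e["url"])]
        if uploads:
            reasons.append(f"{len(uploads)} upload(s) via Graph drive content endpoint")

        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in analyze(SAMPLE_LOG).items():
        print(host)
        for r in reasons:
            print("  -", r)
```

Run against the constructed sample, only fs-07 is reported, with all three reasons; the two workstations using the Discord web app and Outlook produce nothing. In practice the allow-list and the jitter threshold need tuning against your own baseline (EchoCreep and GraphWorm may well use plausible user agents), so treat each check as one weak signal and alert on hosts that trip several, not on any single match.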

Additionally, organizations should harden their external-facing systems and proactively manage vulnerabilities, as the group conducts reconnaissance and exploits weaknesses to gain initial access. Administrators must also patch regularly, monitor for suspicious use of administrative tools, and audit publicly exposed assets such as cloud storage and code repositories to reduce the attack surface. A layered security approach that emphasizes behavior-based detection and continuous threat hunting is recommended to detect and disrupt intrusions that signature- and reputation-based controls will not catch.