Executive Summary
In 2025, the China-aligned advanced persistent threat (APT) group known as Webworm expanded its operations to target governmental organizations across Europe, including Belgium, Italy, Poland, Serbia, and Spain. The group employed two sophisticated backdoors, EchoCreep and GraphWorm, which used Discord and the Microsoft Graph API, respectively, for command-and-control (C&C) communications. Routing C&C traffic through legitimate services let Webworm blend malicious activity into normal traffic, complicating detection. The group also leveraged custom proxy tools (WormFrp, ChainWorm, SmuxProxy, and WormSocket) to build a covert network infrastructure, further improving its stealth. (eset.com)
Why This Matters Now
The incident underscores a significant evolution in cyber-espionage tactics, highlighting the increasing use of popular cloud services for C&C communications. This trend poses new challenges for cybersecurity defenses, as traditional detection methods may struggle to identify malicious activities embedded within legitimate platforms. Organizations must adapt by implementing advanced monitoring and anomaly detection systems to effectively counter such sophisticated threats.
Attack Path Analysis
Webworm gained initial access by exploiting vulnerabilities in public-facing applications. The group then escalated privileges by deploying custom backdoors such as EchoCreep and GraphWorm. Using proxy tools such as SoftEther VPN, it moved laterally within the network. For command and control, it relied on Discord and the Microsoft Graph API to communicate with compromised systems. Data was exfiltrated through the same covert channels, and the impact included unauthorized access to sensitive governmental information.
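Because the C&C channels above ride on services many organizations legitimately use, a blanket block is rarely possible; the practical control is per-segment egress policy. The following added example (not from the ESET report or any vendor) checks constructed egress log lines against such a policy: the log format, segment names, IP addresses and the allow-list are assumptions, while the watched domains are the public endpoints of the two services the page names.

```python
"""Flag egress to Discord and Microsoft Graph from hosts that have no business
reason to use them. Added example; log format, segment names, IPs and the
per-segment policy are constructed, not taken from the ESET report."""
from collections import Counter
import re

# Services the report names as C&C carriers. Graph API is legitimate for many
# workstations (Office 365), so policy is per network segment, not global.
WATCHED = {
    "discord.com": "discord", "discordapp.com": "discord",
    "gateway.discord.gg": "discord", "graph.microsoft.com": "msgraph",
}
# Which segments are expected to reach which watched service (constructed policy).
ALLOWED = {"workstations": {"msgraph"}, "dmz-web": set(), "servers": set()}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<seg>[\w-]+) (?P<src>[\d.]+) -> (?P<host>[\w.-]+):(?P<port>\d+)$")

def service_of(host):
    """Map a hostname to a watched service, matching parent domains too."""
    parts = host.lower().split(".")
    for i in range(len(parts) - 1):
        svc = WATCHED.get(".".join(parts[i:]))
        if svc:
            return svc
    return None

def find_suspicious_egress(lines, min_hits=1):
    """Return {(segment, src_ip, service): count} for connections outside policy."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line
        svc = service_of(m["host"])
        if svc and svc not in ALLOWED.get(m["seg"], set()):
            hits[(m["seg"], m["src"], svc)] += 1
    return {k: v for k, v in hits.items() if v >= min_hits}

# Constructed sample log: a DMZ web server repeatedly reaching Discord, an internal
# server reaching Graph, and workstations using Graph legitimately.
SAMPLE_LOG = """\
2025-06-01T08:00:01Z dmz-web 10.1.0.12 -> gateway.discord.gg:443
2025-06-01T08:00:31Z dmz-web 10.1.0.12 -> gateway.discord.gg:443
2025-06-01T08:01:02Z workstations 10.2.0.55 -> graph.microsoft.com:443
2025-06-01T08:01:05Z servers 10.3.0.7 -> graph.microsoft.com:443
2025-06-01T08:01:09Z workstations 10.2.0.56 -> cdn.discordapp.com:443
2025-06-01T08:02:00Z servers 10.3.0.8 -> update.example.gov:443
""".splitlines()

if __name__ == "__main__":
    for (seg, src, svc), n in sorted(find_suspicious_egress(SAMPLE_LOG).items()):
        print(f"{seg} {src} -> {svc}: {n} connection(s) outside segment policy")
```

Raising `min_hits` turns the check into a crude beaconing filter, keeping only hosts that contact the service repeatedly in the analysed window.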
Kill Chain Progression
Initial Compromise
Description
Webworm exploited vulnerabilities in public-facing applications to gain initial access to target networks.
MITRE ATT&CK® Techniques
- Application Layer Protocol: Web Protocols
- Acquire Infrastructure: Virtual Private Server
- Compromise Infrastructure: Web Services
- Stage Capabilities: Upload Tool
- Active Scanning: Wordlist Scanning
- Active Scanning: Vulnerability Scanning
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
- PCI DSS 4.0 – Change Control Processes (Control ID: 6.4.1)
- NYDFS 23 NYCRR 500 – Cybersecurity Policy (Control ID: 500.03)
- DORA – ICT Risk Management Framework (Control ID: Article 5)
- CISA ZTMM 2.0 – Network and Environment Segmentation (Control ID: Pillar 3)
- NIS2 Directive – Incident Handling (Control ID: Article 21)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
- Government Administration: Primary target of Webworm's European campaign; critical exposure to Discord and Microsoft Graph C2 channels, requiring enhanced egress filtering and east-west traffic security.
- Information Technology: High risk from custom proxy tools and GitHub-staged malware; requires zero trust segmentation, multicloud visibility, and threat detection for encrypted traffic patterns.
- Telecommunications: Vulnerable to SOCKS proxy infiltration and SoftEther VPN exploitation; needs inline IPS protection and secure hybrid connectivity to prevent lateral movement.
- Financial Services: Critical exposure to APT espionage through compromised cloud infrastructure; requires compliance with PCI/NIST standards and advanced anomaly detection for command-and-control activity.
Sources
- China's Webworm Uses Discord, Microsoft Graphs to Hack EU Governments: https://www.darkreading.com/endpoint-security/chinas-webworm-discord-microsoft-graphs
- ESET uncovers the expanded arsenal of China-aligned Webworm; European governments targeted: https://www.eset.com/us/about/newsroom/research/eset-research-china-aligned-webworm-european-governments-targeted/
- China-Linked Webworm APT Evolves Tactics, Expands to European Targets: https://www.infosecurity-magazine.com/news/webworm-apt-evolves-tactics/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is relevant to this incident because strict segmentation and controlled egress policies could reduce the attacker's ability to move laterally and exfiltrate data.
- Control: Cloud Native Security Fabric (CNSF). Mitigation: The attacker's ability to exploit vulnerabilities in public-facing applications may be constrained by enforcing strict access controls and monitoring.
- Control: Zero Trust Segmentation. Mitigation: The deployment of custom backdoors may be limited by enforcing strict segmentation and access controls.
- Control: East-West Traffic Security. Mitigation: The attacker's lateral movement may be constrained by enforcing east-west traffic controls and segmentation.
- Control: Multicloud Visibility & Control. Mitigation: The establishment of command and control channels may be limited by enforcing strict egress controls and monitoring.
- Control: Egress Security & Policy Enforcement. Mitigation: The exfiltration of sensitive data may be constrained by enforcing strict egress policies and monitoring.
- The unauthorized access to sensitive information may be limited by enforcing strict segmentation and access controls.
Impact at a Glance
Affected Business Functions
- Government Communications
- Public Services
- National Security Operations
Estimated downtime: 7 days
Estimated loss: $500,000
Confidential government documents and communications
Recommended Actions
Key Takeaways & Next Steps
- Implement robust patch management to address vulnerabilities in public-facing applications.
- Deploy Zero Trust Segmentation to limit lateral movement within the network.
- Utilize East-West Traffic Security to monitor and control internal traffic flows.
- Enforce Egress Security & Policy Enforcement to detect and block unauthorized outbound communications.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.