
China's Webworm hits EU govs via Discord and Microsoft Graph
Chinese APT Webworm targets EU governments using Discord and Microsoft Graph API as covert command-and-control channels.
What happened
Webworm, a Chinese APT (advanced persistent threat: a state-sponsored hacking group), has compromised EU government entities by hiding its C2 (command-and-control, the infrastructure through which attackers issue orders to compromised systems) inside legitimate cloud services.
The group weaponized Discord and the Microsoft Graph API as covert command channels. In practice, implants on victim machines poll attacker-controlled Discord channels, or mailboxes and OneDrive storage reachable through the Graph API, for tasking and drop their results there, instead of talking to dedicated C2 servers that defenders could block or flag.
To tunnel traffic and obscure the real origin of connections, Webworm deployed SoftEther VPN as a *SOCKS proxy* (a relay that forwards attacker traffic through a compromised host, so that downstream connections appear to originate from the victim network rather than from the attacker's real IP). The initial access vector has not been publicly confirmed, but the TTPs (tactics, techniques, and procedures: the attacker's operational playbook) align with previous Webworm campaigns against government and defense targets across Asia and Europe.
Why it matters
Using trusted cloud services as C2 infrastructure is not new, but adoption is accelerating. Discord, Slack, Microsoft Graph, Telegram, and similar platforms share a critical defensive blind spot:
- HTTPS traffic to `graph.microsoft.com` or `discord.com` is almost never blocked at corporate firewalls.
- Classic IOC (indicators of compromise — technical fingerprints that reveal an attack) detection based on malicious IPs or domains fails when C2 lives inside Microsoft or Discord infrastructure.
- Domain-reputation rules pass this traffic, because the domains involved are exactly the high-reputation ones those rules exist to trust.
The SoftEther VPN SOCKS proxy layer adds another evasion tier: what network monitoring sees is outbound TLS from the compromised host to well-known cloud endpoints, with nothing in the destination to trigger an alert. What it can still catch is behaviour rather than destination: fixed-interval polling, cloud traffic from hosts that have no interactive user, and connection volume that does not fit the host's role.
This positions Webworm as a group with mature evasion capabilities, not an opportunistic actor.
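The behavioural signals above can be checked against ordinary proxy logs. The following is an added example written for this article, not code from the original page or from any Webworm reporting: it applies a role-based policy (servers have no business talking to Discord or Graph) and a beaconing check (near-constant inter-arrival times) to a constructed proxy log. The log lines, the host inventory and the `HOST_ROLES` mapping are all made up for the demonstration.

```python
# Added example (not from the article): hunting for cloud-hosted C2 in
# outbound proxy logs. The log lines and the host inventory are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Destinations that are normal for a user's browser but unexplained from a server.
CLOUD_C2_DOMAINS = {"discord.com", "gateway.discord.gg", "graph.microsoft.com"}

# Assumed asset inventory (hostname -> role). In practice this comes from a CMDB.
HOST_ROLES = {
    "ws-alice": "workstation",
    "ws-bob": "workstation",
    "srv-db01": "server",
    "srv-web02": "server",
}

# Constructed proxy log, one event per line: "<ISO timestamp> <host> <dest> <bytes>".
SAMPLE_LOG = """\
2024-05-01T09:00:00 ws-alice discord.com 8421
2024-05-01T09:00:12 ws-alice discord.com 30117
2024-05-01T09:03:45 ws-bob graph.microsoft.com 2048
2024-05-01T09:05:00 srv-db01 graph.microsoft.com 512
2024-05-01T09:10:00 srv-db01 graph.microsoft.com 517
2024-05-01T09:15:00 srv-db01 graph.microsoft.com 509
2024-05-01T09:20:00 srv-db01 graph.microsoft.com 520
2024-05-01T09:25:00 srv-db01 graph.microsoft.com 511
2024-05-01T09:30:00 srv-web02 updates.example.net 90000
2024-05-01T09:41:00 ws-alice discord.com 10
"""


def parse_log(text):
    """Parse the four-column log into (timestamp, host, dest, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest, size = line.split()
        events.append((datetime.fromisoformat(ts), host, dest, int(size)))
    return events


def policy_violations(events, roles=HOST_ROLES):
    """Hosts whose role gives them no reason to talk to the C2-capable domains.

    Returns a sorted list of (host, dest) pairs.
    """
    hits = {
        (host, dest)
        for _, host, dest, _ in events
        if dest in CLOUD_C2_DOMAINS and roles.get(host) == "server"
    }
    return sorted(hits)


def beacons(events, min_events=4, max_jitter=0.10):
    """Find (host, dest) pairs that connect at a suspiciously regular cadence.

    A trusted destination does not hide a fixed polling interval: for each pair
    we compute the inter-arrival times and flag the pair when the coefficient
    of variation (stdev / mean) is at or below max_jitter.  Returns a dict
    mapping (host, dest) -> mean interval in seconds.
    """
    times = defaultdict(list)
    for ts, host, dest, _ in events:
        times[(host, dest)].append(ts)
    found = {}
    for pair, stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found[pair] = avg
    return found


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("role violations:", policy_violations(evs))   # srv-db01 -> graph.microsoft.com
    print("beaconing pairs:", beacons(evs))              # same pair, every 300 s
```

On the constructed data the workstation's bursty Discord use passes both checks, while the database server polling `graph.microsoft.com` every five minutes fails both. Real logs need a looser `max_jitter` (implants add random sleep) and a longer window, but the two signals are independent of domain reputation, which is the point.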
What to do
- Map and restrict which hosts in your network have legitimate reasons to reach `graph.microsoft.com` and `discord.com`. Production servers, critical infrastructure, and non-interactive endpoints should not be connecting to Discord.
- Turn on the Microsoft Graph and Entra ID telemetry you will need to hunt with: the Unified Audit Log, Entra ID sign-in and audit logs, and, where available, Microsoft Graph activity logs. Then enumerate app registrations and service principals and hunt for any you don't recognize that hold Mail.Read or Files.ReadWrite (or broader Mail.* and Files.* application permissions), especially ones consented tenant-wide by an administrator.
- Audit internal hosts that aren't user devices for SoftEther VPN. Note that SoftEther listens on TCP 443 by default and wraps its tunnel to look like HTTPS, so hunting only for non-standard VPN ports will miss it; look for long-lived TLS sessions to unexpected endpoints and for SoftEther binaries or services on hosts that shouldn't run a VPN.
- Check published IOCs from Dark Reading and threat intel platforms (MISP, AlienVault OTX) for campaign-specific indicators. Because the C2 sits on Microsoft and Discord infrastructure, host-based indicators such as implant hashes and file paths will carry more weight here than domain or IP lists.
- In high-criticality environments, evaluate zero-trust egress: deny all outbound traffic by default unless explicitly allowlisted.
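The tenant-side hunt (second item above) is a join between three Microsoft Graph collections: the service principals, the application permissions assigned to them (`appRoleAssignments`, which carry only an `appRoleId` GUID that must be resolved against the Microsoft Graph service principal's `appRoles`), and the delegated grants (`oauth2PermissionGrants`, whose `scope` is a space-separated string). The following is an added example written for this article, not the article's or Microsoft's code. All records are constructed to mimic the shape of those Graph responses; the role GUIDs and app IDs are placeholders, except the well-known Microsoft Graph appId, and the `KNOWN_APP_IDS` allowlist is an assumption standing in for your own inventory.

```python
# Added example (not from the article): triage of tenant app permissions for the
# Graph scopes the article names.  All records are constructed to mimic the shape
# of Microsoft Graph responses; GUIDs are placeholders except the Graph appId.

SENSITIVE_PREFIXES = ("Mail.", "Files.")

# Assumed allowlist of app (client) IDs your organisation already knows about.
KNOWN_APP_IDS = {"11111111-aaaa-4aaa-8aaa-111111111111"}

# Shape of GET /servicePrincipals?$select=id,appId,displayName,appRoles (trimmed).
SERVICE_PRINCIPALS = [
    {"id": "sp-graph", "appId": "00000003-0000-0000-c000-000000000000",
     "displayName": "Microsoft Graph",
     "appRoles": [
         {"id": "role-mail-read", "value": "Mail.Read"},
         {"id": "role-files-rw-all", "value": "Files.ReadWrite.All"},
         {"id": "role-user-read-all", "value": "User.Read.All"},
     ]},
    {"id": "sp-backup", "appId": "11111111-aaaa-4aaa-8aaa-111111111111",
     "displayName": "Corp Backup Connector", "appRoles": []},
    {"id": "sp-sync", "appId": "22222222-bbbb-4bbb-8bbb-222222222222",
     "displayName": "Sync Helper", "appRoles": []},
]

# Shape of GET /servicePrincipals/{id}/appRoleAssignments (application permissions).
APP_ROLE_ASSIGNMENTS = [
    {"principalId": "sp-backup", "resourceId": "sp-graph", "appRoleId": "role-files-rw-all"},
    {"principalId": "sp-sync", "resourceId": "sp-graph", "appRoleId": "role-mail-read"},
    {"principalId": "sp-sync", "resourceId": "sp-graph", "appRoleId": "role-user-read-all"},
]

# Shape of GET /oauth2PermissionGrants (delegated permissions).
OAUTH2_GRANTS = [
    {"clientId": "sp-sync", "resourceId": "sp-graph", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read Files.ReadWrite offline_access"},
    {"clientId": "sp-backup", "resourceId": "sp-graph", "consentType": "Principal",
     "principalId": "user-1", "scope": "User.Read"},
]


def role_catalogue(service_principals):
    """Map (resource SP id, appRoleId) -> permission name from the resource's appRoles."""
    cat = {}
    for sp in service_principals:
        for role in sp.get("appRoles", []):
            cat[(sp["id"], role["id"])] = role["value"]
    return cat


def is_sensitive(perm):
    """Mail.* and Files.* are the scopes an implant needs to use a mailbox or OneDrive as C2."""
    return perm.startswith(SENSITIVE_PREFIXES)


def audit(service_principals, assignments, grants, known_app_ids=KNOWN_APP_IDS):
    """Return findings for unrecognised apps holding Mail.* or Files.* access.

    Each finding is (displayName, permission, kind), where kind is 'application'
    for an appRoleAssignment or 'delegated:<consentType>' for an OAuth2 grant.
    AllPrincipals means an admin consented for every user in the tenant.
    """
    sps = {sp["id"]: sp for sp in service_principals}
    cat = role_catalogue(service_principals)
    findings = []
    for a in assignments:
        sp = sps.get(a["principalId"])
        # Unresolvable role IDs fall through as the raw GUID and never match a prefix.
        perm = cat.get((a["resourceId"], a["appRoleId"]), a["appRoleId"])
        if sp and sp["appId"] not in known_app_ids and is_sensitive(perm):
            findings.append((sp["displayName"], perm, "application"))
    for g in grants:
        sp = sps.get(g["clientId"])
        if not sp or sp["appId"] in known_app_ids:
            continue
        for perm in g["scope"].split():
            if is_sensitive(perm):
                findings.append((sp["displayName"], perm, "delegated:" + g["consentType"]))
    return sorted(findings)


if __name__ == "__main__":
    for name, perm, kind in audit(SERVICE_PRINCIPALS, APP_ROLE_ASSIGNMENTS, OAUTH2_GRANTS):
        print(f"{name}: {perm} ({kind})")
```

The known backup connector is skipped even though it holds `Files.ReadWrite.All`; the unrecognised "Sync Helper" is reported twice, once for its application-level `Mail.Read` and once for a tenant-wide delegated `Files.ReadWrite` grant. In a real run you would page the three collections out of Graph with the endpoints named in the comments and feed them to `audit` unchanged.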
The Discord + Graph API C2 pattern isn't going away; it's too effective. If you don't have visibility into cloud-bound traffic from your infrastructure today, you won't have it when you need it.
Source: BBLabs News

