
Chinese APT Webworm targets EU governments using Discord and Microsoft Graph API as covert command-and-control channels.
Webworm, a Chinese APT (advanced persistent threat — a state-sponsored hacking group), has compromised EU government entities by hiding their C2 (command-and-control — the infrastructure that runs compromised systems) inside legitimate cloud services.
The group weaponized Discord and the Microsoft Graph API as covert command channels. In practice: implants on victim machines communicate with attacker-controlled Discord channels or OneDrive mailboxes instead of dedicated C2 servers that defenders could easily block or flag.
To tunnel traffic and obscure the real origin of connections, Webworm deployed SoftEther VPN as a *SOCKS proxy* (a middleman layer that routes attacker traffic through compromised hosts, masking the true source IP). The initial access vector has not been publicly confirmed, but the TTPs (tactics, techniques, and procedures — the attacker's operational playbook) align with previous Webworm campaigns against government and defense targets across Asia and Europe.
Using trusted cloud services as C2 infrastructure is not new, but adoption is accelerating. Discord, Slack, Microsoft Graph, Telegram, and similar platforms share a critical defensive blind spot:
The SoftEther VPN SOCKS proxy layer adds another evasion tier: network analysis sees legitimate-looking outbound connections from the compromised host, with no anomalous traffic patterns to trigger alerts.
This positions Webworm as a group with mature evasion capabilities — not an opportunistic actor.
The Discord + Graph API C2 pattern isn't going away — it's too effective. If you don't have visibility into cloud-bound traffic from your infrastructure today, you likely won't have it when you need it.
Help more people discover BBLabs News.
Want to get news like this every day?
Browse all articles