BBLabs NewsBBLabs News
NewsAll articlesTopics
ES
BBLabs NewsBBLabs News

BBLabs News

Una historia al día. Cero ruido.

Newsletter técnica de ciberseguridad. Una historia al día sobre CVEs críticos, brechas, bug bounty e IA. Filtrado por IA, escrito para humanos.

Producto

  • Hemeroteca
  • Ediciones
  • Temas
  • Glosario
  • RSS
  • Atom
  • JSON Feed

Editorial

  • Acerca de
  • Suscribirse
  • Cuenta
  • English

Legal

  • Privacidad
  • Términos
  • Contacto: team@bblabs.es

Conectar

  • YouTube · @0xGorka
  • Instagram · @bblabs.es
  • Discord BBLabs
  • Discord Bug Bounty ES
31 artículos·10 ediciones·Desde 2026·Hecho en España
© 2026 BBLabs News·Por Gorka El Bochi
BBLabs NewsBBLabs News
NewsAll articlesTopics
ES
China's Webworm hits EU govs via Discord and Microsoft Graph
Back to homeCiberataques

China's Webworm hits EU govs via Discord and Microsoft Graph

Chinese APT Webworm targets EU governments using Discord and Microsoft Graph API as covert command-and-control channels.

  1. Home
  2. ›
  3. Ciberataques
  4. ›
  5. China's Webworm hits EU govs via Discord and Microsoft Graph
by Gorka El Bochi Morillo
·
2 min read
·May 26, 2026

What happened

Webworm, a Chinese APT (advanced persistent threat — a state-sponsored hacking group), has compromised EU government entities by hiding their C2 (command-and-control — the infrastructure that runs compromised systems) inside legitimate cloud services.

The group weaponized Discord and the Microsoft Graph API as covert command channels. In practice: implants on victim machines communicate with attacker-controlled Discord channels or OneDrive mailboxes instead of dedicated C2 servers that defenders could easily block or flag.

To tunnel traffic and obscure the real origin of connections, Webworm deployed SoftEther VPN as a *SOCKS proxy* (a middleman layer that routes attacker traffic through compromised hosts, masking the true source IP). The initial access vector has not been publicly confirmed, but the TTPs (tactics, techniques, and procedures — the attacker's operational playbook) align with previous Webworm campaigns against government and defense targets across Asia and Europe.

Why it matters

Using trusted cloud services as C2 infrastructure is not new, but adoption is accelerating. Discord, Slack, Microsoft Graph, Telegram, and similar platforms share a critical defensive blind spot:

  • HTTPS traffic to `graph.microsoft.com` or `discord.com` is almost never blocked at corporate firewalls.
  • Classic IOC (indicators of compromise — technical fingerprints that reveal an attack) detection based on malicious IPs or domains fails when C2 lives inside Microsoft or Discord infrastructure.
  • Domain reputation rules are completely blind to this technique.

The SoftEther VPN SOCKS proxy layer adds another evasion tier: network analysis sees legitimate-looking outbound connections from the compromised host, with no anomalous traffic patterns to trigger alerts.

This positions Webworm as a group with mature evasion capabilities — not an opportunistic actor.

What to do

  • Map and restrict which hosts in your network have legitimate reasons to reach `graph.microsoft.com` and `discord.com`. Production servers, critical infrastructure, and non-interactive endpoints should not be connecting to Discord.
  • Enable granular Microsoft Graph API logging in your Azure tenant (Unified Audit Log + Entra ID sign-in logs). Hunt for registered apps with Mail.Read or Files.ReadWrite permissions you don't recognize.
  • Audit outbound connections to SoftEther endpoints or non-standard VPN tunnel ports from internal hosts that aren't user devices.
  • Check published IOCs from Dark Reading and threat intel platforms (MISP, AlienVault OTX) for campaign-specific indicators.
  • In high-criticality environments, evaluate zero-trust egress: deny all outbound traffic by default unless explicitly allowlisted.

The Discord + Graph API C2 pattern isn't going away — it's too effective. If you don't have visibility into cloud-bound traffic from your infrastructure today, you likely won't have it when you need it.

What to do

  • Restrict Discord and Microsoft Graph API access to only hosts that explicitly need it.
  • Enable Unified Audit Log in Azure and hunt for registered apps with suspicious Graph permissions.
  • Detect SoftEther VPN or SOCKS tunnel traffic originating from critical infrastructure hosts.

Share this story

Help more people discover BBLabs News.

China's Webworm hits EU govs via Discord and Microsoft Graph
VerticalDownload image
LinkedInXWhatsApp

Interested in Ciberataques?

Subscribe to this stream and get the most relevant news every day — no spam, no noise.

Subscribe

Related articles

Destacado
Ciberataques4 jun 2026·2 min

Megalodon malware hits 5,500+ GitHub repos in 6 hours

Megalodon malware pushed malicious commits to 5,500+ GitHub repos in six hours, stealing developer credentials and secrets.

  • Audit recent GitHub commits for unauthorized changes or unknown accounts
  • Rotate all tokens and API keys with write access immediately
  • Enable GitHub secret scanning with push protection across your org
Gorka El Bochi Morillo
Leer artículo
Ciberataques3 jun 2026·2 min

JINX-0164 hits crypto firms with fake recruiter macOS malware

JINX-0164 uses fake recruiter lures to deploy custom macOS malware against crypto firms and steal digital assets.

Leer artículo
Ciberataques1 jun 2026·2 min

Dutch police arrest admins of bulletproof hosting used by Russian hackers

Dutch authorities arrested two admins of a bulletproof hosting service — infrastructure that ignores legal takedown requests — used by Russia-aligned threat actors.

Leer artículo

Want to get news like this every day?

Browse all articles
BBLabs NewsBBLabs News

BBLabs News

Una historia al día. Cero ruido.

Newsletter técnica de ciberseguridad. Una historia al día sobre CVEs críticos, brechas, bug bounty e IA. Filtrado por IA, escrito para humanos.

Producto

  • Hemeroteca
  • Ediciones
  • Temas
  • Glosario
  • RSS
  • Atom
  • JSON Feed

Editorial

  • Acerca de
  • Suscribirse
  • Cuenta
  • English

Legal

  • Privacidad
  • Términos
  • Contacto: team@bblabs.es

Conectar

  • YouTube · @0xGorka
  • Instagram · @bblabs.es
  • Discord BBLabs
  • Discord Bug Bounty ES
31 artículos·10 ediciones·Desde 2026·Hecho en España
© 2026 BBLabs News·Por Gorka El Bochi