Fast Facts
- Webworm, a China-backed APT group, is shifting its focus from Asia to target European governmental organizations using stealthier proxy tools and custom backdoors like EchoCreep and GraphWorm.
- The group employs innovative command-and-control methods via platforms like Discord and Microsoft Graph API, along with staging malware on GitHub for remote operations.
- Webworm utilizes cloud-based proxy networks and VPN solutions such as SoftEther VPN and custom tools to evade detection and extend their network infiltration.
- To defend against Webworm, organizations should prioritize patching vulnerabilities, monitor unusual communication with non-standard apps, and scrutinize data flows to unconventional endpoints.
Webworm’s New Tactics Use Popular Online Platforms
Recently, a hacking group backed by China, called Webworm, has shifted its focus from Asia to Europe. This group targets government agencies in countries like Belgium, Italy, Serbia, Spain, and Poland. They use a variety of clever methods to stay hidden. For example, in 2025, Webworm introduced two new backdoors called EchoCreep and GraphWorm. EchoCreep uses Discord, a popular chat app, to send commands and share files. Meanwhile, GraphWorm relies on Microsoft Graph API and OneDrive to control and communicate with infected devices. By using these well-known online tools, Webworm makes it harder for security teams to detect their activities. They also stage malware on GitHub, making it easy for them to download harmful files onto victim computers. This approach shows that Webworm is always evolving, trying to stay one step ahead of detection.
Understanding Webworm’s Stealthy Approach and How Organizations Can Protect Themselves
Webworm takes a sneaky approach by using legitimate network tools, like SOCKS proxies and custom solutions, to hide its operations. These proxies encrypt traffic and help create a hidden network, making it difficult for defenders to track. The group often searches for vulnerabilities in web servers before launching their attacks. They use open-source tools to scan for weaknesses and then deploy backdoors once they gain access. To fight back, organizations should keep their systems updated and reduce their exposure to vulnerabilities. They also need to closely monitor unusual activity on platforms like Discord and Microsoft Graph, especially data transfers that don’t fit normal patterns. By being vigilant and proactive, organizations can better defend against Webworm’s clever and evolving tactics, helping to secure critical government and infrastructure networks from sophisticated cyber threats.
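As an added example (not code from the report), the following Python check applies the monitoring advice above to constructed proxy log lines: it flags hosts whose traffic to the Discord, Microsoft Graph and GitHub services the report names as C2 and staging channels looks out of place. The watched-domain list, the host naming convention (servers prefixed `srv-`), the scripted user-agent list and the upload-heavy heuristic are all assumptions.

```python
from collections import defaultdict

# Services the report names as C2 channels (Discord, Microsoft Graph) and as a
# malware staging host (GitHub). The category labels are an assumption.
WATCHED = {
    "discord.com": "chat-c2",
    "discordapp.com": "chat-c2",
    "graph.microsoft.com": "graph-c2",
    "github.com": "staging",
    "raw.githubusercontent.com": "staging",
}
# User-agent prefixes a browser or Office client never sends; scripted tooling does.
SCRIPTED_UA = ("python-requests", "curl", "powershell", "go-http-client")

# Constructed proxy log: time, host, user-agent, destination, bytes_out, bytes_in.
SAMPLE_LOG = """\
2025-03-01T09:00:01 ws-fin-07 Office/16.0 graph.microsoft.com 812 40960
2025-03-01T09:05:40 srv-web-02 python-requests/2.31 discord.com 3100 600
2025-03-01T09:05:42 srv-web-02 python-requests/2.31 discord.com 2900 580
2025-03-01T09:06:00 srv-web-02 curl/8.4.0 raw.githubusercontent.com 300 951000
2025-03-01T09:07:13 ws-hr-03 Mozilla/5.0 discord.com 500 12000
2025-03-01T09:09:30 ws-hr-03 Mozilla/5.0 example.org 700 30000
"""

def parse(log):
    """Yield (time, host, user_agent, destination, bytes_out, bytes_in) per line."""
    for line in log.splitlines():
        ts, host, ua, dest, out_b, in_b = line.split()
        yield ts, host, ua, dest, int(out_b), int(in_b)

def find_suspicious(log, server_prefix="srv-"):
    """Return sorted (host, destination, reason) triples worth an analyst's look."""
    totals = defaultdict(lambda: [0, 0])   # (host, dest) -> [bytes_out, bytes_in]
    findings = set()
    for _, host, ua, dest, out_b, in_b in parse(log):
        category = WATCHED.get(dest)
        if category is None:
            continue                        # not one of the abused services
        totals[(host, dest)][0] += out_b
        totals[(host, dest)][1] += in_b
        if ua.lower().startswith(SCRIPTED_UA):
            findings.add((host, dest, "scripted user-agent to " + category))
        if host.startswith(server_prefix):
            findings.add((host, dest, "server-class host reaching " + category))
    for (host, dest), (out_b, in_b) in totals.items():
        # Human chat and Graph usage is download-heavy; a channel that pushes more
        # out than it pulls in looks like beaconing or exfiltration.
        if WATCHED[dest] != "staging" and out_b > in_b:
            findings.add((host, dest, "upload-heavy traffic to " + WATCHED[dest]))
    return sorted(findings)

if __name__ == "__main__":
    for host, dest, reason in find_suspicious(SAMPLE_LOG):
        print(f"{host:12} {dest:28} {reason}")
```

On the sample log only the web server is flagged: the finance workstation's Office traffic to Graph and the HR workstation's browser session on Discord match normal patterns and are left alone.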
