China-linked APT group Webworm has compromised European government networks using Discord and Microsoft Graph as command-and-control channels, according to recent threat intelligence findings.

The group exploited legitimate cloud services to mask malicious traffic. Discord's platform and Microsoft's Graph API served as covert communication pathways, allowing attackers to issue commands and exfiltrate data without triggering traditional network defenses. This technique leverages the trust organizations place in mainstream services.

Webworm operators deployed SOCKS proxies, including SoftEther VPN, to obfuscate their infrastructure. These tunneling tools functioned as intermediaries between victim systems and attacker-controlled servers, complicating attribution and network forensics. The use of legitimate VPN software alongside major cloud platforms created a layered obfuscation strategy that evaded detection longer than conventional backdoors.

The intrusions targeted European government entities, suggesting state-sponsored intelligence gathering objectives. Webworm typically focuses on espionage and long-term persistence rather than disruptive attacks. The group's use of civilian communication platforms points to both operational sophistication and resource constraints: dedicated attacker infrastructure must be registered, paid for and maintained, and each of those steps can be monitored and traced back.

Organizations defending against this threat should implement network segmentation and monitor Graph API usage patterns for anomalous activity. Discord and similar platforms generate substantial legitimate traffic, so detection is difficult without a behavioral baseline of which hosts normally use each service and how. Endpoint detection and response tools should flag unexpected SoftEther VPN execution and newly established SOCKS proxies.
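To make the baseline and behavioral checks concrete, here is an added example that is not from the report or its sources: it scores constructed egress-proxy log lines and flags a host that talks to Discord or the Graph API with no prior history of that service, or that does so at machine-regular intervals. The host names, the log format and the baseline are assumptions.

```python
from datetime import datetime
from statistics import mean, pstdev

# Services the report names as abused for C2; legitimate use is expected, so blocking is out.
CLOUD_C2_HOSTS = {"graph.microsoft.com", "discord.com"}

# Constructed sample egress-proxy log ("timestamp src_host dest_host"), not from the report.
SAMPLE_LOG = """\
2024-05-01T09:00:00 ws-finance-07 discord.com
2024-05-01T09:01:00 ws-finance-07 discord.com
2024-05-01T09:02:01 ws-finance-07 discord.com
2024-05-01T09:02:59 ws-finance-07 discord.com
2024-05-01T09:00:13 ws-comms-02 discord.com
2024-05-01T09:31:02 ws-comms-02 discord.com
2024-05-01T09:00:05 ws-dev-11 graph.microsoft.com
"""
# Constructed baseline: hosts with established legitimate use of a service (learned from history).
BASELINE = {"ws-comms-02": {"discord.com"}, "ws-dev-11": {"graph.microsoft.com"}}

def parse_log(text):
    """Group request timestamps by (src_host, dest_host), sorted ascending."""
    groups = {}
    for line in text.splitlines():
        ts, host, dest = line.split()
        groups.setdefault((host, dest), []).append(datetime.fromisoformat(ts))
    return {key: sorted(times) for key, times in groups.items()}

def beacon_score(times):
    """Coefficient of variation of inter-request gaps; near 0 means a fixed-period beacon."""
    if len(times) < 4:
        return None  # too few samples to judge regularity
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else None

def find_suspicious(text, baseline, max_cv=0.1):
    """Return (host, dest, reasons) for cloud-service traffic that breaks baseline or beacons."""
    findings = []
    for (host, dest), times in parse_log(text).items():
        if dest not in CLOUD_C2_HOSTS:
            continue
        reasons = []
        if dest not in baseline.get(host, set()):
            reasons.append("no prior baseline use of this service")
        cv = beacon_score(times)
        if cv is not None and cv <= max_cv:
            reasons.append(f"fixed-interval requests (cv={cv:.2f})")
        if reasons:
            findings.append((host, dest, reasons))
    return findings
```

On the sample data only the finance workstation is reported, for both reasons; the two hosts with a baseline and irregular timing stay quiet.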

The incident demonstrates how commodity tools and public services become weaponized in state-sponsored campaigns. Defenders cannot simply block these services. Instead, security teams require visibility into encrypted tunnels and API calls originating from internal networks. Log aggregation and threat intelligence integration prove essential for identifying when legitimate tools serve attacker objectives.

European government agencies should assume Webworm maintains persistent access unless forensic investigation confirms complete remediation.