China's Webworm Uses Discord, Microsoft Graphs to Hack EU Govts.
Dark ReadingArchived May 22, 2026✓ Full text saved
The advanced persistent threat group also relied on SOCKS proxies like SoftEther VPN, tunneling tools that act as a middleman between victim and attacker.
Full text archived locally
✦ AI Summary· Claude Sonnet
ENDPOINT SECURITY
THREAT INTELLIGENCE
APPLICATION SECURITY
CYBER RISK
NEWS
Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa and the Asia Pacific
China's Webworm Uses Discord, Microsoft Graphs to Hack EU Govts.
The advanced persistent threat group also relied on SOCKS proxies like SoftEther VPN, tunneling tools that act as a middleman between victim and attacker.
Alexander Culafi,Senior News Writer,Dark Reading
May 22, 2026
4 Min Read
SOURCE: TRUE IMAGES VIA ALAMY STOCK PHOTO
A China-backed persistent threat actor known as Webworm is targeting governmental organizations across Europe, and it's using unusual command-and-control mechanisms to do so.
Security vendor ESET this week published research detailing recent activity surrounding Webworm, a China-aligned APT group first reported on in 2022. Although the group initially began targeting organizations in Asia, ESET's Eric Howard wrote that the threat actor has shifted its focus to Europe, including governmental organizations in Belgium, Italy, Serbia, Spain, and Poland. Additional additional activity in South Africa has also been detected.
The research predominantly covers Webworm's activities between early 2024 and early 2025, as well as how its tactics, techniques, and procedures (TTPs) have evolved since 2022. The threat actor originally relied on well-known malware families like McRat and Trochilus, though it has more recently pivoted toward existing and custom proxy tools. In these cases, which were mainly observed in 2024, Webworm relied on "legitimate or semi-legitimate tools, such as SOCKS proxies (SoftEther VPN) and other networking solutions."
Related:Silver Fox Springs Tax-Themed Attacks on Orgs in India, Russia
The downside to a lot of conventional, well-known malware is that it generally has signatures, artifacts, and traffic patterns that are easy for defenders to detect. But proxy tools are network tunneling tools that act as a middleman between victim and attacker. These are often more manual and require the attacker to bring their own tooling and are generally much stealthier than the typical backdoor.
In 2025, however, Webworm introduced two new backdoors to its repertoire. One is EchoCreep, which uses the popular chat application Discord to facilitate command and control (C2). The other is GraphWorm, which relies on the Microsoft Graph API for C2. ESET also observed Webworm staging malware and tools in GitHub repositories so the attackers can easily download malware onto the victim's machine.
Webworm's Discord and Microsoft Graph C2
Webworm continues the trend of threat actors using novel approaches to facilitate C2. Creative C2 approaches seen over the last year or two include Google Calendar and the Solana blockchain.
ESET made its attribution based on its work decrypting Discord messages used by EchoCreep for C2, which ultimately led to a GitHub repository and the discovery of an IP address that matches a "known Webworm IP," Howard wrote.
The research mainly covers Webworm's 2025 activities, when it apparently abandoned Trochilus and McRat in favor of the new backdoors. The Chinese APT continues to use proxy solutions for encrypting communications as well as to support chaining between hosts internally and externally to a network. These proxy solutions include port forwarding and proxy tool iox as well as custom tools ChainWorm, SmuxProxy, WormFrp, and WormSocket.
Related:FCC Softens Ban on Foreign-Made Routers
"We believe that the operators use these tools in conjunction with SoftEther VPN to better cover their tracks and increase the stealth of their activities," the blog post read. "All Webworm proxies and VPN services are cloud servers that belong to network infrastructure controlled by Vultr and IT7 Networks. Based on the number of proxy tools and their complexities, Webworm may be creating a much larger hidden network by tricking victims into running its proxies."
As for the new backdoors, ESET found based on analyzing 400 Discord messages that EchoCreep uses the chat service to upload files, send runtime reports, and receive commands. Webworm also uses crafted HTTP requests to pass network communications through Discord's API. For GraphWorm, the threat actor relies on OneDrive endpoints to get new jobs and upload victim information.
Different Discord servers are used for each EchoCreep victim, and similarly a different OneDrive directory for each GraphWorm victim.
Related:VoidStealer Malware Darts Past Google Chrome's Encryption
Separately, the blog post noted that the threat actor "had started using its custom proxy solution WormFrp to retrieve configurations from a compromised Amazon S3 bucket," further showing Webworm's continuous commitment to evolving its techniques.
How Organizations Can Get in Front of Webworm
The initial access vector (as well as much of the attack chain) remains unclear, though Howard noted Webworm uses open source vulnerability scanners to scrape web server files and directories for bugs in a target's network. This means that Webworm possibly targeted victims through vulnerabilities in their environment and deployed the backdoors post-compromise.
ESET's blog post contains indicators of compromise.
In an email, Howard tells Dark Reading that although he can't speak to what China is looking for from Europe or these victim environments, Webworm appears to be searching for pivot points or points of initial access to burrow "as far in as possible for the purposes of performing espionage."
As for what European organizations can do, the ESET researcher makes two suggestions. One, as vulnerability discovery appears to be a key focus for Webworm, orgs should keep systems patched and limit the exposure of assets. Two, they should review communication activities from non-standard processes and applications to endpoints like Discord, Microsoft Graph, or S3.
"Organizations should also be cognizant of data transfers to the same endpoints," he says, "especially when considering if it's not a part of the standard workflow."
Read more about:
Europe
About the Author
Alexander Culafi
Senior News Writer, Dark Reading
Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere.
At Dark Reading, he covers a variety of cybersecurity topics, including the cybercrime ecosystem, open source security, and the intersection between AI and threat actors. In his spare time, Alex hosts the weekly Nintendo podcast, "Talk Nintendo Podcast," and works on personal writing projects, including two previously self-published science fiction novels.
He has received numerous awards, including TechTarget's Writer of the Year in 2022 as well as more than 10 Azbee awards for his reporting between 2022 and today.
Want more Dark Reading stories in your Google search results?
ADD US NOW
More Insights
Industry Reports
How Organizations Are Managing Incident Response
How Enterprises Are Developing Secure Applications
Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy
How Enterprises Are Harnessing Emerging Technologies in Cybersecurity
Ditch the Data Center: Understanding Flexible Cloud Infrastructure Security Management
Access More Research
Webinars
Building SecOps That Make the Most of Every Dollar
AI-Powered Cybersecurity for Resource-Constrained Organizations
AI-Powered Credential Security: Intelligence Without Exposure
How Security Teams should apply Threat Intelligence into their Defenses
What is the Right Role for Identity Threat Detection and Response (ITDR) in Your Organization?
More Webinars
You May Also Like
ENDPOINT SECURITY
2 Separate Campaigns Probe Corporate LLMs for Secrets
by Elizabeth Montalbano, Contributing Writer
JAN 12, 2026
ENDPOINT SECURITY
Pro-Russian Hackers Use Linux VMs to Hide in Windows
by Alexander Culafi
NOV 04, 2025
ENDPOINT SECURITY
Chrome Store Features Extension Poisoned With Sophisticated Spyware
by Elizabeth Montalbano, Contributing Writer
JUL 07, 2025
ENDPOINT SECURITY
We've All Been Wrong: Phishing Training Doesn't Work
by Nate Nelson, Contributing Writer
JUL 01, 2025
Editor's Choice
THREAT INTELLIGENCE
From Stuxnet to ChatGPT: 20 News Events That Shaped Cyber
byDark Reading Editorial Team
MAY 6, 2026
31 MIN READ
CYBER RISK
Physical Cargo Theft Gets a Boost From Cybercriminals
byRobert Lemos
MAY 4, 2026
5 MIN READ
CYBER RISK
NSA Chief During Snowden Affair Shares Regrets, Reflections 13 Years Later
byDark Reading Editorial Team
APR 28, 2026
Want more Dark Reading stories in your Google search results?
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
SUBSCRIBE
RSAC 2026: key news & insights
At RSAC 2026, Dark Reading captured critical intelligence on AI, new attack methods, geopolitics, and much more
Get Your Recap
Webinars
Defending in the Shadow Era: When the CVE Feed Goes Dark
TUES, JUNE 16, 2026 AT 1PM EST
Building SecOps That Make the Most of Every Dollar
THURS, JULY 9, 2026 AT 1PM EST
AI-Powered Cybersecurity for Resource-Constrained Organizations
THURS, JUNE 18, 2026, AT 1PM EST
AI-Powered Credential Security: Intelligence Without Exposure
WED, JUNE 17, 2026, AT 1PM EST
How Security Teams should apply Threat Intelligence into their Defenses
THURS, JUNE 11, 2026 AT 1PM EST
More Webinars
BLACK HAT USA | MANDALAY BAY, LAS VEGAS
The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass.
GET YOUR PASS