PROBABLYPWNED
Threat Intelligence | May 21, 2026 | 5 min read

Webworm APT Deploys Discord, MS Graph Backdoors Against Europe

ESET exposes Webworm's EchoCreep and GraphWorm backdoors targeting European governments. The China-aligned APT uses Discord and OneDrive for C2, hitting Belgium, Italy, Poland, and Spain.

Alex Kowalski

ESET researchers have exposed an expanded toolkit from Webworm, a China-aligned APT group that has shifted its focus from Asian targets to European governments. The group now deploys two custom backdoors—EchoCreep and GraphWorm—that abuse Discord and Microsoft Graph API for command-and-control communications, making detection significantly harder.

The research, published May 20, 2026, details attacks against government organizations in Belgium, Italy, Poland, Serbia, and Spain. ESET decrypted over 400 Discord messages from an attacker-operated server, revealing reconnaissance activity against more than 50 unique targets dating back to March 2024.

EchoCreep: Discord as C2

EchoCreep uses Discord's infrastructure to blend malicious traffic with legitimate corporate communications. Many organizations allow Discord for employee coordination, making it an effective cover channel.

The backdoor supports:

  • File upload/download via Discord attachments
  • Command execution through cmd.exe
  • Runtime reporting to attacker-controlled Discord servers

Discord's API provides reliable, encrypted communications that don't trigger the same network alerts as connections to suspicious IP addresses. The traffic looks like normal Discord usage—because it is, from a protocol perspective.

This technique isn't new, but its adoption by a state-aligned APT signals maturation. We've seen similar abuse of legitimate services for C2 in criminal malware campaigns. The difference is attribution and targeting: Webworm goes after government networks, not cryptocurrency wallets.

GraphWorm: Microsoft 365 as Infrastructure

GraphWorm represents a more sophisticated approach, leveraging Microsoft Graph API for C2 communications. ESET found it exclusively uses OneDrive endpoints for:

  1. Job retrieval — Fetching commands from attacker-controlled OneDrive locations
  2. Data exfiltration — Uploading victim information to cloud storage
  3. Session management — Spawning cmd.exe sessions and executing arbitrary processes
  4. Self-termination — Cleaning up on operator command

The Microsoft 365 integration makes detection even harder. Traffic to graph.microsoft.com and OneDrive APIs is expected in any organization using Microsoft cloud services. Distinguishing malicious API calls from legitimate ones requires behavioral analysis and user attribution.

Evolution of Webworm's Toolkit

Webworm has been active since at least 2022, initially documented by Symantec. The group previously relied on open-source tools like Trochilus RAT and 9002 RAT, but has since developed custom capabilities.

Their current toolkit includes:

Tool           Purpose
EchoCreep      Discord-based backdoor
GraphWorm      Microsoft Graph/OneDrive C2
WormFrp        Custom proxy
ChainWorm      Proxy chaining
SmuxProxy      Additional proxy capability
WormSocket     Network tunneling
SoftEther VPN  Traffic obfuscation

The shift to custom tools suggests operational security concerns—or simply that their open-source tools were becoming too detectable. Either way, defenders now face APT-grade custom malware rather than commodity RATs.

Target Expansion to Europe

Webworm originally focused on Asian targets, including Russia, Georgia, Mongolia, and several Southeast Asian nations. The European expansion represents a strategic shift toward NATO-aligned governments.

ESET identified targeting across multiple sectors:

  • Government agencies (primary focus)
  • IT services (potential supply chain angle)
  • Aerospace (defense and dual-use technology)
  • Electric power (critical infrastructure)

The aerospace and power sector targeting aligns with Chinese strategic interests in technology acquisition and critical infrastructure mapping. This mirrors activity from other China-aligned groups we've covered, including APT28's targeting of maritime transport.

Initial Access and Reconnaissance

ESET observed Webworm using web server enumeration tools—dirsearch and nuclei—for initial reconnaissance. These tools automate vulnerability discovery and brute-force enumeration of paths on exposed web applications.

Specific initial compromise vectors remain undisclosed, but the tooling suggests the group targets externally-facing infrastructure before deploying backdoors. Organizations with exposed web applications, VPN portals, or management interfaces should consider themselves potential targets.

Detection Challenges

Both backdoors present significant detection challenges:

Network-level detection fails because traffic goes to trusted services (Discord, Microsoft 365). You can't simply block these domains without breaking legitimate functionality.

Endpoint detection requires identifying the malware itself, but the backdoors use common system utilities (cmd.exe) and legitimate APIs. Behavioral analysis must distinguish malicious Graph API calls from normal OneDrive synchronization.

Cloud-side detection depends on Microsoft's and Discord's ability to identify malicious accounts—a responsibility that typically falls outside victim organizations' control.

Recommendations

Organizations potentially targeted by Webworm should:

  1. Audit Discord usage — Know which accounts access Discord from corporate networks and why
  2. Monitor Graph API activity — Look for unusual OneDrive access patterns, particularly automated downloads to non-standard locations
  3. Enable conditional access — Restrict Graph API access to managed devices and known applications
  4. Hunt for persistence — Check for unexpected scheduled tasks, startup entries, and service installations
  5. Review web application security — Ensure external-facing services are patched and hardened against enumeration
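One way to act on recommendations 1 and 2 above, and on the process-attribution point made under Detection Challenges, as an added example that is not from ESET's report or this article: attribute every Discord and Graph connection in endpoint network logs to its originating process and user, flag processes that have no business reaching those services, and flag low-jitter periodic check-ins that legitimate clients rarely produce. The log record format, field names, process allowlist and sample data are all assumptions constructed for the example.

```python
"""Hunt for C2 hidden in Discord / Microsoft Graph traffic using endpoint network logs."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Destinations abused by EchoCreep and GraphWorm; all are also used legitimately.
WATCHED = ("discord.com", "discordapp.com", "graph.microsoft.com")
# Processes expected to reach each service (assumption: tune to your own estate).
EXPECTED = {
    "discord.com": {"Discord.exe", "chrome.exe", "msedge.exe"},
    "discordapp.com": {"Discord.exe", "chrome.exe", "msedge.exe"},
    "graph.microsoft.com": {"OneDrive.exe", "Teams.exe", "OUTLOOK.EXE", "msedge.exe"},
}

def analyse(records, min_beacons=4, max_jitter=0.15):
    """Return findings as (kind, host, user, process, dst) tuples.

    'unattributed': a process outside EXPECTED reached a watched service.
    'beaconing': one (host, user, process, dst) tuple checked in at least
    min_beacons times with inter-arrival coefficient of variation <= max_jitter.
    """
    findings, seen, series = [], set(), defaultdict(list)
    for r in records:
        dst = next((d for d in WATCHED if r["dst"].endswith(d)), None)
        if dst is None:
            continue  # not a service these backdoors rely on
        key = (r["host"], r["user"], r["process"], dst)
        if r["process"] not in EXPECTED[dst] and key not in seen:
            seen.add(key)
            findings.append(("unattributed",) + key)
        series[key].append(datetime.fromisoformat(r["ts"]))
    for key, times in series.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # need at least two gaps for a meaningful spread; mean(gaps) > 0 avoids division by zero
        if len(times) >= max(min_beacons, 3) and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            findings.append(("beaconing",) + key)
    return findings

# Constructed sample log (hypothetical field names): one-minute check-ins from a
# non-allowlisted binary on WS-42 alongside the OneDrive client's irregular syncs.
def _rec(ts, host, user, process, dst):
    return {"ts": ts, "host": host, "user": user, "process": process, "dst": dst}

SAMPLE = [_rec(f"2026-05-20T09:0{m}:{s:02d}", "WS-42", "jdoe", "updater.exe", "discord.com")
          for m, s in ((0, 0), (1, 1), (2, 0), (3, 2), (4, 0))] + [
    _rec("2026-05-20T09:00:30", "WS-07", "asmith", "OneDrive.exe", "graph.microsoft.com"),
    _rec("2026-05-20T09:12:10", "WS-07", "asmith", "OneDrive.exe", "graph.microsoft.com"),
    _rec("2026-05-20T09:47:55", "WS-07", "asmith", "OneDrive.exe", "graph.microsoft.com"),
    _rec("2026-05-20T10:15:00", "WS-42", "jdoe", "winhlp.exe", "graph.microsoft.com"),
    _rec("2026-05-20T10:20:00", "WS-42", "jdoe", "winhlp.exe", "graph.microsoft.com"),
    _rec("2026-05-20T09:05:00", "WS-07", "asmith", "msedge.exe", "discord.com"),
]
```

Run against real EDR or proxy telemetry, the two findings to triage first are the ones that combine both signals, since a regular cadence from an unattributed binary is exactly the pattern neither the Discord client nor OneDrive synchronization produces.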

For deeper context on Chinese APT operations and their evolution, see our recommended reading on state-sponsored cyber operations.

Attribution Confidence

ESET notes potential overlaps between Webworm and other China-nexus clusters, including FishMonger (Aquatic Panda) and SixLittleMonkeys. However, researchers characterize these connections as "tenuous" due to the groups' shared reliance on open-source tooling and similar techniques.

Attribution in this space remains challenging. What's clear is that a capable, persistent threat actor is actively targeting European government infrastructure using sophisticated custom tooling. The specific label matters less than the operational reality.
