[TIMESTAMP: 2026-05-22 13:00 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Webworm Group Exploits Discord and MS Graph to Target EU Governments

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] China-linked group Webworm is actively targeting European government ministries using legitimate cloud services to bypass traditional perimeter security.
  • [02] Affected systems include government networks where Discord and Microsoft Graph API communications are not strictly monitored or restricted.
  • [03] Organizations should implement strict egress filtering and monitor for unauthorized use of SoftEther VPN and cloud-based API communication.

The China-nexus threat actor known as Webworm is currently conducting a sophisticated cyber-espionage campaign against European government entities, using legitimate cloud services to mask its malicious activity. By routing traffic through platforms such as Discord and the Microsoft Graph API, the APT group blends its command-and-control (C2) communications with routine business traffic, making detection significantly harder for traditional perimeter controls. According to Dark Reading, the group has also integrated SOCKS proxies and specialized tunneling tools to maintain persistence and facilitate lateral movement within compromised networks.

Technical Analysis of the Webworm Discord C2 Infrastructure

Webworm’s reliance on Discord for payload delivery and C2 management represents a calculated shift in the group’s tactics, techniques and procedures (TTPs). Discord’s Content Delivery Network (CDN) is frequently used to host malicious binaries. Since many organizations do not block Discord at the firewall level—because of its use in developer communities or as a communication tool—the initial malware download often goes unnoticed. Once executed, the malware uses Discord’s API to communicate back to the attackers, hiding the C2 traffic inside encrypted HTTPS streams directed at a trusted domain.

Further analysis reveals that the group employs customized backdoors that interact with the Microsoft Graph API. This interface allows the attackers to use legitimate Microsoft 365 services, such as OneDrive or Outlook, as a repository for exfiltrated data or as a source for further instructions. Because government agencies heavily rely on Microsoft’s ecosystem, traffic to these endpoints is rarely flagged as anomalous by a SIEM or automated monitoring tools.

Microsoft Graph API Abuse by APT Actors

The abuse of the Microsoft Graph API is particularly concerning because it bypasses many standard network defenses. By obtaining OAuth tokens, the attackers can interact with the API to upload or download files without establishing a direct connection to a known-malicious server. This technique renders many IP-based reputation filters obsolete. Security teams must look beyond the destination IP and analyze the nature of the API calls being made, specifically looking for unusual patterns in file uploads or account permissions that do not align with standard user behavior.

Network Tunneling and Detecting SoftEther VPN Tunneling

Beyond cloud API abuse, Webworm uses SoftEther VPN to create encrypted tunnels between the victim’s internal network and the attacker’s infrastructure. SoftEther is a versatile, open-source VPN package that can disguise its traffic as standard HTTPS (port 443), allowing it to pass through firewalls and deep packet inspection. In this campaign, SoftEther functions as a SOCKS proxy, giving the attackers a stable bridge for maintaining access even if individual malware components are identified and removed.

Defenders should prioritize detecting SoftEther VPN tunneling by monitoring for long-duration HTTPS connections to unfamiliar endpoints and looking for the installation of virtual network adapters on sensitive servers. An EDR solution can be configured to alert on the execution of SoftEther binaries or the modification of network interface configurations that typically accompany the deployment of such tools.
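The long-duration HTTPS heuristic above, as an added example that is not from the article or any vendor tool: it scans constructed connection records (assumed format) for port 443 flows to endpoints outside an assumed allowlist that stay open longer than an hour.

```python
from dataclasses import dataclass

# Constructed flow records (assumed format, not from the article): each tuple is
# (source host, destination, destination port, duration in seconds, bytes out).
CONSTRUCTED_FLOWS = [
    ("fileserver01", "graph.microsoft.com", 443, 45, 120_000),
    ("fileserver01", "203.0.113.77", 443, 14_400, 9_800_000),   # 4 h to an unfamiliar IP
    ("workstation12", "discord.com", 443, 30, 8_000),            # short, not flagged
    ("dc01", "198.51.100.9", 443, 7_200, 500_000),               # 2 h to an unfamiliar IP
    ("workstation12", "login.microsoftonline.com", 443, 5, 3_000),
    ("dc01", "198.51.100.9", 80, 9_000, 1_000),                  # not HTTPS, not flagged
]

# Assumed allowlist of endpoints the organisation expects to see on 443.
KNOWN_ENDPOINTS = {"graph.microsoft.com", "login.microsoftonline.com"}


@dataclass
class Alert:
    host: str
    dest: str
    duration_s: int
    bytes_out: int


def find_long_lived_https(flows, known, min_duration_s=3600):
    """Flag port-443 flows to endpoints outside the allowlist that stay open
    at least min_duration_s; a persistent VPN tunnel over 443 looks like this."""
    alerts = []
    for host, dest, port, duration, bytes_out in flows:
        if port != 443 or dest in known:
            continue
        if duration >= min_duration_s:
            alerts.append(Alert(host, dest, duration, bytes_out))
    return alerts


if __name__ == "__main__":
    for a in find_long_lived_https(CONSTRUCTED_FLOWS, KNOWN_ENDPOINTS):
        print(f"{a.host} -> {a.dest}: open {a.duration_s}s, {a.bytes_out} bytes out")
```

Tune min_duration_s and the allowlist to the environment; legitimate long-lived sessions (backup agents, persistent websockets) will need explicit entries rather than a higher global threshold.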

Actionable Recommendations for Defenders

To counter this threat, the SOC must move toward a Zero Trust architecture that scrutinizes all outgoing traffic, even to trusted cloud providers. Key mitigations include:

  • Restrict Cloud Storage and Messaging: Implement strict egress filtering to block access to Discord and other non-essential messaging platforms on sensitive government systems.
  • API Monitoring: Use advanced logging to monitor Microsoft Graph API activity. Alert on suspicious activity, such as a single account accessing an unusually high volume of files, or directories it does not typically interact with.
  • Traffic Analysis: Employ network traffic analysis (NTA) to identify high-volume, long-standing connections that characterize SOCKS proxying and VPN tunneling.
  • Credential Protection: Enforce multi-factor authentication (MFA) and monitor for the unauthorized generation of OAuth tokens, which are essential for Webworm’s use of Microsoft services.
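The API-monitoring recommendation above, as an added example that is not from the article or from Microsoft: it runs over constructed OneDrive audit events (assumed shape) and flags any account that exceeds a per-hour operation threshold or touches a folder outside its assumed baseline.

```python
from collections import defaultdict

# Constructed Graph/OneDrive audit events (assumed shape, not from the article):
# (timestamp in minutes since midnight, user principal, operation, item path).
CONSTRUCTED_EVENTS = [
    (540, "alice@ministry.example", "FileDownloaded", "/Finance/Q1/budget.xlsx"),
    (541, "alice@ministry.example", "FileDownloaded", "/Finance/Q1/notes.docx"),
    (600, "bob@ministry.example", "FileUploaded", "/Personal/report.docx"),
] + [
    # 60 downloads in one hour from a folder the account never used before
    (610 + i, "svc-backup@ministry.example", "FileDownloaded", f"/Policy/EU/doc{i}.pdf")
    for i in range(60)
]

# Assumed per-account baseline: folders each account normally touches.
BASELINE_FOLDERS = {
    "alice@ministry.example": {"/Finance/Q1"},
    "bob@ministry.example": {"/Personal"},
    "svc-backup@ministry.example": {"/Backups"},
}


def folder_of(path):
    return path.rsplit("/", 1)[0]


def find_anomalous_accounts(events, baseline, window_min=60, max_ops=50):
    """Return {account: [reasons]} for accounts that exceed max_ops operations
    in any window_min window or access a folder absent from their baseline."""
    by_user = defaultdict(list)
    for ts, user, op, path in events:
        by_user[user].append((ts, op, path))
    findings = {}
    for user, evs in by_user.items():
        evs.sort()
        reasons = set()
        for ts, _, _ in evs:  # sliding window anchored at each event
            if sum(1 for e in evs if ts <= e[0] < ts + window_min) > max_ops:
                reasons.add("high_volume")
        new_folders = {folder_of(p) for _, _, p in evs} - baseline.get(user, set())
        if new_folders:
            reasons.add("unfamiliar_folder")
        if reasons:
            findings[user] = sorted(reasons)
    return findings
```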
