A China-aligned hacking group is routing its espionage operations through Discord and Microsoft’s own cloud infrastructure — using services so ubiquitous that blocking them would cripple legitimate business operations.
Webworm Deploys EchoCreep and GraphWorm to Blend Malicious Traffic with Cloud Services
Webworm, a China-aligned advanced persistent threat active since at least 2022, deployed two new custom backdoors — EchoCreep and GraphWorm — that abuse Discord channels and the Microsoft Graph API respectively as command-and-control infrastructure. The technique deliberately routes malicious communications through platforms that organizations cannot block without disrupting ordinary operations.
EchoCreep operates over Discord channels, supporting file upload and download along with command execution via cmd.exe. GraphWorm extends this capability through Microsoft Graph API and OneDrive: it can spawn new cmd.exe sessions, execute new processes, upload and download files to and from Microsoft OneDrive, and self-terminate on operator instruction.
Webworm’s Targeting Expansion from Asia into European NATO Members
Webworm’s historical targeting has concentrated on government agencies and enterprises in IT services, aerospace, and electric power sectors across Russia, Georgia, Mongolia, and multiple Asian nations. A recent campaign expansion brought the group’s operations to Belgium, Italy, Serbia, Poland, and Spain, as well as a South African university.
The expansion into European NATO member states is notable in context. Poland, which appears on Webworm’s new target list, is simultaneously targeted by Russian-backed APT groups conducting separate espionage operations against Polish government officials’ Signal accounts. The concurrent presence of both China-aligned and Russia-linked threat actors conducting active operations against Polish government targets places the country under simultaneous intelligence pressure from two nation-state actors.
Webworm further obfuscates its staging infrastructure with GitHub repositories that impersonate WordPress forks, and it uses SoftEther VPN for network tunneling. Analysis of Webworm’s Discord C2 infrastructure identified 433 commands transmitted via the C2 server since the earliest recorded activity on March 21, 2024.
Why Legitimate-Cloud C2 Defeats Network-Level Controls
The strategic logic behind using Discord and Microsoft OneDrive for C2 is that network-layer defenses cannot block these services without significant operational consequences. Enterprises rely on Microsoft’s cloud ecosystem for daily work, and Discord is widely used in developer and gaming communities. Firewall rules that block discord.com or graph.microsoft.com would terminate legitimate business activity.
This forces defenders to shift detection from network-layer blocking to behavioral analytics: identifying unusual patterns in how cloud services are accessed, when files are transferred, and which accounts generate anomalous API calls. That is a substantially more expensive and technically demanding detection posture than simply blocking traffic to known malicious IP addresses or domains.
Webworm joins Mustang Panda, APT41, and other China-linked groups that have adopted legitimate cloud platform C2 as a standard operational technique. The pattern reflects a broader shift in sophisticated APT operations away from custom C2 infrastructure — which generates detectable network signatures — toward legitimate services that blend in with normal enterprise traffic.
EchoCreep and GraphWorm Technical Reach
The two backdoors together provide Webworm operators with comprehensive post-compromise capability: file collection and exfiltration, remote command execution, process spawning, and the ability to terminate the implant remotely when operational security requires it. GraphWorm’s integration with Microsoft OneDrive means exfiltrated data transits Microsoft’s own content delivery infrastructure, indistinguishable at the network layer from an employee syncing documents.
For organizations in the sectors Webworm targets — government, aerospace, electric power, and IT services — detection depends on correlating endpoint telemetry with cloud access logs to identify abnormal patterns in API usage and file movement. Standard network perimeter controls offer limited value against implants that route all communications through allowed cloud services.
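As an added illustration of the endpoint-plus-cloud correlation described above (example code written for this page, not from the original reporting or any vendor tooling), the heuristic below flags any process that contacts discord.com or graph.microsoft.com without being on an assumed allow-list of expected clients, and escalates the finding when that same process spawns cmd.exe, which both backdoors do, within a short window. The telemetry format, allow-list, host names and sample events are constructed assumptions.

```python
"""Heuristic for legitimate-cloud C2: unexpected process reaches a cloud host,
then spawns cmd.exe nearby in time. Assumed telemetry format, constructed sample."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hosts named in the article as C2 transports (Discord, Microsoft Graph / OneDrive).
CLOUD_C2_HOSTS = {"discord.com", "graph.microsoft.com"}
# Assumed allow-list of images expected to reach those hosts; tune per estate.
EXPECTED_CLIENTS = {"onedrive.exe", "outlook.exe", "teams.exe", "msedge.exe", "discord.exe"}
WINDOW = timedelta(minutes=10)  # how close a cmd.exe spawn must be to a cloud contact

# Constructed sample telemetry: time|kind|host|pid|image|detail
# kind "net": detail is the destination host; kind "proc": detail is the child command line.
SAMPLE_EVENTS = """\
2025-01-15T09:00:01|net|WS-17|4120|onedrive.exe|graph.microsoft.com
2025-01-15T09:00:05|net|WS-17|5212|helper.exe|graph.microsoft.com
2025-01-15T09:00:09|proc|WS-17|5212|helper.exe|cmd.exe /c whoami
2025-01-15T09:01:30|net|WS-22|3301|discord.exe|discord.com
2025-01-15T09:02:00|net|WS-22|7780|update.exe|discord.com
2025-01-15T09:40:00|proc|WS-22|7780|update.exe|cmd.exe /c dir
"""


def parse_events(text):
    """Parse pipe-delimited lines into (timestamp, kind, host, pid, image, detail)."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, host, pid, image, detail = line.split("|", 5)
        events.append((datetime.fromisoformat(ts), kind, host, int(pid), image.lower(), detail))
    return events


def find_suspects(events, window=WINDOW):
    """Map (host, pid, image) -> severity label for processes worth triage."""
    contacts = defaultdict(list)  # unexpected processes that reached a cloud C2 host
    for ts, kind, host, pid, image, detail in events:
        if kind == "net" and detail in CLOUD_C2_HOSTS and image not in EXPECTED_CLIENTS:
            contacts[(host, pid, image)].append(ts)
    findings = {key: "unexpected-client" for key in contacts}
    for ts, kind, host, pid, image, detail in events:
        key = (host, pid, image)
        if kind == "proc" and detail.lower().startswith("cmd.exe") and key in contacts:
            if any(abs(ts - t) <= window for t in contacts[key]):  # shell spawned near contact
                findings[key] = "cloud-c2-with-shell"
    return findings


if __name__ == "__main__":
    for key, severity in sorted(find_suspects(parse_events(SAMPLE_EVENTS)).items()):
        print(severity, *key)
```

The onedrive.exe and discord.exe contacts produce nothing, the WS-22 process is only an unexpected client because its cmd.exe spawn falls outside the window, and the WS-17 process is escalated.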
