Chinese APT Webworm Targeted EU Governments Using Discord, Microsoft Graph
Key Points
- China-linked threat actor Webworm is expanding espionage operations, targeting EU government agencies using new backdoors for covert command-and-control (C2) operations.
- Webworm is increasingly abusing trusted platforms (e.g., Microsoft Graph, Discord, GitHub, and proxy tools) to blend malicious activity into normal enterprise traffic.
- IANS Faculty say even though these attacks are sophisticated, blocking unnecessary apps and enforcing “deny by default” policies can eliminate large parts of the threat surface.
Chinese threat actor Webworm is targeting European government organizations with custom backdoors designed for command-and-control (C2) operations.
Security researchers at ESET discovered that Webworm added two new backdoors to its attack arsenal in 2025. These new custom backdoors, which leverage Microsoft Graph and Discord to facilitate C2 communications, were first seen targeting organizations in Asia but were more recently used against several European government organizations.
"Attackers are using takedown-proof systems for command and control and exfiltration. Those systems are super resilient, but their use is a bit more suspicious in corporate environments. Webworm, and others, are using systems like the Microsoft Graph, GitHub, and Discord, which are not as resilient as takedown-proof systems, but are much stealthier." Guillaume Ross, IANS Faculty.
Webworm was first detected in 2022 and has been linked to other Chinese APT groups including SixLittleMonkeys and FishMonger. The group was first observed using malware families like McRat and Trochilus before pivoting to custom proxy tools.
Big Picture
Webworm is hiding its activity inside tools that either do not have a real enterprise use case or are legitimate but commonly misused by attackers, like SOCKS proxy software. Security teams can control a lot of this activity by enforcing basic controls.
"These attacks have used novel C2 methods, including over Gmail Calendar, Solana blockchain, and Discord - all of which are unlikely to have legitimate use in enterprise. Additionally, they often use legitimate SOCKS proxy tools. All of these can be detected and blocked with good security hygiene of 'deny all, permit by exception.' In the case of the SOCKS proxy tools, enforcement is usually easiest at the endpoint. In the case of the others, good network security controls will limit those." Jake Williams, IANS Faculty.
Webworm’s use of both trusted services and loosely controlled tools highlights how attackers can blend malicious activity into normal traffic when organizations lack strong application controls.
"Attackers 'living off the land' is a very common technique, where they use legitimate tools rather than malware to achieve their objectives. While this is often done with tools on a compromised system, this can also apply to other legitimate systems in place. For example, in an organization where there is already a lot of traffic to Discord, using Discord as command and control is quite stealthy." Guillaume Ross, IANS Faculty.
To combat these techniques, organizations should strengthen visibility into outbound traffic and monitor for abuse of legitimate services that fall outside normal enterprise behavior.
IANS Faculty Recommendations
- Maintain an allowlist of sanctioned SaaS/collaboration tools: Block everything else at the egress/DNS layer (exception process required, time-bound, and owned). Use protective DNS and proxy URL filtering to enforce this consistently, including for remote users. Blocking and monitoring for violations is your best bet for catching malware early.
- Define “no business use” classes: This includes consumer chat, anonymous file drop, crypto/blockchain services, and default-deny them via DNS categories/proxy rules; treat exceptions like third-party access (documented purpose, approver, expiration).
- Prepare IR plans: Incorporate realistic adversary scenarios into tabletop exercises and incident response plans and ensure teams can act on telemetry quickly (containment and eradication often hinge on fast detection of abnormal outbound communication and persistence signals).
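The first two recommendations above (a sanctioned-SaaS allowlist with time-bound, owned exceptions, plus default-denied "no business use" classes) can be expressed as a small egress policy check. The code below is an added example, not part of the IANS article or any product: the allowlist, deny categories, exception entries and proxy log lines are all hypothetical values constructed for the demonstration, and the log format (timestamp, host, user, destination domain) is assumed.

```python
from datetime import datetime, timezone

# Sanctioned SaaS/collaboration domains (hypothetical allowlist for an example org).
ALLOWLIST = {"login.microsoftonline.com", "outlook.office365.com"}

# "No business use" classes that are default-denied at the DNS/proxy layer.
DENY_CATEGORIES = {
    "consumer-chat": {"discord.com", "discordapp.com", "gateway.discord.gg"},
    "anonymous-file-drop": {"transfer.sh", "file.io"},
    "crypto-blockchain": {"api.mainnet-beta.solana.com"},
}

# Time-bound, owned exceptions: domain -> (owner, expiry). Hypothetical entries.
EXCEPTIONS = {
    "api.github.com": ("platform-eng", datetime(2025, 12, 31, tzinfo=timezone.utc)),
}

def classify(domain, when):
    """Verdict for an outbound request to `domain` observed at time `when`."""
    if any(domain == d or domain.endswith("." + d) for d in ALLOWLIST):
        return "allowed"
    if domain in EXCEPTIONS:
        _owner, expires = EXCEPTIONS[domain]
        return "exception" if when < expires else "expired-exception"
    for category, domains in DENY_CATEGORIES.items():
        if domain in domains:
            return "denied:" + category
    return "blocked-unknown"  # deny by default: neither sanctioned nor excepted

def flag_violations(log_lines):
    """Return (host, user, domain, verdict) for each request that is not plainly allowed."""
    findings = []
    for line in log_lines:
        ts, host, user, domain = line.split()  # constructed format: ts host user domain
        verdict = classify(domain, datetime.fromisoformat(ts))
        if verdict != "allowed":
            findings.append((host, user, domain, verdict))
    return findings

# Constructed sample proxy log, not real telemetry.
SAMPLE_LOG = [
    "2025-11-03T10:02:11+00:00 ws-17 jdoe login.microsoftonline.com",
    "2025-11-03T10:02:40+00:00 ws-17 jdoe gateway.discord.gg",
    "2025-11-03T11:15:05+00:00 srv-02 svc-build api.github.com",
    "2026-01-05T09:00:00+00:00 srv-02 svc-build api.github.com",
    "2025-11-03T12:30:22+00:00 ws-21 amy api.mainnet-beta.solana.com",
    "2025-11-03T12:31:00+00:00 ws-21 amy cdn.unknown-example.net",
]
```

Everything that is not "allowed" is a review item: denied categories and unknown destinations are policy violations, while an "expired-exception" verdict shows why exceptions need an expiry and an owner rather than living on indefinitely.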
Authors & Contributors
Emily Dempsey, Author, IANS News
Jake Williams, IANS Faculty
Guillaume Ross, IANS Faculty