China's Webworm Uses Discord, Microsoft Graphs to Hack EU Govts.

The advanced persistent threat group also relied on SOCKS proxies like SoftEther VPN, tunneling tools that act as a middleman between victim and attacker.

Alexander Culafi, Senior News Writer, Dark Reading
May 22, 2026

A China-backed persistent threat actor known as Webworm is targeting governmental organizations across Europe, and it's using unusual command-and-control mechanisms to do so.

Security vendor ESET this week published research detailing recent activity surrounding Webworm, a China-aligned APT group first reported on in 2022. Although the group initially began targeting organizations in Asia, ESET's Eric Howard wrote that the threat actor has shifted its focus to Europe, including governmental organizations in Belgium, Italy, Serbia, Spain, and Poland. Additional activity in South Africa has also been detected.

The research predominantly covers Webworm's activities between early 2024 and early 2025, as well as how its tactics, techniques, and procedures (TTPs) have evolved since 2022. The threat actor originally relied on well-known malware families like McRat and Trochilus, though it has more recently pivoted toward existing and custom proxy tools. In these cases, which were mainly observed in 2024, Webworm relied on "legitimate or semi-legitimate tools, such as SOCKS proxies (SoftEther VPN) and other networking solutions."
The downside to a lot of conventional, well-known malware is that it generally has signatures, artifacts, and traffic patterns that are easy for defenders to detect. But proxy tools are network tunneling tools that act as a middleman between victim and attacker. These are often more manual and require the attacker to bring their own tooling and are generally much stealthier than the typical backdoor.

In 2025, however, Webworm introduced two new backdoors to its repertoire. One is EchoCreep, which uses the popular chat application Discord to facilitate command and control (C2). The other is GraphWorm, which relies on the Microsoft Graph API for C2. ESET also observed Webworm staging malware and tools in GitHub repositories so the attackers can easily download malware onto the victim's machine.

Webworm's Discord and Microsoft Graph C2

Webworm continues the trend of threat actors using novel approaches to facilitate C2. Creative C2 approaches seen over the last year or two include Google Calendar and the Solana blockchain.

ESET made its attribution based on its work decrypting Discord messages used by EchoCreep for C2, which ultimately led to a GitHub repository and the discovery of an IP address that matches a "known Webworm IP," Howard wrote.

The research mainly covers Webworm's 2025 activities, when it apparently abandoned Trochilus and McRat in favor of the new backdoors. The Chinese APT continues to use proxy solutions for encrypting communications as well as to support chaining between hosts internally and externally to a network. These proxy solutions include port forwarding and proxy tool iox as well as custom tools ChainWorm, SmuxProxy, WormFrp, and WormSocket.
"We believe that the operators use these tools in conjunction with SoftEther VPN to better cover their tracks and increase the stealth of their activities," the blog post read. "All Webworm proxies and VPN services are cloud servers that belong to network infrastructure controlled by Vultr and IT7 Networks. Based on the number of proxy tools and their complexities, Webworm may be creating a much larger hidden network by tricking victims into running its proxies."

As for the new backdoors, ESET found based on analyzing 400 Discord messages that EchoCreep uses the chat service to upload files, send runtime reports, and receive commands. Webworm also uses crafted HTTP requests to pass network communications through Discord's API. For GraphWorm, the threat actor relies on OneDrive endpoints to get new jobs and upload victim information. Different Discord servers are used for each EchoCreep victim, and similarly a different OneDrive directory for each GraphWorm victim.

Separately, the blog post noted that the threat actor "had started using its custom proxy solution WormFrp to retrieve configurations from a compromised Amazon S3 bucket," further showing Webworm's continuous commitment to evolving its techniques.

How Organizations Can Get in Front of Webworm

The initial access vector (as well as much of the attack chain) remains unclear, though Howard noted Webworm uses open source vulnerability scanners to scrape web server files and directories for bugs in a target's network. This means that Webworm possibly targeted victims through vulnerabilities in their environment and deployed the backdoors post-compromise. ESET's blog post contains indicators of compromise.
In an email, Howard tells Dark Reading that although he can't speak to what China is looking for from Europe or these victim environments, Webworm appears to be searching for pivot points or points of initial access to burrow "as far in as possible for the purposes of performing espionage."

As for what European organizations can do, the ESET researcher makes two suggestions. One, as vulnerability discovery appears to be a key focus for Webworm, orgs should keep systems patched and limit the exposure of assets. Two, they should review communication activities from non-standard processes and applications to endpoints like Discord, Microsoft Graph, or S3. "Organizations should also be cognizant of data transfers to the same endpoints," he says, "especially when considering if it's not a part of the standard workflow."
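The second recommendation above, reviewing which processes talk to Discord, Microsoft Graph/OneDrive and S3 and how much they send, is the kind of check that can be run over endpoint network telemetry. The script below is an added example, not code from the article or from ESET's research: the CSV telemetry format, the sample records, the per-service process allowlist (`SERVICE_PROFILES`) and the `UPLOAD_BYTES_THRESHOLD` value are all constructed assumptions that a team would replace with its own EDR export and its own list of sanctioned applications.

```python
"""Flag non-standard processes talking to Discord, Microsoft Graph/OneDrive or S3.

Added example (not from the Dark Reading article or ESET's research): the
telemetry format, the process allowlist and the byte threshold below are
constructed assumptions for illustration.
"""
import csv
import io
from collections import defaultdict

# Constructed sample of endpoint network telemetry: one record per connection.
SAMPLE_TELEMETRY = """\
timestamp,host,process,dest_host,bytes_out
2025-03-10T09:01:02Z,WS-014,Discord.exe,gateway.discord.gg,2048
2025-03-10T09:02:17Z,WS-014,Teams.exe,graph.microsoft.com,5120
2025-03-10T09:05:44Z,WS-021,svchost.exe,discord.com,73400
2025-03-10T09:05:50Z,WS-021,svchost.exe,discord.com,12000
2025-03-10T09:07:01Z,SRV-DB2,updater.exe,graph.microsoft.com,90210
2025-03-10T09:09:33Z,SRV-DB2,updater.exe,my-org-files.s3.amazonaws.com,4096
2025-03-10T09:12:05Z,WS-030,OneDrive.exe,onedrive.live.com,1500
2025-03-10T09:15:00Z,WS-030,aws.exe,s3.eu-west-1.amazonaws.com,800
"""

# The cloud services the article names as C2/staging channels, keyed by the
# domain suffixes they are reached through, with the processes an organisation
# would normally expect to contact them (constructed allowlist; tune per site).
SERVICE_PROFILES = {
    "discord": {
        "suffixes": ("discord.com", "discord.gg", "discordapp.com"),
        "expected": {"discord.exe"},
    },
    "msgraph": {
        "suffixes": ("graph.microsoft.com", "onedrive.live.com", "1drv.ms"),
        "expected": {"teams.exe", "onedrive.exe", "outlook.exe"},
    },
    "s3": {
        "suffixes": ("amazonaws.com",),
        "expected": {"aws.exe", "python.exe"},
    },
}

# Assumed threshold: cumulative bytes sent per (host, process, service) above
# which an unexpected process is additionally flagged as a data-transfer concern.
UPLOAD_BYTES_THRESHOLD = 50_000


def classify_destination(dest_host):
    """Return the service name a destination host belongs to, or None."""
    host = dest_host.lower()
    for service, profile in SERVICE_PROFILES.items():
        for suffix in profile["suffixes"]:
            if host == suffix or host.endswith("." + suffix):
                return service
    return None


def parse_telemetry(text):
    """Parse the CSV telemetry into dicts, converting bytes_out to int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["bytes_out"] = int(row["bytes_out"])
        rows.append(row)
    return rows


def find_unexpected_cloud_traffic(rows, threshold=UPLOAD_BYTES_THRESHOLD):
    """Aggregate connections from processes that reach a monitored service
    without being on that service's allowlist. Returns one finding per
    (host, process, service), sorted, with a high_volume flag when the
    cumulative upload volume crosses the threshold."""
    totals = defaultdict(lambda: {"connections": 0, "bytes_out": 0})
    for row in rows:
        service = classify_destination(row["dest_host"])
        if service is None:
            continue  # not one of the services we are reviewing
        if row["process"].lower() in SERVICE_PROFILES[service]["expected"]:
            continue  # sanctioned application for this service
        key = (row["host"], row["process"], service)
        totals[key]["connections"] += 1
        totals[key]["bytes_out"] += row["bytes_out"]
    findings = []
    for (host, process, service), stats in sorted(totals.items()):
        findings.append({
            "host": host,
            "process": process,
            "service": service,
            "connections": stats["connections"],
            "bytes_out": stats["bytes_out"],
            "high_volume": stats["bytes_out"] >= threshold,
        })
    return findings


if __name__ == "__main__":
    for f in find_unexpected_cloud_traffic(parse_telemetry(SAMPLE_TELEMETRY)):
        flag = " HIGH-VOLUME" if f["high_volume"] else ""
        print(f"{f['host']} {f['process']} -> {f['service']}: "
              f"{f['connections']} conn, {f['bytes_out']} bytes{flag}")
```

On the constructed sample this reports `svchost.exe` on WS-021 reaching Discord and `updater.exe` on SRV-DB2 reaching both Microsoft Graph and S3, with the first two flagged as high-volume; the sanctioned Discord, Teams, OneDrive and AWS CLI traffic is ignored. The aggregation per host and process is deliberate: a single small request to one of these services is routine, while a process that is not the expected client and sends tens of kilobytes is the pattern worth a closer look.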