
Webworm Group Uses Discord for Attacks
TL;DR: A China-aligned hacking group known as Webworm is using new custom backdoors, EchoCreep and GraphWorm. The group leverages popular services like Discord and the Microsoft Graph API for its command-and-control communications, primarily targeting government agencies with this updated tooling, according to recent cybersecurity research.
Key facts
- Category: Cybersecurity
- Impact: Low
- Published:
- Source: The Hacker News
Full summary
A China-aligned hacking group is using Discord and Microsoft's Graph API to control its new backdoors and attack government agencies.
Cybersecurity researchers have identified new activity from Webworm, a threat actor believed to be aligned with China. The group is deploying two custom backdoors, named EchoCreep and GraphWorm, in its latest campaigns. A key feature of these attacks is the use of legitimate, widely-used services for command-and-control (C2) communications. Specifically, the malware uses Discord and the Microsoft Graph API to send and receive commands, allowing the attackers to control compromised systems. This group, first detailed by Symantec in 2022, has a history of targeting government agencies and has been active since at least that year. The latest findings show a continued evolution of their tools and techniques to maintain stealth and persistence within target networks.
This approach of using trusted services for malicious purposes presents a significant challenge for defenders. By routing C2 traffic through platforms like Discord and Microsoft Graph, Webworm makes its activity difficult to distinguish from legitimate network traffic. This "living off the land" technique can bypass traditional security measures that rely on blocking known malicious IP addresses or domains, because the destinations are services that organizations already allow. The focus on government agencies suggests that the group's motives are likely related to espionage and intelligence gathering. For IT and security teams, this highlights the importance of monitoring for unusual API usage and implementing behavioral analysis to detect anomalies, even within traffic to and from trusted cloud services: which processes and hosts contact these services, and whether their request timing looks automated. The development of custom backdoors also indicates a well-resourced and determined adversary capable of creating specialized tools for its operations.
Why it matters
Attackers are increasingly using legitimate services like Discord and Microsoft APIs to hide their malicious activity, making detection much harder for security teams.
Business impact
The targeting of government agencies suggests a high risk of data theft and espionage, while the techniques used can bypass standard security defenses, putting sensitive information at risk.
Action checklist
1. Review logs for unusual Discord or MS Graph API traffic.
2. Harden endpoints to prevent initial backdoor installation.
3. Use behavioral analysis to detect C2 communications.
4. Update threat intelligence feeds with Webworm indicators.
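The first and third checklist items, reviewing logs for Discord or Graph API traffic and applying behavioral analysis to it, are illustrated below with an added detection example. It is not code from the article or from the researchers it summarizes. The proxy log format, the sample log lines, the host and process names, and the allowlist of processes expected to talk to each service are all constructed assumptions for this example; the allowlists in particular must be tuned to what is normal in your own environment.

```python
"""Flag proxy-log entries where Discord or Microsoft Graph endpoints are reached
by processes that are not the usual clients for those services, and flag
host/process pairs whose requests recur at a near-fixed interval.
Log format, sample lines, and allowlists are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<ISO time> <host> <process> <dest_fqdn> <method> <path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<dest>\S+) (?P<method>[A-Z]+) (?P<path>\S+)$"
)

# Service domains of interest, mapped to the client processes that are expected
# to use them. These allowlists are assumptions; adjust them to your estate.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
WATCHED = {
    "discord.com": BROWSERS | {"discord.exe"},
    "discordapp.com": BROWSERS | {"discord.exe"},
    "graph.microsoft.com": BROWSERS | {"outlook.exe", "teams.exe", "onedrive.exe"},
}

# Constructed sample lines (dates and hosts are made up). ws-01 and ws-03 show
# expected clients; ws-02 and ws-04 show unexpected processes beaconing.
SAMPLE_LOGS = [
    "2024-05-01T09:58:12 ws-01 msedge.exe discord.com GET /channels/@me",
    "2024-05-01T09:00:00 ws-04 updsvc.exe graph.microsoft.com GET /v1.0/me/drive/root/children",
    "2024-05-01T10:00:00 ws-02 netcache.exe discord.com POST /api/v10/channels/1/messages",
    "2024-05-01T10:03:40 ws-03 outlook.exe graph.microsoft.com GET /v1.0/me/messages",
    "2024-05-01T10:05:00 ws-02 netcache.exe discord.com POST /api/v10/channels/1/messages",
    "2024-05-01T09:10:02 ws-04 updsvc.exe graph.microsoft.com GET /v1.0/me/drive/root/children",
    "2024-05-01T10:10:00 ws-02 netcache.exe discord.com POST /api/v10/channels/1/messages",
    "this line is malformed and must be skipped",
    "2024-05-01T10:15:00 ws-02 netcache.exe discord.com POST /api/v10/channels/1/messages",
    "2024-05-01T09:19:58 ws-04 updsvc.exe graph.microsoft.com GET /v1.0/me/drive/root/children",
    "2024-05-01T11:21:07 ws-01 msedge.exe discord.com GET /channels/@me",
]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def watched_service(dest):
    """Return the watched domain that dest equals or is a subdomain of, else None."""
    dest = dest.lower()
    for domain in WATCHED:
        if dest == domain or dest.endswith("." + domain):
            return domain
    return None


def find_suspicious(lines, min_beacon_count=3, jitter_ratio=0.1):
    """Return findings of two kinds:
    - unexpected_process: a watched service reached by a process not on its allowlist
      (reported once per host/process/service)
    - beacon_like: at least min_beacon_count requests from one host/process to a
      service whose inter-request gaps all lie within jitter_ratio of their mean
    """
    findings = []
    unexpected = {}
    series = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        service = watched_service(rec["dest"])
        if service is None:
            continue
        proc = rec["proc"].lower()
        key = (rec["host"], proc, service)
        series[key].append(rec["ts"])
        if proc not in WATCHED[service] and key not in unexpected:
            unexpected[key] = rec["path"]
    for (host, proc, service), path in unexpected.items():
        findings.append({"type": "unexpected_process", "host": host,
                         "process": proc, "dest": service, "path": path})
    for (host, proc, service), times in series.items():
        if len(times) < min_beacon_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(abs(g - mean) for g in gaps) <= jitter_ratio * mean:
            findings.append({"type": "beacon_like", "host": host, "process": proc,
                             "dest": service, "interval_s": round(mean)})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOGS):
        print(f)
```

The two checks are deliberately independent: an allowlisted browser that beacons on a fixed schedule is still reported, and an unknown process is reported on its first request before any timing pattern exists. Unknown processes are reported once per host, process and service rather than per request so the output stays readable when the same process runs for hours.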
Primary source: The Hacker News