Webworm hides C2 traffic in Discord and Microsoft OneDrive

Webworm, a China-aligned APT group, is hiding command-and-control traffic inside Discord channels and Microsoft OneDrive folders to steal data from European governments. The campaign matters to businesses because every minute Webworm operates, its traffic looks like normal SaaS activity. Standard egress controls and EDR rarely flag it.
What ESET found in the Webworm 2025 campaign
ESET researcher Eric Howard published findings on May 20, 2026 detailing fresh activity from Webworm, a China-aligned advanced persistent threat (APT) group active since at least 2022. The group has added two new backdoors to its toolkit — EchoCreep and GraphWorm — and shifted from targeting Russia and Mongolia toward governmental organizations in Belgium, Italy, Poland, Serbia, Spain, and South Africa.
Webworm was first publicly documented by Broadcom-owned Symantec in September 2022. ESET reports the group has now abandoned older remote access tools like Trochilus RAT and 9002 RAT (also called McRat). In their place sit two stealthier backdoors and four custom proxy utilities: WormFrp, ChainWorm, SmuxProxy, and WormSocket.
The numbers from the investigation matter. ESET decrypted 433 Discord messages tied to one of the backdoors and recovered a bash history file showing reconnaissance commands run against more than 50 unique targets. The first confirmed victim compromise traced through Discord activity dates to April 9, 2025.
"In 2025, Webworm also added two new backdoors to its toolset: EchoCreep, which uses Discord for C&C communication, and GraphWorm, which uses Microsoft Graph API for the same purpose," wrote ESET researcher Eric Howard in the published analysis.
The group also overlaps with three other tracked Chinese clusters — FishMonger (also known as Aquatic Panda), SixLittleMonkeys, and Space Pirates — which gives Western defenders a long-running threat-actor profile to work from. This is a four-year-old espionage operation that just changed its plumbing.
How does EchoCreep use Discord as a command channel?
EchoCreep is a Go-based backdoor that turns Discord into a remote command system for the attacker. Each victim gets a dedicated Discord channel where the operator sends commands as text messages and receives stolen files as attachments. The backdoor encrypts the messages with AES, encodes them in base64, and routes the traffic through Discord's normal API. To a firewall watching outbound traffic, this looks like a regular Discord client.
ESET found four unique Discord channels in the campaign, each named after a victim's IP address or hostname, suggesting four confirmed victims at the time of the report. Channels were created before the backdoor was even deployed, which means Webworm operators had pre-staged infrastructure based on knowledge of their targets.
EchoCreep itself is small in capability — it supports four commands: upload files to Discord, download files from a URL, run a command inside cmd.exe, and sleep. That minimalism is the point. The backdoor does not need to be sophisticated when the C2 plumbing is hidden inside a service that nearly every enterprise allows through its perimeter.
ESET's Robert Lipovsky told Infosecurity Magazine that using Discord as a backdoor channel is not unprecedented, but it is still uncommon. That is changing. Discord now sits alongside Telegram and Pastebin as the cloud services attackers are turning to because they blend with normal user activity.
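An added detection example, not code from the article or from ESET's report: given egress logs that record the originating process, it flags any process outside a sanctioned client list that reads from or posts to Discord channel message endpoints, the poll-and-reply loop that EchoCreep's command-and-attachment exchange depends on. The log format, hostnames, process names and channel ids are constructed, and the sanctioned-process list is an assumption to tune per estate.

```python
import re
from collections import defaultdict

# Constructed egress log lines: "<host> <process> <method> <url>"; not real telemetry.
SAMPLE_LOGS = [
    "ws01 Discord.exe GET https://discord.com/api/v9/channels/111/messages?limit=50",
    "ws01 Discord.exe POST https://discord.com/api/v9/channels/111/messages",
    "ws02 updater.exe GET https://discord.com/api/v9/channels/222/messages?limit=50",
    "ws02 updater.exe GET https://discord.com/api/v9/channels/222/messages?limit=50",
    "ws02 updater.exe POST https://discord.com/api/v9/channels/222/messages",
    "ws03 chrome.exe GET https://discord.com/api/v9/users/@me",
]

# Processes expected to use the Discord API on a managed endpoint (assumption; tune per estate).
SANCTIONED = {"Discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|DELETE) (\S+)$")
# Channel message endpoint: GETs pull operator messages, POSTs return results or attachments.
CHANNEL_MSG_RE = re.compile(r"^https://discord\.com/api/v\d+/channels/(\d+)/messages")

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    host, proc, method, url = m.groups()
    return {"host": host, "process": proc, "method": method, "url": url}

def find_unsanctioned_channel_use(lines):
    """Return {(host, process): {channel_id: {"GET": n, "POST": n}}} for every
    process outside SANCTIONED that reads or posts to Discord channel messages."""
    hits = defaultdict(lambda: defaultdict(lambda: {"GET": 0, "POST": 0}))
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["process"] in SANCTIONED:
            continue
        m = CHANNEL_MSG_RE.match(rec["url"])
        if m is None or rec["method"] not in ("GET", "POST"):
            continue
        hits[(rec["host"], rec["process"])][m.group(1)][rec["method"]] += 1
    return {key: dict(chans) for key, chans in hits.items()}

def command_loop_channels(hits):
    """Channels an unsanctioned process both polls and posts to: the command/result loop."""
    return [(h, p, c) for (h, p), chans in hits.items()
            for c, n in chans.items() if n["GET"] and n["POST"]]
```

A sanctioned client that talks to a single channel at a fixed cadence is still worth a look, but the process allowlist alone already separates the constructed EchoCreep-style traffic from the real clients here.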
How does GraphWorm use Microsoft OneDrive for C2?
GraphWorm is a more advanced backdoor, also written in Go, that hides C2 inside Microsoft Graph API calls — the same API your Microsoft 365 tenant uses for everything from email to OneDrive. Each victim gets a unique OneDrive folder, with subfolders named /job, /result, and /files, that GraphWorm reads from and writes to. The operator drops commands into /job. The backdoor runs them and writes results into /result.
This means GraphWorm's outbound traffic terminates at graph.microsoft.com over HTTPS — an endpoint sitting on every enterprise allowlist. The backdoor supports a richer command set than EchoCreep, including spawning new cmd.exe sessions, executing arbitrary processes, uploading staged files via the Microsoft Graph /createUploadSession endpoint for large exfiltration, and stopping itself on operator command.
The exfiltrated data from this campaign was not theoretical. ESET reports that Webworm has used a compromised Amazon S3 bucket to stage configuration files and stolen artifacts, including virtual machine snapshots from a governmental entity in Italy and mRemoteNG remote connection configurations plus a Microsoft Visio infrastructure diagram from a governmental entity in Spain. The mRemoteNG file alone gives an attacker an inventory of remote access into the victim's environment.
Network defenders need to absorb the pattern. When an attacker stores its commands inside your own OneDrive tenant — or a Discord server it controls — the C2 channel is functionally invisible to traditional network security tools. The detection has to happen at the identity, behavior, and endpoint layers, not the network egress layer.
Why does this matter to mid-market and government businesses?
The Webworm campaign matters to any business that allows employees to use SaaS tools like OneDrive, Microsoft Teams, Discord, Slack, or Google Drive — which is nearly all of them. The technique of using a legitimate cloud service as a C2 channel is sometimes called "living off trusted services," and it has been climbing in frequency across both nation-state and commodity threat groups.
The business consequences are concrete. First, traditional egress firewalls and DNS filters cannot block Microsoft Graph or Discord without breaking productivity. Second, EDR tools see a legitimate Microsoft-signed process or a legitimate Discord client making expected API calls, so behavioral detection is harder. Third, when stolen data is staged inside the victim's own cloud tenant, data-loss-prevention tools struggle because the data never crosses the corporate boundary in a visible way.
The mid-market exposure here is sharper than it looks. A mid-market manufacturer, healthcare network, or law firm using Microsoft 365 has the same Microsoft Graph API surface area as a European government — and usually less monitoring on top of it. A fractional CISO working on Microsoft 365 risk should already be asking which non-human identities have Graph API permissions, what those tokens can access, and how anomalies in OneDrive activity would be detected.
The Symantec disclosure in September 2022 framed Webworm as an Asia-Pacific problem. Four years later it is not. With governmental targets confirmed across Belgium, Italy, Poland, Serbia, and Spain, the attack model is now active against organizations that look operationally similar to a typical American mid-market business.
What should businesses do about SaaS-based C2 channels?
The Webworm campaign is a stealth-C2 story, not a vulnerability story. The right response is not patching — it is rebuilding detection and monitoring around the assumption that attackers are using your own SaaS stack against you. A few priorities for the next thirty days, in order:
First, inventory which identities — human and service principal — have Microsoft Graph API permissions in your tenant, what scopes those tokens hold, and when they last authenticated from unexpected locations. The Microsoft Entra audit logs and sign-in logs are the foundation here. Most mid-market firms have never run that exercise, and it often surfaces as part of a broader risk assessment.
Second, baseline normal OneDrive and SharePoint activity. Webworm's GraphWorm creates new folders per victim and writes encrypted blobs into them. That pattern is detectable as unusual file-creation behavior in the Microsoft 365 unified audit logs — if you are looking. Defender for Cloud Apps and behavioral analytics in Microsoft Sentinel can flag this kind of activity.
Third, treat Discord, Telegram, and other consumer messaging platforms on corporate endpoints as the risks they are. For most regulated mid-market businesses, the right answer is blocking unsanctioned messaging applications at the endpoint layer, not the network. Where Discord is genuinely needed for community management or marketing, restrict it to specific users on monitored devices.
Fourth, run a tabletop exercise on a stealth-C2 scenario. The question is not "could we detect malware reaching out to a known bad IP?" The question is "if an attacker is staging data in our own OneDrive tenant, how would we know?" A vCISO or fractional CISO can run this exercise in a half-day. The answer is usually uncomfortable and useful.
At Purple Shield Security, the cloud security consulting work we do for Microsoft 365 and AWS-heavy clients tends to surface this exact gap. Identity-layer detection, Graph permissions hygiene, and SaaS-layer monitoring are now where most incident-response work for mid-market firms starts.
Frequently asked questions
Is my company a target if we are not a government entity?
ESET confirmed Webworm victims across governmental organizations and a university in five European countries and South Africa. The technique is portable, though. Any business using Microsoft 365 or allowing Discord on corporate endpoints has the same C2 surface area that Webworm is exploiting. Mid-market firms in defense supply chain, IT services, energy, and law are most exposed because they tend to hold the kind of intellectual property nation-state groups are interested in.
Can my firewall block Discord and OneDrive to prevent this?
Not realistically. Blocking Microsoft Graph (graph.microsoft.com) would break Microsoft 365 entirely. Blocking Discord on the network is possible but easily bypassed on personal devices and home networks, and it does not address the GraphWorm OneDrive variant at all. The control surface for this risk is identity, endpoint, and behavior — not network egress.
How would we know if GraphWorm was running in our environment?
Indicators include unusual OneDrive folder creation by non-human or service identities, large outbound /createUploadSession traffic from endpoints that do not normally push files, encrypted blobs in OneDrive with no clear business purpose, and registry Run-key modifications referencing unknown binaries. The Microsoft 365 unified audit log, Defender for Endpoint, and Microsoft Sentinel queries can all be tuned for this pattern. ESET has also published indicators of compromise (IoCs) and SHA-1 hashes in its public malware-ioc GitHub repository.
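An added example that serves both the GraphWorm folder layout described earlier and the indicators listed in this answer; it is not code from the article, ESET or Microsoft. It walks Microsoft 365 unified audit log records and flags any identity that creates the job/result/files trio under one OneDrive folder within a short window, then counts the files that identity later uploads beneath that folder. The records are constructed, the field subset (CreationTime, Operation, Workload, UserId, SourceRelativeUrl, SourceFileName) is assumed to match an exported audit log, and the 30-minute window is a tunable assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Working-folder layout ESET attributes to GraphWorm: /job, /result, /files under one per-victim folder.
GRAPHWORM_SUBFOLDERS = frozenset({"job", "result", "files"})

def ev(time, op, user, folder, name):
    # Subset of unified-audit-log fields assumed here: SourceRelativeUrl is the containing
    # folder, SourceFileName the created folder or uploaded file.
    return {"CreationTime": time, "Operation": op, "Workload": "OneDrive",
            "UserId": user, "SourceRelativeUrl": folder, "SourceFileName": name}

# Constructed sample records, not real tenant data.
SAMPLE_EVENTS = [
    ev("2025-06-01T08:01:10", "FolderCreated", "svc-sync@example.test", "Documents", "sync-a1b2"),
    ev("2025-06-01T08:01:12", "FolderCreated", "svc-sync@example.test", "Documents/sync-a1b2", "job"),
    ev("2025-06-01T08:01:13", "FolderCreated", "svc-sync@example.test", "Documents/sync-a1b2", "result"),
    ev("2025-06-01T08:01:14", "FolderCreated", "svc-sync@example.test", "Documents/sync-a1b2", "files"),
    ev("2025-06-01T08:15:00", "FileUploaded", "svc-sync@example.test", "Documents/sync-a1b2/result", "r0001.bin"),
    ev("2025-06-01T08:20:00", "FileUploaded", "svc-sync@example.test", "Documents/sync-a1b2/files", "stage.bin"),
    ev("2025-06-01T09:00:00", "FolderCreated", "alice@example.test", "Documents/Projects", "job"),
    ev("2025-06-01T09:05:00", "FileUploaded", "alice@example.test", "Documents/Projects", "report.docx"),
]

def detect_graphworm_layout(events, window=timedelta(minutes=30)):
    """Flag identities that create the job/result/files trio under one OneDrive
    folder within `window`, and count files they later upload beneath it."""
    created = defaultdict(dict)  # (user, parent folder) -> {subfolder: creation time}
    for e in events:
        if e["Workload"] == "OneDrive" and e["Operation"] == "FolderCreated":
            sub = e["SourceFileName"].lower()
            if sub in GRAPHWORM_SUBFOLDERS:
                key = (e["UserId"], e["SourceRelativeUrl"])
                created[key].setdefault(sub, datetime.fromisoformat(e["CreationTime"]))
    findings = []
    for (user, parent), subs in created.items():
        if not GRAPHWORM_SUBFOLDERS <= subs.keys():
            continue  # partial match only, e.g. a lone "job" folder in a project tree
        times = sorted(subs.values())
        if times[-1] - times[0] > window:
            continue  # created far apart; not the scripted setup pattern
        uploads = sum(1 for e in events if e["Operation"] == "FileUploaded"
                      and e["UserId"] == user and e["SourceRelativeUrl"].startswith(parent + "/"))
        findings.append({"user": user, "folder": parent,
                         "setup_seconds": int((times[-1] - times[0]).total_seconds()),
                         "uploads": uploads})
    return findings
```

The same grouping logic ports directly to a Sentinel KQL rule over the OfficeActivity table, where the upload count becomes the trigger for reviewing the identity's Graph permissions.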
Should we report this to CISA or law enforcement if we find it?
For US-based companies, yes — CISA's incident reporting page is the entry point, and the FBI's IC3 portal handles federal cybercrime reporting. For regulated industries, breach notification obligations under HIPAA, GLBA, the SEC cybersecurity disclosure rule, and applicable state laws may also apply. A vCISO or fractional CISO running incident response should be making the legal-counsel call within the first 24 hours of confirmation.
Talk it through
If your team has not run a stealth-C2 scenario through a tabletop exercise in the last six months, the Webworm campaign is a useful prompt. Purple Shield Security helps small, mid-market and regulated businesses think through cloud security, identity-layer detection, and Microsoft 365 risk in plain executive language. If you want a second set of eyes on whether your environment would see this kind of intrusion, that is a conversation worth having.
By Yonatan Hoorizadeh — CISSP, CISM, CRISC, AAISM
Published By: Purple Shield Security
Published: May 20, 2026
Last updated: May 20, 2026
