Webworm's New Backdoors Run on Discord and Microsoft OneDrive — and the China-Aligned APT Has Pivoted to Five European Governments
ESET documented Webworm, a China-aligned APT that pivoted from Asia to European governments. Its two new backdoors — EchoCreep and GraphWorm — run command-and-control entirely on Discord and Microsoft OneDrive, hiding inside the trusted cloud traffic every enterprise allowlists.
Webworm has operationalized legitimate cloud platforms as its entire command-and-control infrastructure — Discord for one backdoor, Microsoft Graph and OneDrive for another, a compromised AWS S3 bucket for proxy configuration. A defender watching for 'malicious infrastructure' sees only traffic to Discord, Microsoft, and Amazon. For a China-aligned APT that has just pivoted to five European governments, the detection problem is the story.
BRATISLAVA, SLOVAKIA — On May 20, 2026, ESET published research documenting the 2025 activity of Webworm, a China-aligned APT group that has shifted its focus from Asian targets to European governments. ESET observed Webworm compromising government organizations in Belgium, Italy, Poland, Serbia, and Spain, and separately breaching a university in South Africa. The campaign's centerpiece is two newly documented backdoors: EchoCreep, which abuses Discord to upload files, send runtime reports, and receive commands; and GraphWorm, which abuses the Microsoft Graph API — using OneDrive endpoints exclusively — for command-and-control. ESET researchers decrypted more than 400 Discord messages and recovered a bash history file from an attacker-operated server, exposing reconnaissance commands run against more than 50 unique targets. Webworm has also expanded its proxy toolkit with custom solutions named WormFrp, ChainWorm, SmuxProxy, and WormSocket, and was observed using WormFrp to retrieve configurations from a compromised AWS S3 bucket — letting it exfiltrate data while an unsuspecting victim foots the cloud bill.
What Happened
EchoCreep and GraphWorm: Two Backdoors, Two Trusted Clouds
The core of ESET's research is two newly documented backdoors, and what makes them notable is where their command-and-control traffic goes. EchoCreep uses Discord — the consumer chat platform — to upload files, send runtime reports back to its operators, and receive commands. GraphWorm uses the Microsoft Graph API, and does so through OneDrive endpoints exclusively, retrieving new jobs and uploading victim information through the same API surface that legitimate Microsoft 365 tooling uses every minute of every day. Neither backdoor talks to attacker-owned infrastructure. Both route their traffic through services that sit on essentially every enterprise allowlist on earth.
The Pivot From Asia to European Governments
Webworm has historically targeted organizations in Asia. ESET's 2025 analysis documents a deliberate shift: the group compromised government organizations in Belgium, Italy, Poland, Serbia, and Spain, and separately breached a university in South Africa. ESET attributes the activity to a China-aligned group — a phrasing worth preserving precisely, because 'China-aligned' is an alignment assessment, not a formal government attribution. The initial-access vector for the European government compromises has not been publicly detailed, and as of disclosure none of the five named governments had publicly confirmed a compromise. What is documented is the targeting pattern, and it places Webworm squarely inside the broader 2026 wave of China-aligned operations against European public-sector infrastructure.
The Investigation: 400 Decrypted Messages and a Recovered Bash History
ESET's visibility into Webworm is unusually deep. Researchers decrypted more than 400 Discord messages from an attacker-operated server and recovered a bash history file from one of the operators' own servers. That bash history contained reconnaissance commands run against more than 50 unique targets — an operational artifact that turns an inferred campaign into a documented one. The recovered material also exposed Webworm's expanded proxy toolkit: four custom-built proxy solutions named WormFrp, ChainWorm, SmuxProxy, and WormSocket. ESET observed WormFrp retrieving its configuration from a compromised AWS S3 bucket — which means Webworm was not only hiding inside trusted cloud traffic but exfiltrating through infrastructure an unwitting third party was paying for.
Scope and Impact
The detection challenge is the entire point. Webworm has built its command-and-control stack on Discord, Microsoft Graph and OneDrive, and AWS S3 — three of the most trusted, most universally allowlisted services in any enterprise network. A defender running a traditional 'block known-malicious infrastructure' program sees nothing wrong, because there is no malicious infrastructure to block. There is only traffic to Discord, Microsoft, and Amazon. This is the same tradecraft The CyberSignal has tracked across UNC6692's abuse of Microsoft Teams to pose as IT support and the broader nation-state move toward legitimate-service abuse. Against an actor operating this way, the detection question is no longer 'where is the traffic going' but 'which process is generating it, and is that expected.'
Webworm's pivot also has a strategic reading. The group is one more data point in a sustained pattern of China-aligned operations against European public-sector targets — a pattern that includes the China-linked Shadow-Earth-053 group found lurking in critical networks across Poland and Asian nations and Trend Micro's confirmation that the same group targets journalists and civil-society activists alongside governments and one NATO member state. Poland in particular appears repeatedly: it is among Webworm's five named government victims, and its own intelligence service broke a twelve-year public silence in May to warn that hackers had reached five municipal water-treatment plants. The throughline The CyberSignal has documented — most directly in the UK NCSC's 'perfect storm' assessment naming China as the most prolific driver of supply-chain infiltration — is that European government networks are now under continuous, multi-actor state-aligned pressure.
Response and Attribution
For government and public-sector defenders, ESET's research converts into specific hunts. GraphWorm can be hunted by auditing Microsoft Graph API access patterns for anomalous OneDrive endpoint traffic originating from non-user-driven processes — GraphWorm uses OneDrive exclusively, so a baseline of legitimate Graph usage makes its traffic stand out. EchoCreep can be hunted by monitoring for Discord API and CDN traffic from servers and non-user endpoints; Discord traffic from a domain controller or a government workstation with no business reason to reach Discord is a high-fidelity signal. AWS S3 access logs should be reviewed for unexpected external reads, and organizations should check whether their own S3 buckets are being used as third-party command-and-control infrastructure. Defenders should ingest ESET's published indicators — EchoCreep and GraphWorm hashes, Discord server identifiers, and the WormFrp, ChainWorm, SmuxProxy, and WormSocket proxy signatures — and sweep at least twelve months of historical telemetry.
The architectural lesson runs deeper than any single hunt. 'Allow Microsoft, allow Discord, allow AWS' is no longer a safe egress default for high-value environments. Network and cloud security architects should treat cloud-service abuse as a first-class threat: implement Microsoft Graph API conditional-access and scope restrictions, because GraphWorm depends on broad Graph access; build behavioral allowlists for which processes are permitted to reach trusted clouds; and treat Discord as a command-and-control channel in the threat model, because many enterprises do not monitor Discord traffic at all. For threat-intelligence and policy teams, Webworm's pivot is a signal to raise the group to active-tracking status if their organization supports EU government or public-sector clients — and a reason to engage Microsoft, Discord, and Amazon on the abuse-detection obligations that come with operating platforms now routinely used as attacker infrastructure.
The CyberSignal Analysis
Signal 01 — 'Block Malicious Infrastructure' Is Obsolete Tradecraft Against This Actor
For two decades, network defense has leaned on the idea that malicious traffic goes to identifiably malicious places — and that blocklisting those destinations buys real protection. Webworm breaks that model cleanly. Its entire C2 stack runs on Discord, Microsoft Graph and OneDrive, and AWS S3. There is no malicious domain to block, no attacker-owned IP to sinkhole. The only viable detection is behavioral: baselining which processes on which hosts are permitted to talk to trusted cloud services, and treating deviations as incidents. SOC and threat-hunting teams should internalize that the question has shifted from 'is this destination bad' to 'is this process supposed to be talking to this cloud at all.' Organizations that have not built that behavioral baseline have a genuine blind spot against Webworm-class actors.
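The hunts the Response section lays out (Graph and OneDrive traffic from non-user-driven processes, Discord traffic from servers and domain controllers, a behavioral allowlist of which processes may reach trusted clouds) and the baseline Signal 01 calls for all reduce to one check: is this process, on this kind of host, in this kind of session, expected to reach this cloud at all. The Python below is an added example of that check, not ESET's or The CyberSignal's code. The telemetry line format, host roles, process names and the allowlist itself are constructed assumptions; a real deployment would derive the baseline from its own EDR or proxy history.

```python
"""Behavioral egress baseline for trusted-cloud destinations (added example).

Instead of asking "is this destination malicious", ask "is this process on this
host expected to talk to this cloud". Telemetry lines, host roles, process names
and the baseline are constructed for the example and are not from the article.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Hostname suffixes that identify each trusted cloud (assumed, not exhaustive).
CLOUD_GROUPS = {
    "discord":  ("discord.com", "discordapp.com", "discord.gg", "discordapp.net"),
    "msgraph":  ("graph.microsoft.com",),
    "onedrive": ("onedrive.com", "1drv.com", "onedrive.live.com"),
    "s3":       ("amazonaws.com",),
}

# Behavioral allowlist: per host role, which process may reach which cloud group.
# Anything not listed is a deviation; domain controllers get no cloud egress at all.
BASELINE = {
    "workstation": {
        "onedrive.exe": {"onedrive", "msgraph"},
        "outlook.exe":  {"msgraph"},
        "teams.exe":    {"msgraph", "onedrive"},
        "msedge.exe":   {"msgraph", "onedrive", "discord"},
        "chrome.exe":   {"msgraph", "onedrive", "discord"},
    },
    "server": {
        "backupagent.exe": {"s3"},   # assumed S3-backed backup agent
    },
    "domain_controller": {},
}

EVENT_RE = re.compile(r"(\w+)=(\S+)")   # simplified key=value telemetry line (assumed format)

SAMPLE_EVENTS = [  # constructed telemetry, not real data
    "ts=2026-05-21T09:12:03Z host=ws-0412 role=workstation user=j.doe session=interactive proc=OneDrive.exe dest=graph.microsoft.com",
    "ts=2026-05-21T09:12:07Z host=ws-0412 role=workstation user=j.doe session=interactive proc=msedge.exe dest=cdn.discordapp.com",
    "ts=2026-05-21T09:13:40Z host=srv-file01 role=server user=SYSTEM session=service proc=updatesvc.exe dest=graph.microsoft.com",
    "ts=2026-05-21T09:14:02Z host=dc01 role=domain_controller user=SYSTEM session=service proc=wmiprvse.exe dest=gateway.discord.gg",
    "ts=2026-05-21T09:15:11Z host=ws-0877 role=workstation user=m.ruiz session=interactive proc=helper.exe dest=api.onedrive.com",
    "ts=2026-05-21T09:16:55Z host=srv-file01 role=server user=SYSTEM session=service proc=backupagent.exe dest=s3.eu-west-1.amazonaws.com",
    "ts=2026-05-21T09:17:30Z host=ws-0412 role=workstation user=j.doe session=interactive proc=OneDrive.exe dest=example.org",
]


@dataclass
class Finding:
    host: str
    proc: str
    dest: str
    group: str
    severity: str
    reason: str


def cloud_group(hostname: str) -> Optional[str]:
    """Map a destination hostname to a trusted-cloud group, or None if it is not one."""
    h = hostname.lower().rstrip(".")
    for group, suffixes in CLOUD_GROUPS.items():
        for s in suffixes:
            if h == s or h.endswith("." + s):
                return group
    return None


def parse_event(line: str) -> dict:
    return dict(EVENT_RE.findall(line))


def evaluate(lines):
    """Return one Finding per event that deviates from the process/host/cloud baseline."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        group = cloud_group(ev.get("dest", ""))
        if group is None:
            continue                      # not a trusted cloud we baseline; out of scope here
        role = ev.get("role", "unknown")
        proc = ev.get("proc", "").lower() # normalize case so OneDrive.exe matches onedrive.exe
        session = ev.get("session", "unknown")
        if group in BASELINE.get(role, {}).get(proc, set()):
            continue                      # expected process for this role and cloud
        # Servers, domain controllers and non-interactive sessions have no user to explain
        # cloud-chat or OneDrive traffic, so those deviations rank highest.
        if role in ("server", "domain_controller") or session != "interactive":
            severity = "high"
            reason = f"{role} host, {session} session: {proc} reached {group} ({ev['dest']})"
        else:
            severity = "medium"
            reason = f"unbaselined process {proc} reached {group} ({ev['dest']}) from an interactive session"
        findings.append(Finding(ev.get("host", "?"), proc, ev["dest"], group, severity, reason))
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host} {f.reason}")
```

Of the seven constructed events, only three surface: a service-session process on a file server reaching Graph, a domain controller reaching Discord, and an unlisted process on a workstation reaching OneDrive. The two legitimate OneDrive and browser events and the backup agent's S3 traffic pass silently, which is the point: the destination is identical in both groups, and only the process-and-host context separates them.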
Signal 02 — The Victim Pays the Cloud Bill
One detail in ESET's research deserves to be sat with. Webworm used WormFrp to pull its proxy configuration from a compromised AWS S3 bucket — meaning the group's infrastructure was, in part, running on storage that an unsuspecting third party was being billed for. This is more than a curiosity. It means the cost, the logs, and the nominal ownership of part of the attacker's operation belong to an innocent organization that may not know it has been drawn in. Every organization should monitor its own S3 buckets, and any comparable cloud storage, for use as someone else's command-and-control or staging infrastructure. A bucket with unexplained external reads is not just a data-exposure problem; it may be an active component of a nation-state campaign.
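As an added illustration of the S3 review that both the Response section and Signal 02 call for, the following Python parses lines laid out like Amazon S3 server access logs and flags successful object reads that come from anonymous or unknown principals, or from outside the organization's own address ranges. It is example code, not ESET's or The CyberSignal's; the log lines, bucket name, principal ID, request IDs and address ranges are all constructed for the example, and the set of "known" readers is an assumption a real team would replace with its own.

```python
"""Review S3 server access logs for unexpected external reads (added example).

Parses lines in the layout of Amazon S3 server access logs and flags successful
object reads not explained by a baseline of known principals and known source
networks. All sample data below is constructed; nothing here is from the article.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Assumed: the organization's own egress ranges and the principals expected to read the bucket.
KNOWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
KNOWN_PRINCIPALS = {"EXAMPLEOWNERCANONICALID"}

# Leading fields of the S3 server access log format, in order; later fields
# (version id, host id, signature version, ...) are kept in rec["extra"].
FIELD_NAMES = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
    "object_size", "total_time", "turnaround_time", "referer", "user_agent",
]
TOKEN_RE = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')   # [time], "quoted field", or bare token

SAMPLE_LOG = [  # constructed lines; placeholder IDs, RFC 5737 documentation addresses
    'EXAMPLEOWNERCANONICALID example-bucket [21/May/2026:02:14:09 +0000] 192.0.2.10 EXAMPLEOWNERCANONICALID REQID0001EXAMPLE REST.GET.OBJECT backups/daily.tar.gz "GET /example-bucket/backups/daily.tar.gz HTTP/1.1" 200 - 1048576 1048576 120 15 "-" "aws-cli/2.15.0" - EXAMPLEHOSTID SigV4 - AuthHeader example-bucket.s3.eu-west-1.amazonaws.com TLSV1.2 - -',
    'EXAMPLEOWNERCANONICALID example-bucket [21/May/2026:02:31:44 +0000] 203.0.113.45 - REQID0002EXAMPLE REST.GET.OBJECT shared/config.bin "GET /example-bucket/shared/config.bin HTTP/1.1" 200 - 2048 2048 30 12 "-" "curl/8.5.0" - EXAMPLEHOSTID - - - example-bucket.s3.eu-west-1.amazonaws.com TLSV1.2 - -',
    'EXAMPLEOWNERCANONICALID example-bucket [21/May/2026:02:31:46 +0000] 203.0.113.45 - REQID0003EXAMPLE REST.GET.OBJECT shared/relay.conf "GET /example-bucket/shared/relay.conf HTTP/1.1" 200 - 512 512 25 10 "-" "curl/8.5.0" - EXAMPLEHOSTID - - - example-bucket.s3.eu-west-1.amazonaws.com TLSV1.2 - -',
    'EXAMPLEOWNERCANONICALID example-bucket [21/May/2026:03:02:10 +0000] 198.51.100.7 EXAMPLEOWNERCANONICALID REQID0004EXAMPLE REST.GET.OBJECT backups/daily.tar.gz "GET /example-bucket/backups/daily.tar.gz HTTP/1.1" 200 - 1048576 1048576 140 18 "-" "aws-cli/2.15.0" - EXAMPLEHOSTID SigV4 - AuthHeader example-bucket.s3.eu-west-1.amazonaws.com TLSV1.2 - -',
    'EXAMPLEOWNERCANONICALID example-bucket [21/May/2026:03:05:00 +0000] 192.0.2.22 - REQID0005EXAMPLE REST.PUT.OBJECT uploads/new.bin "PUT /example-bucket/uploads/new.bin HTTP/1.1" 200 - - 4096 50 20 "-" "aws-sdk-go/1.44" - EXAMPLEHOSTID - - - example-bucket.s3.eu-west-1.amazonaws.com TLSV1.2 - -',
    'EXAMPLEOWNERCANONICALID example-bucket [21/May/2026:03:09:31 +0000] 203.0.113.99 - REQID0006EXAMPLE REST.GET.OBJECT private/report.pdf "GET /example-bucket/private/report.pdf HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "curl/8.5.0" - EXAMPLEHOSTID - - - example-bucket.s3.eu-west-1.amazonaws.com TLSV1.2 - -',
]


@dataclass
class Finding:
    time: str
    remote_ip: str
    requester: str
    key: str
    user_agent: str
    severity: str
    reason: str


def parse_s3_log_line(line: str):
    """Split one access-log line into named fields; None if it is too short to be one."""
    tokens = []
    for t in TOKEN_RE.findall(line):
        if len(t) >= 2 and (t[0], t[-1]) in (("[", "]"), ('"', '"')):
            t = t[1:-1]                   # drop the brackets around time and quotes around URI/UA
        tokens.append(t)
    if len(tokens) < len(FIELD_NAMES):
        return None
    rec = dict(zip(FIELD_NAMES, tokens))
    rec["extra"] = tokens[len(FIELD_NAMES):]
    return rec


def unexpected_external_reads(lines):
    """Flag successful object reads that the baseline of known readers does not explain."""
    findings = []
    for line in lines:
        rec = parse_s3_log_line(line)
        if rec is None or rec["operation"] != "REST.GET.OBJECT":
            continue                      # only object reads matter for this hunt
        if rec["http_status"] not in ("200", "206"):
            continue                      # denied or failed reads moved no data
        ip = ipaddress.ip_address(rec["remote_ip"])
        internal = any(ip in net for net in KNOWN_NETWORKS)
        anonymous = rec["requester"] == "-"
        known = rec["requester"] in KNOWN_PRINCIPALS
        if internal and known:
            continue                      # expected reader from an expected place
        reasons = []
        if anonymous:
            reasons.append("anonymous read")
        elif not known:
            reasons.append("unknown principal")
        if not internal:
            reasons.append("external source IP")
        severity = "high" if (anonymous or not known) else "medium"
        findings.append(Finding(rec["time"], rec["remote_ip"], rec["requester"],
                                rec["key"], rec["user_agent"], severity, "; ".join(reasons)))
    return findings


def reads_by_source(findings):
    """Count flagged reads per source IP; one external address pulling several objects is the pattern to chase."""
    return Counter(f.remote_ip for f in findings)


if __name__ == "__main__":
    found = unexpected_external_reads(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity}] {f.time} {f.remote_ip} {f.requester} {f.key} ({f.reason})")
    print(dict(reads_by_source(found)))
```

On the constructed sample, the two anonymous reads from a single external address rank high, a known principal reading from an outside address ranks medium for a human to confirm, and the internal upload and the denied read are ignored. Bucket owners reviewing real logs should expect far more noise from legitimate readers, which is why the known-principal and known-network sets have to come from the organization's own records rather than from the example.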
Signal 03 — Webworm Is Corroborating Evidence of Sustained Pressure on European Governments
Webworm should not be read in isolation. It is one actor in a documented, multi-actor pattern of state-aligned operations against European public-sector infrastructure. Paired with the Shadow-Earth-053 intrusions across Poland and Asia and the UK NCSC's assessment naming China as the most prolific supply-chain infiltrator, Webworm strengthens the case that European government networks face continuous, well-resourced espionage pressure rather than episodic attacks. CISOs and policy teams supporting EU member-state governments should fold Webworm into board and regulator briefings as part of that larger picture — and should treat the legitimate-cloud-abuse pattern as a policy problem as much as a technical one, because the platforms being abused are the same ones every organization depends on.