Webworm Leverages Discord and MS Graph API for C2

The China-aligned threat actor Webworm has resurfaced, employing custom backdoors that utilize Discord and Microsoft Graph API for command-and-control (C2) communications. The Hacker News reports that this activity, observed in early 2025, involves novel malware families dubbed EchoCreep and GraphWorm. Webworm, known since at least 2022, has a history of targeting government agencies, suggesting a continued focus on sensitive entities.

This reliance on legitimate, widely-used services like Discord and Microsoft Graph API for C2 is a well-worn tactic, but its continued effectiveness highlights a persistent challenge for defenders. These platforms are often whitelisted or have less stringent network traffic monitoring, making it harder to detect malicious C2 channels. The use of custom backdoors indicates a sophisticated actor investing in evasion techniques.

Defenders should prioritize scrutinizing network traffic for anomalous API calls to Microsoft Graph and unusual Discord activity, especially from government-related endpoints. Implementing stricter egress filtering and enhancing endpoint detection and response (EDR) capabilities to identify suspicious process behaviors associated with these C2 channels are critical steps.

What This Means For You

  • If your organization, particularly a government agency, uses Microsoft 365 or has employees active on Discord, audit your network logs for unusual API activity or Discord traffic patterns. Escalate alerts for any processes attempting to communicate via these channels without explicit business justification.
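As an added illustration (not code from the original report or from Symantec), the following Python sketch applies the audit described above to a constructed, hypothetical log format: it flags processes reaching the Microsoft Graph or Discord endpoints that are not on a per-destination allowlist of processes with a business reason to be there, and escalates a process that uses both channels, matching the dual-service backdoors the report describes. The log format, host names and allowlist are assumptions.

```python
import re
from collections import defaultdict

# Hypothetical endpoint/proxy log line format (constructed for this example):
#   <host> <process> <destination-fqdn> ua="<user-agent>"
LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+ua="([^"]*)"$')

# Services the report describes being abused for C2, mapped to the processes
# that have an ordinary business reason to contact them. The allowlist is an
# assumption; tune it to the software actually deployed in your estate.
EXPECTED_PROCESSES = {
    "graph.microsoft.com": {"outlook.exe", "teams.exe", "onedrive.exe"},
    "discord.com": {"discord.exe"},
}

# Constructed sample log lines, not real telemetry.
SAMPLE_LOGS = """\
ws-gov-017 OUTLOOK.EXE graph.microsoft.com ua="Microsoft Office/16.0"
ws-gov-017 Teams.exe graph.microsoft.com ua="Teams/1.6"
ws-gov-042 svchost_update.exe graph.microsoft.com ua="python-requests/2.31"
ws-gov-042 svchost_update.exe discord.com ua="python-requests/2.31"
ws-gov-103 Discord.exe discord.com ua="Discord/1.0.9"
ws-gov-088 rundll32.exe discord.com ua="Mozilla/5.0"
"""

def find_unexpected_cloud_c2(log_text):
    """Return (host, process, sorted destinations, severity) for processes
    reaching Graph or Discord without a known business use. A process that
    talks to more than one watched service is escalated to critical."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        host, proc, dest, _ua = m.groups()
        expected = EXPECTED_PROCESSES.get(dest.lower())
        if expected is None:
            continue  # destination is not one of the watched services
        if proc.lower() not in expected:
            hits[(host, proc)].add(dest.lower())
    findings = []
    for (host, proc), dests in sorted(hits.items()):
        severity = "critical" if len(dests) > 1 else "high"
        findings.append((host, proc, sorted(dests), severity))
    return findings

if __name__ == "__main__":
    for finding in find_unexpected_cloud_c2(SAMPLE_LOGS):
        print(finding)
```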

Related ATT&CK Techniques

  • T1071.004 Command and Control (severity: critical): Webworm EchoCreep/GraphWorm C2 via Discord API

Indicators of Compromise

ID                     | Type                | Indicator
-----------------------|---------------------|---------------------------------------------
Webworm-2025-Activity  | Backdoor            | EchoCreep backdoor
Webworm-2025-Activity  | Backdoor            | GraphWorm backdoor
Webworm-2025-Activity  | Command and Control | Discord API for C2 communications
Webworm-2025-Activity  | Command and Control | Microsoft Graph API for C2 communications
Webworm-2025-Activity  | Threat Actor        | China-aligned threat actor Webworm
