A China-backed threat actor known as Webworm is targeting European governmental organizations, using Discord and the Microsoft Graph API for command-and-control (C2). Security vendor ESET, which documented the activity, describes Webworm's evolution from known malware to novel techniques, including SOCKS proxies for stealthy operations. The group has developed two new backdoors: EchoCreep, which uses Discord, and GraphWorm, which uses the Microsoft Graph API.
Webworm's methods now involve custom tools such as WormFrp for maintaining covert communications. The research underlines the need for organizations to patch systems and to monitor for unexpected communications, in particular C2 traffic that blends into legitimate cloud services such as Discord and Microsoft Graph, where the destination alone looks benign.
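Because both Discord and Microsoft Graph are legitimate, widely used services, blocking or alerting on the destination domain alone is not practical; the signal has to come from who is talking to them and how. The script below is an added example (not ESET's tooling and not code from the report) that runs two simple heuristics over constructed web-proxy log lines: Discord API traffic from hosts that have no business reason to use it, and beacon-like regularity in requests to either service. The host names, the Discord allowlist, the log format and the thresholds are all assumptions for the example; `discord.com` and `graph.microsoft.com` are the real public API endpoints of those services.

```python
"""Flag possible C2 hiding in Discord or Microsoft Graph traffic in web-proxy logs.

Added example; the log lines below are constructed, not taken from the report.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Public API endpoints of the two services named in the report.
DISCORD_DOMAINS = {"discord.com"}
GRAPH_DOMAINS = {"graph.microsoft.com"}
WATCHED_DOMAINS = DISCORD_DOMAINS | GRAPH_DOMAINS

# Assumption for the example: only the communications team's workstations are
# expected to use Discord. Graph is not allowlisted this way because in a
# Microsoft 365 environment nearly every host talks to it legitimately.
DISCORD_ALLOWED_HOSTS = {"ws-comms-02"}

# Constructed proxy log: "<ISO timestamp> <src_host> <dest_host> <path>"
SAMPLE_LOG = """\
2024-05-01T09:00:00 ws-fin-07 graph.microsoft.com /v1.0/me/drive/root/children
2024-05-01T09:00:30 ws-fin-07 graph.microsoft.com /v1.0/me/drive/root/children
2024-05-01T09:01:00 ws-fin-07 graph.microsoft.com /v1.0/me/drive/root/children
2024-05-01T09:01:30 ws-fin-07 graph.microsoft.com /v1.0/me/drive/root/children
2024-05-01T09:02:00 ws-fin-07 graph.microsoft.com /v1.0/me/drive/root/children
2024-05-01T09:00:05 ws-comms-02 discord.com /api/v10/channels/123/messages
2024-05-01T09:14:22 ws-comms-02 discord.com /api/v10/channels/123/messages
2024-05-01T09:47:01 ws-comms-02 discord.com /api/v10/gateway
2024-05-01T09:00:07 srv-dc-01 discord.com /api/v10/channels/456/messages
2024-05-01T09:05:07 srv-dc-01 discord.com /api/v10/channels/456/messages
2024-05-01T09:10:08 srv-dc-01 discord.com /api/v10/channels/456/messages
2024-05-01T09:15:07 srv-dc-01 discord.com /api/v10/channels/456/messages
2024-05-01T09:03:10 ws-hr-11 www.example.org /index.html
"""


def parse(log_text):
    """Parse the constructed log format into (timestamp, src, dest, path) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dest, path = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), src, dest, path))
    return events


def find_suspicious(log_text, min_events=4, max_cv=0.15):
    """Return findings for (src, dest) pairs that look like cloud-hosted C2.

    Heuristic 1: Discord API traffic from a host outside the allowlist.
    Heuristic 2: beaconing, i.e. at least `min_events` requests whose
    inter-arrival times have a coefficient of variation below `max_cv`.
    Thresholds are assumptions for the example and need tuning per environment.
    """
    by_pair = defaultdict(list)
    for ts, src, dest, _path in parse(log_text):
        if dest in WATCHED_DOMAINS:
            by_pair[(src, dest)].append(ts)

    findings = []
    for (src, dest), stamps in sorted(by_pair.items()):
        reasons = []
        if dest in DISCORD_DOMAINS and src not in DISCORD_ALLOWED_HOSTS:
            reasons.append("Discord API traffic from non-allowlisted host")
        stamps.sort()
        if len(stamps) >= min_events:
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            avg = mean(gaps)
            # Near-constant gaps between requests are typical of a check-in loop.
            if avg > 0 and pstdev(gaps) / avg < max_cv:
                reasons.append(f"beacon-like interval ~{avg:.0f}s over {len(stamps)} requests")
        if reasons:
            findings.append({"src": src, "dest": dest, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(f"{finding['src']} -> {finding['dest']}: {'; '.join(finding['reasons'])}")
```

On the constructed data this flags `ws-fin-07` for a fixed 30-second check-in to Graph, and `srv-dc-01` both for Discord traffic from a server and for a near-constant five-minute interval, while the allowlisted communications workstation is left alone. A real implant can add jitter to defeat the interval check, so treat the output as a hunting lead to be joined with process, user and token data (which account or app registration issued the Graph calls, which process opened the Discord connection) rather than as a verdict.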