Webworm Uses Discord and MS Graph API for Cyber Attacks

Cybersecurity researchers have identified new activities from the China-associated threat actor Webworm, which is deploying custom backdoors in 2025. These backdoors utilize Discord and the Microsoft Graph API for communication in Command-and-Control (C2) operations. Webworm was first publicly documented by Symantec, a subsidiary of Broadcom, in September 2022 and has been actively monitored since at least 2022. The current attacks primarily target government agencies, indicating a strategic focus of the actor. The use of Discord as a communication channel is particularly noteworthy, as this platform is typically used for social interactions.

The researchers emphasize that the choice of this platform complicates the detection of the attacks, as it is generally not associated with malicious activities. The backdoors implemented by Webworm are specifically designed to infiltrate existing systems and operate unnoticed. Utilizing the Microsoft Graph API allows the attackers to access a variety of Microsoft services, increasing the reach and effectiveness of their attacks. This technique could enable Webworm to exfiltrate data or install additional malware. The security situation is exacerbated by the fact that Webworm has successfully conducted attacks on various government entities in the past.
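One way to approach the detection problem described above, as an added example that is not from the article or the researchers: hunt endpoint network telemetry for processes that reach Discord or Microsoft Graph hosts without being on an expected-application list, and mark evenly spaced connections that look like automated polling. The log format, host names, process paths and allow-list are constructed assumptions, not indicators from the report.

```python
import csv, io
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Public hostnames of the two services; the article names no endpoints (assumption).
WATCHED = ("discord.com", "discordapp.com", "graph.microsoft.com")
# Hypothetical allow-list of process images expected to use those services.
ALLOWED = {"discord.exe", "msedge.exe", "chrome.exe", "outlook.exe", "teams.exe"}

# Constructed sample telemetry: timestamp, host, process image, destination host.
SAMPLE = r"""
2025-03-01T09:00:00,GOV-WS01,C:\Program Files\Microsoft Office\OUTLOOK.EXE,graph.microsoft.com
2025-03-01T09:00:10,GOV-WS02,C:\ProgramData\upd\svcupd.exe,discord.com
2025-03-01T09:05:10,GOV-WS02,C:\ProgramData\upd\svcupd.exe,discord.com
2025-03-01T09:10:10,GOV-WS02,C:\ProgramData\upd\svcupd.exe,discord.com
2025-03-01T09:15:10,GOV-WS02,C:\ProgramData\upd\svcupd.exe,discord.com
2025-03-01T09:20:00,GOV-WS03,C:\Users\a\AppData\Local\Discord\Discord.exe,cdn.discordapp.com
2025-03-01T10:02:00,GOV-SRV1,C:\Windows\Temp\helper.exe,graph.microsoft.com
""".strip()

def watched(dest):
    """True if dest is a watched domain or one of its subdomains."""
    dest = dest.lower().rstrip(".")
    return any(dest == d or dest.endswith("." + d) for d in WATCHED)

def hunt(log_text, allowed=ALLOWED):
    """Return one finding per (host, image, destination) outside the allow-list."""
    seen = defaultdict(list)
    for ts, host, image, dest in csv.reader(io.StringIO(log_text)):
        # Image names can be spoofed; pair this with path and signer checks.
        name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if watched(dest) and name not in allowed:
            seen[(host, image, dest.lower())].append(datetime.fromisoformat(ts))
    findings = []
    for (host, image, dest), times in sorted(seen.items()):
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Near-constant gaps suggest scheduled polling rather than a person.
        regular = len(gaps) >= 3 and pstdev(gaps) <= 0.1 * mean(gaps)
        findings.append({"host": host, "image": image, "dest": dest,
                         "count": len(times), "regular": regular})
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE):
        print(finding)
```

A finding is a lead for triage, not a verdict: legitimate automation also calls the Graph API, so the allow-list has to reflect what actually runs in the environment.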

Researchers have found that the group possesses significant technical capabilities that allow it to continuously refine its attacks. The threat posed by Webworm is assessed as high, especially considering the geopolitical tensions. Another aspect of the attacks is the use of social engineering techniques to trick users into clicking malicious links or downloading harmful software. These tactics are designed to circumvent the security measures of the targeted organizations. The researchers warn that such methods, combined with Webworm's technical capabilities, could pose a serious threat to national security.

Responding to this threat requires enhanced collaboration between security agencies and the affected organizations. Experts recommend that government agencies review and update their security protocols to better prepare against such attacks. Implementing layered security measures could help minimize risks. The discovery of these new attacks has also reignited the discussion about the need for training for employees in government agencies. Awareness training could help reduce the likelihood of employees falling victim to social engineering attacks.

Researchers emphasize that the human component often represents the weakest link in the security architecture. The activities of Webworm are part of a larger trend where state-sponsored actors increasingly utilize modern communication tools to achieve their objectives. The combination of technical sophistication and psychological manipulation techniques presents a significant challenge for cybersecurity. Researchers advise closely monitoring developments in this area. The security gap exploited by Webworm could have far-reaching consequences.

Researchers estimate that the attacks could potentially affect thousands of systems worldwide. The exact number of affected systems is currently being determined, as investigations are still ongoing. The threat posed by Webworm underscores the necessity of taking proactive cybersecurity measures. Researchers recommend that organizations regularly review and adjust their security infrastructure to counter new threats.

Continuous monitoring and analysis of cyber threats remain crucial for timely responses to attacks. Security agencies have already begun collecting and evaluating information on Webworm's activities. A report on the latest developments is expected in the coming weeks to inform the public and affected organizations about the risks. Researchers emphasize that collaboration among various stakeholders in the cybersecurity landscape is essential to effectively combat the threat posed by Webworm.

Tags: Cybersecurity, Webworm, Discord, Microsoft Graph API, Threat Actors, Government Agencies
