
May 21, 2026 · 9 min read

A China-Linked Group Just Spent Two Years Running Its Malware Through Discord and Microsoft OneDrive—Because There Is No Suspicious Domain to Block When the C2 Is Microsoft's Own API

EchoCreep talks to Discord. GraphWorm talks to Microsoft Graph. Targets across Russia, Mongolia, Georgia, and now Belgium, Italy, and Poland never saw the traffic because it looked like normal corporate chat and cloud activity.

[Image: a dimly lit workspace with multiple laptops showing a chat interface and an email folder structure, representing malware that hides its command-and-control traffic in Discord and Microsoft cloud services]

What Happened

On May 20, 2026, The Hacker News reported new research on Webworm, a China-aligned threat group active since at least 2022 that has spent the past two years quietly exfiltrating data through two of the most heavily trusted services on the modern internet: Discord and the Microsoft Graph API.

Researchers attribute two new backdoors to the group. EchoCreep, a custom remote access tool, uses Discord's API as its command channel. GraphWorm, a more advanced backdoor, talks to Microsoft Graph and stages files in Microsoft OneDrive. Analysis of one Discord channel showed 433 total command messages dating back to March 21, 2024—more than a year of undetected operation.

Webworm's targets in 2026 include IT services, aerospace, and electric power firms in Russia, Georgia, Mongolia, and several Asian nations. The group has since expanded into Belgium, Italy, Serbia, Poland, Spain, and a South African university. The group overlaps with clusters tracked as FishMonger (Aquatic Panda), SixLittleMonkeys, and Space Pirates.

Why Discord and Microsoft Graph Are Perfect C2 Channels

The classic way to detect malware is to inspect network traffic for connections to known-bad domains or unusual destinations. Discord and Microsoft Graph defeat this approach by design. Discord's API is reachable from every corporate network where employees use Discord, an enormous footprint that grew during the pandemic. Microsoft Graph is the central API for Microsoft 365: any laptop with Outlook, OneDrive, Teams, or SharePoint speaks Graph constantly throughout the workday.

From a network defender's perspective, traffic to discord.com or graph.microsoft.com is indistinguishable from normal use. The TLS handshake is valid. The certificate is from the real vendor. The traffic patterns mimic what any employee with a Discord account or a OneDrive folder generates daily. Blocking either platform at the firewall would break legitimate business activity at most organizations.

Webworm picked these platforms for the same reason ransomware operators have been moving to cloud.google.com and github.io: hiding in legitimate infrastructure is now the default operational choice.

EchoCreep: Discord as a Command Line

EchoCreep is, by published descriptions, an ordinary remote-access backdoor with an extraordinary command channel. It supports file upload and download. It runs commands via cmd.exe. It can capture files from the infected host and ship them out. What makes it interesting is that all of these commands arrive through Discord messages posted to a private channel controlled by the operators.

When an operator wants the malware to do something, they post a message in the channel. The malware, polling the channel via Discord's bot API on an interval, parses the message and executes the command. Output is uploaded back as a Discord file attachment. The whole exchange looks—to a network monitor—like an employee scrolling through Discord on their lunch break.

The earliest message in the recovered channel dates to March 21, 2024. The total of 433 messages over fourteen months is not industrial-scale activity; it is targeted, patient work. Each command corresponds to an action against a specific victim.
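The polling pattern described above is also what gives EchoCreep-style traffic away. As an added illustration (not code from the article or from the researchers who analyzed the backdoor), the following Python script runs over constructed web-proxy log lines and flags two things a human Discord user does not produce: a source fetching one channel's message endpoint at a near-constant interval, and a POST to that endpoint carrying a large body, which is the shape of command output being uploaded as an attachment. The log format, the hosts, the channel ids and the thresholds are all assumptions made for the example.

```python
"""Beacon detection over web-proxy logs for Discord-API command polling.

Added example (not from the article or from the researchers): a bot-style
C2 client fetches one channel's message endpoint on a fixed timer, which is
visible in a proxy log as a low-jitter request series; a person scrolling
Discord is not. Log format, hosts, channel ids and thresholds are constructed
assumptions for this example.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log format: "<ISO timestamp> <src> <method> <host><path> <bytes>"
SAMPLE_LOG = """\
2024-03-21T09:00:00 10.1.4.22 GET discord.com/api/v10/channels/1111/messages?limit=5 812
2024-03-21T09:00:30 10.1.4.22 GET discord.com/api/v10/channels/1111/messages?limit=5 810
2024-03-21T09:01:00 10.1.4.22 GET discord.com/api/v10/channels/1111/messages?limit=5 815
2024-03-21T09:01:30 10.1.4.22 GET discord.com/api/v10/channels/1111/messages?limit=5 809
2024-03-21T09:02:00 10.1.4.22 GET discord.com/api/v10/channels/1111/messages?limit=5 811
2024-03-21T09:02:30 10.1.4.22 GET discord.com/api/v10/channels/1111/messages?limit=5 813
2024-03-21T09:02:31 10.1.4.22 POST discord.com/api/v10/channels/1111/messages 48211
2024-03-21T09:03:00 10.1.4.22 GET discord.com/api/v10/channels/1111/messages?limit=5 814
2024-03-21T09:00:07 10.1.4.57 GET discord.com/api/v10/channels/2222/messages?limit=50 5310
2024-03-21T09:00:12 10.1.4.57 GET graph.microsoft.com/v1.0/me/drive/root/children 2210
2024-03-21T09:03:41 10.1.4.57 GET discord.com/api/v10/channels/2222/messages?limit=50 4901
2024-03-21T09:04:02 10.1.4.57 GET discord.com/api/v10/channels/2222/messages?limit=50 6120
2024-03-21T09:17:55 10.1.4.57 GET discord.com/api/v10/channels/2222/messages?limit=50 5002
2024-03-21T09:18:10 10.1.4.57 GET discord.com/api/v10/channels/2222/messages?limit=50 4870
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>[^/\s]+)(?P<path>\S*) (?P<bytes>\d+)$"
)
# The Discord REST path for reading or posting messages in one channel.
CHANNEL_RE = re.compile(r"^/api/v\d+/channels/(?P<channel>\d+)/messages")


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "method": m["method"],
            "host": m["host"],
            "path": m["path"],
            "bytes": int(m["bytes"]),
        })
    return events


def find_polling_hosts(events, min_requests=5, max_cv=0.2, max_interval_s=300):
    """Return {(src, channel): stats} for sources whose GETs to one channel's
    message endpoint arrive at a near-constant interval (low coefficient of
    variation of the inter-request gaps)."""
    series = defaultdict(list)
    for e in events:
        if e["host"] != "discord.com" or e["method"] != "GET":
            continue
        m = CHANNEL_RE.match(e["path"])
        if m:
            series[(e["src"], m["channel"])].append(e["ts"])
    hits = {}
    for key, stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0 or avg > max_interval_s:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[key] = {"requests": len(stamps),
                         "mean_interval_s": round(avg, 1),
                         "cv": round(cv, 3)}
    return hits


def find_large_uploads(events, min_bytes=16384):
    """POSTs to a channel's messages endpoint with a large body: the shape of
    command output or a captured file going out as an attachment."""
    return [
        (e["src"], e["path"], e["bytes"])
        for e in events
        if e["host"] == "discord.com" and e["method"] == "POST"
        and CHANNEL_RE.match(e["path"]) and e["bytes"] >= min_bytes
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (src, channel), stats in find_polling_hosts(evs).items():
        print(f"POLLING  {src} -> channel {channel}: {stats}")
    for src, path, size in find_large_uploads(evs):
        print(f"UPLOAD   {src} POST {path} ({size} bytes)")
```

Against the constructed log, only 10.1.4.22 is reported: seven GETs exactly 30 seconds apart to channel 1111, plus a 48 KB POST to the same endpoint, while 10.1.4.57's irregular browsing of channel 2222 is left alone. An implant that randomizes its sleep will push the coefficient of variation up, so in practice this check is paired with per-host request counts over days rather than minutes; the 433-message channel in the research is the volume a defender would be looking at.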

GraphWorm: OneDrive as a Dead Drop

GraphWorm is the more sophisticated of the two. It uses Microsoft Graph API—the same API Outlook, OneDrive, and Teams use—to maintain a covert channel. Files uploaded to a specific OneDrive folder act as commands. Files dropped back into the same folder by GraphWorm act as exfiltrated data. Everything moves through Microsoft's own cloud infrastructure.

The backdoor's documented capabilities include spawning new cmd.exe sessions, executing arbitrary processes, uploading and downloading files to and from OneDrive, and a clean shutdown command that stops execution when the operator decides the access is done. The persistence is straightforward. The traffic is invisible.

Detecting GraphWorm requires either OAuth token monitoring (looking for tokens issued to unusual applications) or behavioral analysis at the OneDrive level (looking for activity from accounts that should not have any). Both are possible. Both are absent at most organizations.

The Target List Tells the Geopolitical Story

Webworm's original target set—Russia, Georgia, Mongolia, plus other Asian nations—is consistent with the intelligence priorities of a state aligned with China's strategic interests in its near abroad. The expansion into Europe is recent and notable. Italy, Belgium, Poland, Serbia, and Spain are each individually significant intelligence targets for reasons that vary by country: NATO infrastructure, EU politics, Western Balkans diplomacy, defense industry.

The sectors Webworm prefers—IT services, aerospace, electric power—are classic intellectual-property and strategic-infrastructure targets. The South African university addition is harder to fit neatly; researcher Sylvester Marvogenes told The Hacker News it suggests Webworm is also collecting information on academic research collaborations.

For journalists or activists tracking China-linked threat groups, Webworm fits a pattern visible across Gridtide, Gopher Whisper, and several other clusters: legitimate cloud infrastructure replacing custom C2 servers, low message volume, long-haul access, no rush.

The Infrastructure: A Poisoned WordPress Theme and Custom Proxies

Webworm's staging infrastructure includes a compromised GitHub repository that impersonates the WordPress project, used to host secondary payloads. The group also operates a SoftEther VPN backbone alongside several custom proxy tools the researchers named WormFrp, ChainWorm, SmuxProxy, and WormSocket. These tools mask the operator's true location, hop traffic through multiple cloud providers, and make attribution harder than it should be.

SoftEther is a legitimate, widely used VPN protocol with a long history in academic and open source deployments. As with Discord and Microsoft Graph, Webworm's use of SoftEther is hard to flag because plenty of legitimate users are doing the same thing.

What Defenders Should Do

  • Audit OAuth grants in Microsoft 365. Get-AzureADServicePrincipalOAuth2PermissionGrant lists every application that has been granted Graph API access. Anything you do not recognize—especially anything granted by users rather than administrators—gets revoked.
  • Block Discord at the gateway in environments where it has no business purpose. If your developers do not need Discord for work, your IT estate does not need to allow connections to it.
  • Monitor for unusual Microsoft Graph API patterns. Microsoft 365 Defender, Mimecast, and Vectra AI all have rules for "Graph API access from non-standard application client IDs."
  • Hunt for the known Webworm hashes. The Hacker News and the original research blog publish full IOC lists including binary hashes, file paths, and registry persistence patterns.
  • Disable cmd.exe spawning from Microsoft Office applications. The classic Office attack chain rides on Office spawning cmd; Microsoft's Attack Surface Reduction rules can shut this down without breaking legitimate workflows.
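The OAuth audit in the first bullet and the token monitoring mentioned under GraphWorm come down to the same triage rule: every grant is either recognized or revoked, and user-consented grants with broad file or mail scopes go first. The following Python, added here as an illustration and not taken from the article, from Microsoft, or from the researchers, applies that rule offline to records shaped like Microsoft Graph oauth2PermissionGrant objects (clientId, consentType, principalId, resourceId, scope). The grants, the service principal names, the approved list and the high-risk scope set are constructed for the example; in practice the input is the tenant's export from the cmdlet named above or a GET against https://graph.microsoft.com/v1.0/oauth2PermissionGrants.

```python
"""Offline triage of Microsoft 365 OAuth2 permission grants.

Added example, not from the article, Microsoft or the researchers. It scores
records shaped like Graph oauth2PermissionGrant objects: unknown client,
user consent rather than admin consent, and standing access to files or mail
each add a reason; unknown clients are marked for revocation.
All data below is constructed.
"""
import json

# Delegated scopes that give an application standing access to files and mail,
# the two things a Graph-based backdoor rides on. Constructed set; extend it
# to the tenant's own policy.
HIGH_RISK_SCOPES = {
    "Files.ReadWrite.All", "Files.ReadWrite",
    "Mail.Read", "Mail.ReadWrite", "offline_access",
}

# Constructed inventory: service principal object id -> display name.
SERVICE_PRINCIPALS = {
    "sp-0001": "Microsoft Teams",
    "sp-0002": "Contoso Expense Sync",
    "sp-0003": "OneDrive Helper Utility",
}

# Constructed allow-list of service principals IT has reviewed and approved.
APPROVED_CLIENT_IDS = {"sp-0001", "sp-0002"}

# Constructed export in the shape Graph returns for oauth2PermissionGrants.
# consentType "AllPrincipals" is admin consent; "Principal" is a single user's.
SAMPLE_GRANTS_JSON = json.dumps([
    {"id": "g1", "clientId": "sp-0001", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "graph", "scope": "User.Read Chat.Read"},
    {"id": "g2", "clientId": "sp-0002", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "graph", "scope": "User.Read Files.Read"},
    {"id": "g3", "clientId": "sp-0003", "consentType": "Principal",
     "principalId": "user-4711", "resourceId": "graph",
     "scope": "Files.ReadWrite.All offline_access User.Read"},
])


def triage_grants(grants_json, approved=APPROVED_CLIENT_IDS, names=SERVICE_PRINCIPALS):
    """Return one finding per grant that fails any check, with the reasons,
    the recommended action and the Graph call that removes the grant."""
    findings = []
    for g in json.loads(grants_json):
        reasons = []
        if g["clientId"] not in approved:
            reasons.append("client not on approved list")
        if g["consentType"] == "Principal":
            reasons.append(f"user consent by {g['principalId']}")
        risky = sorted(set(g["scope"].split()) & HIGH_RISK_SCOPES)
        if risky:
            reasons.append("high-risk scopes: " + ", ".join(risky))
        if reasons:
            findings.append({
                "grant_id": g["id"],
                "client": names.get(g["clientId"], g["clientId"]),
                "reasons": reasons,
                # Unrecognized clients are revoked outright; approved clients with
                # broad scopes go to review rather than being auto-removed.
                "action": "revoke" if g["clientId"] not in approved else "review",
                # Graph endpoint that deletes a delegated permission grant.
                "revoke_via": f"DELETE /v1.0/oauth2PermissionGrants/{g['id']}",
            })
    return findings


if __name__ == "__main__":
    for f in triage_grants(SAMPLE_GRANTS_JSON):
        print(f"{f['action'].upper():7} {f['client']} ({f['grant_id']})")
        for r in f["reasons"]:
            print(f"         - {r}")
        print(f"         {f['revoke_via']}")
```

On the constructed export only the user-consented "OneDrive Helper Utility" grant surfaces, with all three reasons and a revoke action; the two admin-consented, approved apps pass. Running the same triage on a schedule and diffing the findings is what turns a one-off audit into the OAuth monitoring the GraphWorm section calls for.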

Why This Matters for Email and Journalist Targets

GraphWorm's choice of Microsoft Graph as a C2 is consequential for anyone covering China-linked espionage. Microsoft 365 mailboxes are inside the same Graph that GraphWorm rides. Once a tenant has been compromised at the OAuth application layer, reading the target's email is not a separate attack; it is an additional Graph call against the same trusted endpoint. Journalists, NGO staff, and academic researchers working on China-relevant topics should treat any Microsoft 365 mailbox as part of their threat model and use end-to-end encrypted alternatives for high-sensitivity correspondence.

Webworm has been operating for two years inside infrastructure most organizations consider too important to block. That is not a temporary detection failure; it is the operational logic of modern state-aligned threat groups. The next two years will see more of this, not less.
