Listen to this Post

A New Era of Cyber Espionage Emerges
Cybersecurity researchers have uncovered a disturbing evolution in Chinese cyber-espionage operations. A China-linked advanced persistent threat group known as Webworm is now targeting European government institutions using stealthier and more sophisticated attack methods than previously seen.
The campaign, revealed through research published by ESET, shows how modern cybercriminals are abandoning traditional malware and replacing it with legitimate-looking tools that blend perfectly into normal internet traffic. Instead of relying solely on suspicious malicious software, Webworm has begun abusing trusted platforms such as Discord, Microsoft Graph APIs, GitHub repositories, and cloud infrastructure to hide its operations.
This marks a major shift in the cyberwarfare landscape. Governments across Europe are no longer just fighting ransomware gangs or isolated hacking groups. They are now facing highly organized digital espionage networks capable of quietly infiltrating systems, maintaining long-term access, and extracting intelligence without triggering traditional security alarms.
Webworm Expands Beyond Asia
When Webworm first appeared publicly around 2022, its operations mainly focused on Asian targets. Over time, however, the group quietly expanded its reach toward Europe and Africa.
Researchers identified attacks against government organizations in countries including:
Belgium
Italy
Serbia
Spain
Poland
South Africa
The attacks observed between early 2024 and early 2025 reveal a gradual transformation in Webworm’s tactics. Earlier campaigns depended on well-known malware families such as McRat and Trochilus. These tools, while effective, carried recognizable signatures that cybersecurity defenders could detect more easily.
To solve this problem, Webworm evolved.
Instead of depending entirely on traditional malware, the group shifted toward proxy-based networking tools and stealth communication systems. Researchers found the hackers increasingly relying on SOCKS proxies, VPN tunneling software, and customized proxy frameworks.
One of the key tools used was SoftEther VPN, a legitimate VPN platform that can also be abused to mask malicious activity.
Why Proxy Tools Are So Dangerous
Traditional malware often leaves obvious traces behind. Antivirus software can identify malicious files, strange network behavior, or suspicious traffic patterns.
Proxy tools change the game completely.
These tools act as intermediaries between attackers and victims. Instead of directly connecting to infected systems, hackers route communications through layers of encrypted tunnels and disguised network traffic.
This makes attribution far more difficult.
It also allows attackers to move silently inside networks for extended periods without raising alarms. By using legitimate networking software, Webworm can make malicious traffic appear normal to security systems.
The campaign demonstrates how state-sponsored hacking groups increasingly prefer “living off the land” strategies. That means using trusted applications, normal cloud services, and common administrative tools rather than noisy malware payloads.
Discord Becomes a Weapon
Perhaps the most shocking discovery involves a newly identified backdoor called EchoCreep.
EchoCreep transforms Discord into a covert command-and-control infrastructure. Instead of communicating with suspicious hacker servers, infected systems quietly send information through Discord’s APIs.
Researchers discovered that EchoCreep could:
Upload stolen files
Receive attacker commands
Send runtime reports
Pass hidden communications through crafted HTTP requests
Different Discord servers were reportedly assigned to different victims, allowing attackers to isolate operations and avoid large-scale detection.
This is an alarming development because Discord traffic is generally trusted inside many organizations. Blocking it outright is often difficult, especially when employees legitimately use the platform for communication or collaboration.
Cybersecurity experts have warned for years that attackers would eventually weaponize mainstream communication platforms. Webworm appears to be fully embracing that strategy.
Microsoft Graph API Abuse Raises Serious Concerns
The second major tool discovered by researchers is called GraphWorm.
Instead of Discord, this malware abuses the Microsoft Graph API and OneDrive infrastructure for communication.
The malware retrieves instructions from OneDrive endpoints and uploads stolen victim data back to cloud storage systems. Since Microsoft cloud services are deeply integrated into enterprise environments, suspicious activity can easily blend into ordinary network operations.
This creates a nightmare scenario for defenders.
Security teams often trust Microsoft traffic by default. Attackers know this and are increasingly exploiting that trust relationship.
The use of Microsoft Graph APIs also highlights a growing cybersecurity trend where attackers exploit cloud ecosystems rather than attacking endpoints directly.
GitHub and Cloud Infrastructure Play Supporting Roles
Researchers also observed Webworm storing malware tools inside GitHub repositories.
This allows attackers to download malicious payloads directly from a trusted developer platform rather than suspicious domains that security products might automatically block.
Additionally, the group reportedly relied on cloud servers hosted through infrastructure providers like Vultr and IT7 Networks.
Another discovery revealed Webworm retrieving configurations through compromised Amazon S3 buckets using a custom proxy solution known as WormFrp.
This layered infrastructure gives attackers multiple advantages:
Better stealth
Faster deployment
Easier malware updates
Reduced operational risk
Simplified victim management
The overall architecture resembles a professional cloud-based software operation rather than a traditional hacking campaign.
The Initial Infection Method Remains Unclear
One major mystery remains unsolved.
Researchers still do not fully understand how Webworm initially compromises victims.
However, evidence suggests the attackers heavily use open-source vulnerability scanners to identify exposed systems and weak infrastructure.
This strongly indicates exploitation of unpatched vulnerabilities may serve as the initial entry point.
Once inside, the attackers appear focused on persistence, lateral movement, and espionage-oriented intelligence gathering.
According to researchers, the goal may not simply be data theft. Instead, Webworm appears interested in finding deeper “pivot points” within networks to expand access as far as possible.
That behavior aligns closely with state-sponsored intelligence operations rather than financially motivated cybercrime.
What Undercode Say:
China’s Cyber Strategy Is Becoming More Sophisticated
The Webworm campaign reflects something much larger than just another hacking incident. It shows how cyber warfare has evolved into an intelligence-driven shadow conflict where stealth matters more than destruction.
A few years ago, cyberattacks were loud.
Ransomware groups wanted attention. Malware creators wanted panic. Attackers often encrypted files or disrupted operations publicly.
Now the priority is invisibility.
Webworm’s tactics suggest a long-term intelligence collection strategy. The group is not trying to destroy systems. It wants silent access, long-term persistence, and covert surveillance capabilities.
That changes how governments must defend themselves.
Discord and Microsoft Are Becoming Battlefields
The abuse of Discord and Microsoft Graph APIs is not random experimentation.
Attackers understand modern organizations trust cloud ecosystems more than ever before. Security systems often whitelist Microsoft traffic automatically. Communication platforms are deeply integrated into daily workflows.
Hackers know defenders hesitate to block these services.
This creates the perfect camouflage.
The future of cyber espionage will likely revolve around abusing trusted SaaS platforms rather than deploying easily detectable malware binaries.
Today it is Discord and Microsoft Graph.
Tomorrow it could be Slack, Zoom, Google Workspace, Notion, or AI collaboration tools.
Traditional Antivirus Is Losing Relevance
One major implication of this campaign is the declining effectiveness of signature-based defense models.
If attackers stop using obvious malware and instead rely on encrypted tunnels, APIs, and legitimate software, classic antivirus solutions become far less useful.
Cybersecurity teams now need behavioral analysis, identity monitoring, cloud telemetry inspection, and zero-trust architectures.
The battlefield has shifted from files to behavior.
That is a massive challenge for governments still relying on outdated security infrastructure.
Europe Is Becoming a Prime Cyber Target
The targeting of European governments is also politically significant.
Europe increasingly sits at the center of geopolitical tension involving trade wars, AI competition, semiconductor supply chains, NATO coordination, and economic policy.
Cyber espionage campaigns provide strategic advantages without triggering traditional military responses.
Stealing diplomatic intelligence, policy discussions, or infrastructure access can reshape negotiations quietly behind the scenes.
That makes cyber warfare one of the most powerful intelligence weapons of the modern era.
The Use of Cloud Infrastructure Is Genius From an Attacker Perspective
Using GitHub repositories, cloud VPNs, OneDrive, and Amazon S3 buckets is incredibly effective operationally.
Why?
Because blocking those services outright is almost impossible for most organizations.
Attackers no longer need hidden underground infrastructure. They can hide inside mainstream internet traffic and exploit trust relationships already built into enterprise systems.
This dramatically increases operational survivability.
Even if one server gets detected, the attackers can quickly shift to another cloud resource with minimal disruption.
Attribution Will Keep Getting Harder
One overlooked detail is how difficult these tactics make attribution.
When malicious traffic routes through trusted services and VPN chains, identifying the true operator becomes significantly harder.
Nation-state groups benefit enormously from this ambiguity.
Governments may suspect who is responsible, but proving it publicly becomes complicated.
That uncertainty is strategically useful because it weakens diplomatic retaliation.
Cybersecurity Is Entering Its Most Dangerous Phase
The Webworm operation reflects the broader transformation of cyber conflict into silent digital occupation.
The most dangerous cyberattacks are no longer the ones that shut systems down.
The most dangerous ones are the attacks nobody notices for years.
Governments and enterprises still focus heavily on visible threats like ransomware, while espionage-focused actors quietly build persistent footholds deep inside critical infrastructure.
That imbalance could become a major security crisis over the next decade.
Fact Checker Results
✅ Researchers from ESET did publicly report Webworm’s use of Discord and Microsoft Graph APIs for command-and-control operations.
✅ The campaign specifically targeted multiple European government organizations and used proxy tools like SoftEther VPN.
⚠️ Attribution to China is based on threat intelligence analysis and operational indicators, not official public confirmation from the Chinese government.
Prediction
🔮 Cyber espionage groups will increasingly abuse mainstream SaaS platforms instead of relying on traditional malware infrastructure.
🔮 Governments across Europe will likely tighten monitoring of API-based communications and cloud traffic within sensitive networks.
🔮 Future nation-state attacks may become almost indistinguishable from normal enterprise activity, making behavioral AI security systems essential for defense.
▶️ Related Video (86% Match):
🕵️📝Let’s dive deep and fact‑check.
References:
Reported By: www.darkreading.com
Extra Source Hub (Possible Sources for article):
https://www.stackexchange.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube




