A China-aligned cyber espionage group known as Webworm is deploying custom backdoors that route command-and-control traffic through Discord and Microsoft Graph API, marking a significant escalation in how advanced persistent threats abuse sanctioned platforms to evade detection.
Webworm, first documented by Broadcom-owned Symantec in September 2022, has been active since at least that year with government agencies among its primary targets. The group's latest campaigns, observed throughout 2025, introduce two modular payloads—EchoCreep and GraphWorm—designed to blend malicious communications with legitimate enterprise and consumer traffic.
How the Backdoors Operate
EchoCreep and GraphWorm share a common objective: hiding in plain sight by abusing platforms that organizations routinely permit through their network perimeters. EchoCreep channels C2 traffic through Discord's messaging infrastructure, while GraphWorm leverages Microsoft Graph API endpoints native to Microsoft 365 environments. Both approaches neutralize conventional firewall rules and signature-based detection, since the traffic originates from domains and services that security teams have no practical reason to block.
The malware families feature modular architectures that allow operators to update capabilities dynamically after compromise. Advanced obfuscation techniques, including polymorphic code generation and domain fronting, complicate static analysis and signature development. Initial access typically relies on stolen credentials and OAuth tokens, reinforcing phishing and credential theft as the primary entry vectors for cloud exploitation.
Implications for M365 Hardening
GraphWorm's abuse of the Graph API presents a particular challenge for organizations running Microsoft 365 at scale. The API provides programmatic access to M365 data across Exchange Online, SharePoint, OneDrive, and Azure Active Directory—meaning a compromised token can grant broad data access without triggering conventional intrusion alerts.
Security teams should prioritize these hardening measures:
- Audit OAuth application permissions regularly, revoking unused or overly broad consents and enforcing admin consent workflows for new integrations.
- Implement conditional access policies that restrict API access based on device compliance, location, and risk signals.
- Deploy Cloud Access Security Brokers (CASBs) to establish behavioral baselines for API usage and flag anomalous data access patterns.
- Enable advanced audit logging for Microsoft Graph activity and route logs into SIEM platforms for continuous monitoring.
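As an added illustration of the consent-audit and Graph-logging measures above (example code written for this article, not from Symantec, Microsoft or any product), the script below scores constructed Graph activity records against a simple baseline and lists applications holding tenant-wide read/write consents; the record field names (appId, userId, requestUri, responseStatusCode) and the permission list are assumptions modelled on Graph activity log exports.

```python
# Added example: flag broad OAuth consents and mailbox-sweeping Graph activity.
# Field names and the sample records are constructed, not taken from real logs.
from collections import defaultdict
import re

# Application permissions treated as "overly broad" for this example (assumed list).
BROAD_PERMISSIONS = {"Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All",
                     "Sites.ReadWrite.All", "User.Read.All"}

# Constructed consent inventory: appId -> granted application permissions.
CONSENTS = {
    "app-payroll": {"User.Read", "Calendars.Read"},
    "app-unknown": {"Mail.ReadWrite", "Files.ReadWrite.All"},
}

# Constructed Graph activity records: one app quietly reads many users' mailboxes.
GRAPH_LOGS = [
    {"appId": "app-payroll", "userId": "u1", "requestUri": "/v1.0/me/calendar", "responseStatusCode": 200},
    {"appId": "app-payroll", "userId": "u2", "requestUri": "/v1.0/me/calendar", "responseStatusCode": 200},
] + [
    {"appId": "app-unknown", "userId": f"u{i}", "requestUri": f"/v1.0/users/u{i}/messages", "responseStatusCode": 200}
    for i in range(1, 13)
]

MAILBOX_RE = re.compile(r"/users/([^/]+)/messages")

def broad_consents(consents=CONSENTS):
    """Return apps holding any tenant-wide read/write permission, with the offending grants."""
    return {app: sorted(p & BROAD_PERMISSIONS)
            for app, p in consents.items() if p & BROAD_PERMISSIONS}

def mailbox_sweeps(logs=GRAPH_LOGS, threshold=10):
    """Flag apps that successfully read messages from at least `threshold` distinct mailboxes."""
    mailboxes = defaultdict(set)
    for rec in logs:
        match = MAILBOX_RE.search(rec["requestUri"])
        if rec["responseStatusCode"] == 200 and match:
            mailboxes[rec["appId"]].add(match.group(1))
    return {app: len(boxes) for app, boxes in mailboxes.items() if len(boxes) >= threshold}

def findings():
    """Combine both checks into one SIEM-style finding set."""
    return {"broad_consents": broad_consents(), "mailbox_sweeps": mailbox_sweeps()}

if __name__ == "__main__":
    print(findings())
```

In production the threshold would come from a per-application baseline rather than a constant, and the consent inventory from a directory export.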
Attribution Challenges
Cloud-based attribution remains inherently difficult. Traffic routed through global platforms like Discord and Microsoft Graph can originate from any geography, and infrastructure overlap between legitimate use and malicious activity complicates definitive origin assessment. Organizations should focus on behavioral indicators and access anomalies rather than relying on IP-based or domain-based blocking.
Recommended Defensive Posture
EchoCreep and GraphWorm reinforce the urgency of transitioning from perimeter-centric, signature-driven security models to zero-trust architectures anchored in strict identity governance and continuous API telemetry monitoring. Security and IT leadership should enforce least-privilege access for all service accounts and OAuth tokens, deploy behavioral monitoring through CASB or equivalent platforms, and treat API telemetry as a core input for threat detection.
Incident response playbooks should be updated to prioritize behavioral indicators and access anomalies over traditional IP and domain blocking. Teams should also proactively monitor for vendor-specific indicators of compromise as Microsoft and Discord develop platform-level mitigations.
As of the latest reporting, official response timelines from Microsoft and Discord regarding API abuse mitigation have not been publicly disclosed. Security teams should monitor advisories from both companies and consider integrating emerging detection logic into SOAR playbooks to accelerate containment of similar activity.
