HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Chinese APT ‘Webworm’ Exploits Discord and Microsoft Graph to Infiltrate EU Government Networks

Webworm, a Chinese state‑sponsored APT, is leveraging Discord for covert command‑and‑control and abusing Microsoft Graph API to harvest data from European government agencies, using SOCKS proxies to mask traffic. The technique expands the attack surface for any vendor that integrates with these services, raising urgent TPRM concerns.

LiveThreat™ Intelligence · 📅 May 22, 2026· 📰 darkreading.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
darkreading.com

Chinese APT “Webworm” Leverages Discord and Microsoft Graph to Target EU Government Networks

What Happened — The state‑sponsored threat group known as Webworm has been observed using Discord as a covert command‑and‑control (C2) channel and abusing Microsoft Graph API calls to move laterally and exfiltrate data from European government networks. The group also employs SOCKS proxies such as SoftEther VPN to hide its traffic.

Why It Matters for TPRM

  • Attackers are exploiting legitimate SaaS platforms, making detection harder for third‑party risk managers.
  • Government‑grade data can be harvested and later used to compromise downstream suppliers or partners.
  • The use of public‑cloud services for C2 expands the attack surface of any vendor that integrates with those services.

Who Is Affected — Public sector agencies across the EU, including ministries, regulatory bodies, and any contractors that host or process government data.

Recommended Actions

  • Review any third‑party contracts that involve Discord, Microsoft 365, or other SaaS tools for privileged access.
  • Enforce strict API usage monitoring and least‑privilege principles for Microsoft Graph.
  • Deploy network‑level egress filtering to detect unauthorized Discord or proxy traffic.

Technical Notes

  • Attack vector: Abuse of legitimate cloud services (Discord, Microsoft Graph) combined with SOCKS proxy tunneling (SoftEther VPN).
  • Data types accessed: Email, calendar, SharePoint, and other Microsoft 365 resources; potentially classified government documents.
  • Indicators: Unusual Graph API calls, Discord bot traffic from internal IP ranges, outbound connections to known SoftEther VPN endpoints.

Source: Dark Reading

📰 Original Source
https://www.darkreading.com/endpoint-security/chinas-webworm-discord-microsoft-graphs

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

Data exposure is where consent and DSAR readiness get tested.

When personal data leaks, regulators ask what consent you held and how fast you can answer a subject request. The Verisq AI Trust Operations platform, with CookiePLUS, keeps that posture audit-ready under GDPR and CCPA.

Explore the Verisq AI Trust Operations platform →