China-linked cyber espionage group “Webworm” has recently been linked to a major hacking campaign targeting European government organizations and other important sectors. Security researchers discovered that the attackers were using trusted online services like Discord and Microsoft Graph to secretly communicate with infected systems. This method allowed the hackers to hide their activity inside normal internet traffic and avoid raising suspicion. Experts believe this campaign shows how modern cyberattacks are becoming more advanced and difficult to detect.
The investigation was carried out by cybersecurity researchers at ESET, who uncovered two newly identified malware tools named EchoCreep and GraphWorm. According to the researchers, these malware strains were specially designed to abuse legitimate cloud-based services instead of using suspicious servers. Because organizations already trust these platforms, the malicious traffic looked similar to regular online activity. This helped the attackers remain hidden inside networks for a longer period of time.
One of the malware strains, called EchoCreep, reportedly used Discord channels as a command-and-control system for the attackers. Through this malware, hackers were able to send commands, transfer files, and remotely control infected computers. Researchers found hundreds of Discord messages connected to the campaign, showing that the operation had been active for several months. Since Discord is a widely used communication platform, the activity did not immediately appear suspicious to security systems.
The second malware tool, GraphWorm, was considered even more advanced because it abused the Microsoft Graph API and OneDrive. The malware was capable of running hidden command sessions, transferring stolen files, and launching malicious processes on infected systems. Security researchers explained that Microsoft Graph traffic is commonly trusted by enterprise networks, which made the attack even harder to identify. The malware could also remove traces of its activity after operations were completed.
Researchers stated that the campaign mainly targeted government organizations across several European countries, including Belgium, Italy, Poland, Serbia, and Spain. Apart from government networks, the attackers also focused on aerospace companies, IT service providers, and power-related sectors. A university in South Africa was reportedly affected during the operation as well. Experts believe the campaign was part of a larger cyber espionage effort focused on collecting sensitive information.
The investigation also revealed that the attackers used a fake GitHub repository disguised as a WordPress-related project to support their operations. This repository reportedly hosted malware files and infrastructure tools required for the campaign. In addition, the hackers relied on VPN services, encrypted communication tunnels, custom proxy tools, and chained routing techniques to hide their movements. These methods made forensic investigations and tracking much more difficult for cybersecurity teams.
Cybersecurity experts say this incident highlights a growing trend where advanced threat groups abuse trusted platforms and legitimate online services for malicious purposes. Instead of relying on clearly suspicious infrastructure, attackers are now blending into normal cloud traffic to avoid detection. This shift is creating serious challenges for organizations because traditional security systems may fail to identify such hidden activity. Experts warn that similar techniques could become more common in future cyber espionage operations.
Researchers also noted that Webworm appears to be changing its attack strategy by moving away from older malware families and focusing more on stealth-based cloud operations. The campaign demonstrates how cybercriminals are constantly adapting their methods to bypass modern security defenses. Experts believe organizations must improve monitoring of cloud platforms and trusted services to identify unusual behavior more effectively. The discovery serves as another reminder that even commonly trusted online platforms can be abused for large-scale cyberattacks.
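The monitoring the researchers recommend can start from process-level network telemetry. The Python example below is added here and is not code from ESET or from the article: it runs two defensive checks over a constructed log, flagging processes that are not expected to contact Discord or the Graph API, and flagging fixed-interval contacts of the kind a command-and-control beacon produces. The log format, the expected-process allowlist and the thresholds are assumptions to tune per environment.

```python
import statistics
from collections import defaultdict

# Constructed sample telemetry (hypothetical format): "<unix_ts> <host> <process> <destination>"
SAMPLE_LOG = """\
1700000000 ws01 chrome.exe discord.com
1700000060 ws01 svchost.exe discord.com
1700000120 ws01 svchost.exe discord.com
1700000180 ws01 svchost.exe discord.com
1700000240 ws01 svchost.exe discord.com
1700000010 ws02 OneDrive.exe graph.microsoft.com
1700000500 ws02 OneDrive.exe graph.microsoft.com
1700000530 ws02 OneDrive.exe graph.microsoft.com
1700000030 ws03 updater.exe graph.microsoft.com
1700000090 ws03 updater.exe graph.microsoft.com
1700000150 ws03 updater.exe graph.microsoft.com
"""

# Assumption: processes that legitimately talk to each trusted service; tune per environment.
EXPECTED = {
    "discord.com": {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
    "graph.microsoft.com": {"onedrive.exe", "outlook.exe", "teams.exe", "msedge.exe"},
}

def parse(log):
    """Return a list of (timestamp, host, process, destination) tuples, normalising case."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:
            events.append((int(parts[0]), parts[1], parts[2].lower(), parts[3].lower()))
    return events

def find_unexpected(events):
    """Check 1: a process outside the allowlist contacting a trusted service."""
    return sorted({(h, p, d) for _, h, p, d in events if d in EXPECTED and p not in EXPECTED[d]})

def find_beacons(events, min_events=3, max_jitter=5.0):
    """Check 2: the same (host, process, destination) contacted at near-constant intervals."""
    series = defaultdict(list)
    for ts, h, p, d in events:
        series[(h, p, d)].append(ts)
    hits = []
    for key, tss in series.items():
        tss.sort()
        gaps = [b - a for a, b in zip(tss, tss[1:])]
        # Interactive use (browser, sync client) has irregular gaps; a beacon's gaps barely vary.
        if len(tss) >= min_events and statistics.pstdev(gaps) <= max_jitter:
            hits.append(key)
    return sorted(hits)
```

In the sample, the legitimate browser and OneDrive traffic passes both checks, while the two unlisted processes contacting the services every 60 seconds are reported by both.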
Stay alert, and keep your security measures updated!