Netcrook

Cyber Warfare & Nation-State Operations

When a State-Linked Crew Turns Discord Into a Back Door

Published: 22 May 2026 10:21
Category: Cyber Warfare & Nation-State Operations
Author: AGONY

The Webworm campaign shows how collaboration tools, cloud APIs, and proxy layers can become part of an intrusion chain without looking overtly malicious on the wire.

In modern espionage, the most dangerous traffic is often the traffic nobody wants to block. Webworm’s reported use of Discord, Microsoft Graph, and SOCKS-style proxying against EU government targets is a reminder that attackers increasingly borrow the same services enterprises trust for daily work.

Fast Facts

  • Webworm is described as an advanced persistent threat group.
  • The activity was tied to attacks against EU government entities.
  • Discord and Microsoft Graph were reported as part of the command-and-control path.
  • SOCKS proxies and SoftEther VPN appeared in the tooling mix.
  • The full scope of compromise and any data loss remains unconfirmed.

How trusted services can become attacker infrastructure

The technical significance here is not just that a threat actor used popular platforms, but that the platforms themselves can provide cover. Discord is ordinary internet infrastructure from a network perspective, and Microsoft Graph is a legitimate Microsoft cloud API that many organizations already allow. That makes abuse harder to distinguish from normal business traffic unless defenders correlate identity, endpoint, and cloud telemetry.

In this kind of operation, the value of the cloud layer is stealth. A request to an approved, allow-listed service may not look like classic malware beaconing, yet it can still carry tasking, file movement, or operator updates. The risk rises when the attacker can blend into a tenant’s expected usage patterns, especially in environments where alerting is tuned more for suspicious domains than for unusual API behavior.

Proxy and tunneling tools add another layer of friction for defenders. SOCKS is a standard relay method, so it can obscure where traffic truly originates. SoftEther VPN, meanwhile, is a flexible tunneling tool that can sit inside a broader relay setup. Public reporting supports its presence in the attacker’s tooling, but not every operational detail of how it was used. That distinction matters: the defensive lesson is about indirect traffic paths, not certainty about one specific chain.

At the time of writing, public information has not fully established the technical root cause, the complete scope of affected users, or whether downstream systems were compromised. That uncertainty is itself important. In cloud-abuse campaigns, success is not always measured by noisy ransomware-style impact; sometimes the real goal is quiet persistence, surveillance, or access that remains buried inside normal service calls.

Why defenders should care

The case highlights a broader shift in intrusion tradecraft: attackers increasingly use legitimate services as transport, not just payload delivery. That means perimeter controls alone are rarely enough. Security teams need alerts for unusual Microsoft tenant activity, unexpected Discord-related traffic on servers and administrative systems, and signs that proxy or tunneling software is being used where it has no business purpose.

From a defensive perspective, the most useful response is correlation. A single cloud request may be harmless; a sequence of atypical logins, API calls, file transfers, and proxy setup activity is much harder to dismiss. In other words, the crime scene is no longer just on the endpoint. It is spread across identity systems, SaaS logs, and the quiet spaces between them.
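As an added example (not code from the article or from any vendor product), the following correlates constructed telemetry the way the two paragraphs above describe: Discord traffic from a server, a Microsoft Graph call by a service identity, and a tunnelling tool start each rate low on their own, but escalate when they co-occur on one host within a short window. The host names, service identities, the tool watchlist, the `srv-` naming convention and the two-hour window are all assumptions for the example.

```python
"""Correlate constructed proxy, Graph and process telemetry into a per-host alert level.
Added example, not from the article; hosts, identities and tool names are placeholders."""
from collections import defaultdict

WINDOW_MIN = 120                      # signals must co-occur within two hours (assumption)
COLLAB_DOMAINS = {"discord.com", "discordapp.com"}   # assumption: servers have no business use for these
TUNNEL_TOOLS = {"socks-relay.exe", "vpnclient-example.exe"}  # placeholder watchlist kept by the defender
SERVER_PREFIX = "srv-"                # host naming convention assumed for this example

# Constructed telemetry: (minute, host, source, detail). Sources mimic a web proxy log,
# a Graph audit log ("identity:resource") and an EDR process-start feed.
EVENTS = [
    (10,  "srv-files-01", "proxy",   "discord.com"),
    (25,  "srv-files-01", "graph",   "svc-backup:/drives/items"),
    (40,  "srv-files-01", "process", "socks-relay.exe"),
    (15,  "ws-alice",     "proxy",   "discord.com"),            # user workstation, expected
    (30,  "srv-db-02",    "graph",   "svc-report:/users"),      # one weak signal in isolation
    (0,   "srv-web-03",   "proxy",   "discord.com"),
    (600, "srv-web-03",   "process", "socks-relay.exe"),        # same signals, but hours apart
]

def signal_for(host, source, detail):
    """Map one raw event to a weak signal name, or None if it is unremarkable."""
    if source == "proxy" and detail in COLLAB_DOMAINS and host.startswith(SERVER_PREFIX):
        return "collab_traffic_from_server"
    if source == "graph" and detail.split(":", 1)[0].startswith("svc-"):
        return "service_identity_graph_call"
    if source == "process" and detail in TUNNEL_TOOLS:
        return "tunnel_tool_started"
    return None

def score_host(events):
    """Return (level, signals): the largest set of distinct signal kinds within WINDOW_MIN."""
    timed = [(t, s) for t, h, src, d in events if (s := signal_for(h, src, d))]
    best = set()
    for t0, _ in timed:
        window = {s for t, s in timed if t0 <= t <= t0 + WINDOW_MIN}
        if len(window) > len(best):
            best = window
    level = "high" if len(best) >= 3 else "medium" if len(best) == 2 else "low"
    return level, sorted(best)

def correlate(events):
    by_host = defaultdict(list)          # score each host independently
    for ev in events:
        by_host[ev[1]].append(ev)
    return {host: score_host(evs) for host, evs in by_host.items()}

if __name__ == "__main__":
    for host, (level, signals) in correlate(EVENTS).items():
        print(f"{host:14} {level:6} {signals}")
```

Only srv-files-01 reaches "high"; srv-web-03 shows why the time window matters, since the same two signals hours apart never meet the correlation rule.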

The broader lesson is simple: when legitimate platforms are part of the attack path, defenders must treat normality as something to verify, not assume.

WIKICROOK

  • Advanced Persistent Threat (APT): A long-term, often well-resourced intrusion campaign designed to stay hidden and maintain access.
  • Command-and-Control (C2): The channel attackers use to issue instructions to compromised systems.
  • Microsoft Graph: Microsoft’s API gateway for accessing cloud, identity, and productivity data.
  • SOCKS proxy: A relay protocol that forwards traffic through an intermediary server.
  • Tunneling: Wrapping one kind of network traffic inside another path to obscure origin or bypass controls.