
Hackers Increasingly Abusing Microsoft Graph API for Stealthy Malware Communications

May 03, 2024 | Newsroom | Cloud Security / Threat Intelligence

Threat actors have been increasingly weaponizing Microsoft Graph API for malicious purposes with the aim of evading detection.

This is done to “facilitate communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud services,” the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News.

Since January 2022, multiple nation-state-aligned hacking groups have been observed using Microsoft Graph API for C&C. This includes threat actors tracked as APT28, REF2924, Red Stinger, Flea, APT29, and OilRig.


The first known instance of Microsoft Graph API abuse, prior to its wider adoption, dates back to June 2021, in connection with an activity cluster dubbed Harvester that was found using a custom implant known as Graphon, which utilized the API to communicate with Microsoft infrastructure.

Symantec said it recently detected the use of the same technique against an unnamed organization in Ukraine, which involved the deployment of a previously undocumented piece of malware called BirdyClient (aka OneDriveBirdyClient).

The malware is a DLL file named “vxdiff.dll,” the same name as a legitimate DLL associated with an application called Apoint (“apoint.exe”). It is designed to connect to the Microsoft Graph API and use OneDrive as a C&C server, uploading files to it and downloading files from it.

The exact distribution method of the DLL file, and whether it entails DLL side-loading, is presently unknown. There is also no clarity on who the threat actors are or what their ultimate goals are.

“Attacker communications with C&C servers can often raise red flags in targeted organizations,” Symantec said. “The Graph API’s popularity among attackers may be driven by the belief that traffic to known entities, such as widely used cloud services, is less likely to raise suspicions.

“In addition to appearing inconspicuous, it is also a cheap and secure source of infrastructure for attackers since basic accounts for services like OneDrive are free.”
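One way to hunt for the behaviour described above, as an added example that is not from Symantec's report or this article: because the destination alone looks benign, it keys on which process talks to Graph, flagging any process outside an expected-client allowlist that both uploads to and downloads from OneDrive paths. The telemetry fields, the allowlist and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

GRAPH_HOST = "graph.microsoft.com"
# Assumption: processes this environment expects to call Graph; tune per organisation.
EXPECTED_GRAPH_CLIENTS = {"onedrive.exe", "outlook.exe", "teams.exe", "msedge.exe"}

# Constructed sample telemetry: (host, process, HTTP method, destination, URL path).
# Assumes an endpoint sensor or TLS-inspecting proxy that records process and path.
SAMPLE_EVENTS = [
    ("ws-014", "OneDrive.exe", "GET", "graph.microsoft.com", "/v1.0/me/drive/root/children"),
    ("ws-014", "OneDrive.exe", "PUT", "graph.microsoft.com", "/v1.0/me/drive/root:/report.docx:/content"),
    ("ws-022", "apoint.exe", "GET", "graph.microsoft.com", "/v1.0/me/drive/root:/sample-in/a.bin:/content"),
    ("ws-022", "apoint.exe", "PUT", "graph.microsoft.com", "/v1.0/me/drive/root:/sample-out/b.bin:/content"),
    ("ws-031", "powershell.exe", "GET", "graph.microsoft.com", "/v1.0/me/messages"),
    ("ws-040", "backuptool.exe", "GET", "graph.microsoft.com", "/v1.0/drives/constructed-id/root/children"),
]


def is_drive_path(path):
    """True for Graph OneDrive resources: /v1.0/me/drive/..., /v1.0/drives/{id}/...,
    /v1.0/users/{id}/drive/... (the resource name sits in the first four segments)."""
    parts = [p for p in path.lower().split("/") if p]
    return any(p in ("drive", "drives") for p in parts[:4])


def hunt_graph_c2(events, expected=EXPECTED_GRAPH_CLIENTS):
    """Return sorted (host, process) pairs where an unexpected process both
    downloaded from and uploaded to OneDrive through the Graph API."""
    directions = defaultdict(set)
    for host, process, method, dest, path in events:
        if dest.lower() != GRAPH_HOST or not is_drive_path(path):
            continue
        proc = process.lower()
        if proc in expected:
            continue  # known Graph client for this environment
        method = method.upper()
        if method == "GET":
            directions[(host, proc)].add("download")
        elif method in ("PUT", "POST"):
            directions[(host, proc)].add("upload")
    # Two-way file exchange matches the upload/download C&C pattern.
    return sorted(k for k, seen in directions.items() if seen == {"upload", "download"})


if __name__ == "__main__":
    for host, proc in hunt_graph_c2(SAMPLE_EVENTS):
        print(f"review: {proc} on {host} exchanges files with OneDrive via Graph")
```

Requiring traffic in both directions keeps the output short; a one-way hit from an unexpected process, such as the constructed `backuptool.exe` event, is still worth a lower-priority review.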


The development comes as Permiso revealed how cloud administration commands could be exploited by adversaries with privileged access to execute commands on virtual machines.

“Most times, attackers leverage trusted relationships to execute commands in connected compute instances (VMs) or hybrid environments by compromising third-party external vendors or contractors who have privileged access to manage internal cloud-based environments,” the cloud security firm said.

“By compromising these external entities, attackers can gain elevated access that allows them to execute commands within compute instances (VMs) or hybrid environments.”
