6 May 2024

Threat actors increasingly abusing Microsoft Graph


Malicious actors are increasingly leveraging the Microsoft Graph API to facilitate communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud services, according to new findings from the Symantec Threat Hunter Team, part of Broadcom.

The latest incident has been observed in Ukraine, where a previously undocumented malware strain named BirdyClient utilized the Graph API to employ Microsoft OneDrive for C&C purposes.

In this particular attack, BirdyClient (aka OneDriveBirdyClient) was disguised as a legitimate DLL associated with the Apoint driver software. The malware's primary function is to connect to the Microsoft Graph API and use OneDrive as a file exchange for C&C: it downloads files from and uploads files to the attacker-controlled OneDrive account.

This is not the first instance of threat actors employing the Graph API for malicious purposes.

For instance, the North Korea-linked Vedalia espionage group, also known as APT37, has been observed using Bluelight, a second-stage payload capable of communicating with various cloud services for C&C.

Another state-backed cyber espionage operation, dubbed Harvester, used a custom backdoor called Backdoor.Graphon that relied on the Graph API for C&C in attacks targeting organizations in South Asia.

In January 2022, a malware strain named "Graphite" emerged that used the Graph API to communicate with a OneDrive account acting as a C&C server. It was deployed in a campaign targeting several governments in Europe and Asia, attributed to the Russian Swallowtail espionage group, also known as APT28 or Fancy Bear.

The trend continued with the discovery of SiestaGraph in December 2022, which had infiltrated the Foreign Affairs Office of an ASEAN member; Symantec found a new variant of the same malware in September 2023.

In June 2023, the researchers detected Backdoor.Graphican, employed by the Flea state-backed group in an espionage campaign targeting foreign affairs ministries in the Americas. Analysis showed that Graphican, an evolution of the older Flea backdoor Ketrican, now incorporates the Microsoft Graph API and OneDrive into its C&C infrastructure.

“Attacker communications with C&C servers can often raise red flags in targeted organizations. The Graph API’s popularity among attackers may be driven by the belief that traffic to known entities, such as widely used cloud services, is less likely to raise suspicions,” the threat intelligence team noted. “In addition to appearing inconspicuous, it is also a cheap and secure source of infrastructure for attackers since basic accounts for services like OneDrive are free.”
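The upload/download pattern described for BirdyClient and the blending-in argument in the Symantec quote suggest where to look: not at the destination host, which is legitimate, but at which process on the endpoint is talking to it and how. The following hunt script is an added example, not code from the article or from Symantec. It runs over constructed, pipe-delimited endpoint log lines (timestamp, host, process image, destination host, HTTP method, URL path; the format is an assumption), flags processes outside an assumed allowlist that call graph.microsoft.com, and raises severity when the same process both downloads and uploads OneDrive drive-item content or obtains a token from the personal-account (consumer) endpoint, which is consistent with the free OneDrive accounts the quote mentions.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an assumed pipe-delimited EDR/proxy export:
# timestamp|host|process_image|dest_host|method|url_path. Not real telemetry.
SAMPLE_LOG = """\
2024-05-06T09:01:12Z|WS01|C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe|graph.microsoft.com|PUT|/v1.0/me/drive/root:/Documents/report.docx:/content
2024-05-06T09:02:40Z|WS01|C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE|graph.microsoft.com|GET|/v1.0/me/messages
2024-05-06T09:03:05Z|WS07|C:\\Windows\\System32\\rundll32.exe|login.microsoftonline.com|POST|/consumers/oauth2/v2.0/token
2024-05-06T09:03:09Z|WS07|C:\\Windows\\System32\\rundll32.exe|graph.microsoft.com|GET|/v1.0/me/drive/root:/tasks/WS07.txt:/content
2024-05-06T09:03:21Z|WS07|C:\\Windows\\System32\\rundll32.exe|graph.microsoft.com|PUT|/v1.0/me/drive/root:/results/WS07.bin:/content
2024-05-06T09:05:00Z|WS02|C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe|graph.microsoft.com|GET|/v1.0/me/drive/root/children
"""

# Assumed allowlist of binaries expected to talk to Graph in this environment;
# baseline it against your own telemetry. Matched on the lower-cased file name.
EXPECTED_GRAPH_CLIENTS = {"onedrive.exe", "outlook.exe", "teams.exe", "msedge.exe",
                          "winword.exe", "excel.exe", "powershell.exe"}

GRAPH_HOSTS = {"graph.microsoft.com"}
# Graph drive-item content endpoints, e.g. /me/drive/root:/path:/content,
# /me/drive/items/{id}/content, /drives/{id}/items/{id}/content
DRIVE_CONTENT = re.compile(r"/drives?/.*(/|:/)content$", re.IGNORECASE)
# Token endpoint for personal Microsoft accounts: the identity behind the
# traffic is a consumer account, not one of the organisation's tenant users.
CONSUMER_TOKEN = re.compile(r"^/consumers/oauth2/v2\.0/token$", re.IGNORECASE)


def parse_line(line):
    """Split one assumed-format log line into a normalised event dict."""
    ts, host, image, dest, method, path = line.rstrip("\n").split("|", 5)
    return {"ts": ts, "host": host, "image": image,
            "name": image.replace("/", "\\").rsplit("\\", 1)[-1].lower(),
            "dest": dest.lower(), "method": method.upper(), "path": path}


def hunt(log_text):
    """Return one finding per (host, process) using Graph/OneDrive unexpectedly."""
    by_proc = defaultdict(lambda: {"graph_calls": 0, "downloads": 0, "uploads": 0,
                                   "consumer_auth": False, "first_seen": None})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["name"] in EXPECTED_GRAPH_CLIENTS:
            continue
        st = by_proc[(ev["host"], ev["name"])]
        if ev["dest"] == "login.microsoftonline.com" and CONSUMER_TOKEN.match(ev["path"]):
            st["consumer_auth"] = True
        if ev["dest"] in GRAPH_HOSTS:
            st["graph_calls"] += 1
            st["first_seen"] = st["first_seen"] or ev["ts"]
            if DRIVE_CONTENT.search(ev["path"]):
                if ev["method"] == "GET":
                    st["downloads"] += 1
                elif ev["method"] in ("PUT", "POST", "PATCH"):
                    st["uploads"] += 1

    findings = []
    for (host, name), st in by_proc.items():
        if st["graph_calls"] == 0:
            continue
        severity = "medium"
        # Pulling files down and pushing files up from an unexpected binary is
        # the two-way file exchange the article describes for OneDrive C&C.
        if st["downloads"] and st["uploads"]:
            severity = "high"
        # Graph traffic authenticated as a personal account from inside a
        # managed estate is rarely legitimate.
        if st["consumer_auth"]:
            severity = "high"
        findings.append({"host": host, "process": name, "severity": severity, **st})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['severity'].upper()} {f['host']} {f['process']} "
              f"graph_calls={f['graph_calls']} down={f['downloads']} "
              f"up={f['uploads']} consumer_auth={f['consumer_auth']}")
```

On the constructed input only the rundll32.exe activity on WS07 is reported, at high severity. Two caveats: a web proxy that sees only TLS SNI cannot attribute traffic to a process, and Graph requests bound for a personal OneDrive look identical on the wire to requests for the organisation's own tenant, so this kind of hunt needs endpoint telemetry with process context (or identity-aware logging). The allowlist will also need tuning, since browsers, PowerShell and line-of-business tooling call Graph legitimately.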
