Webworm Accelerates Cyber Threats with EchoCreep and GraphWorm Backdoors Utilizing Discord and Microsoft Graph API


Cybersecurity experts have identified renewed activity from the China-aligned threat actor known as Webworm in 2025. This group has begun deploying custom backdoors that utilize Discord and Microsoft Graph API for command-and-control (C2) communications, marking a significant evolution in their operational tactics.

Background on Webworm

Webworm was first documented by Symantec, a subsidiary of Broadcom, in September 2022. The group has been active since at least 2022, targeting a range of government agencies and enterprises across various sectors, including IT services, aerospace, and electric power. Their operations have primarily focused on regions such as Russia, Georgia, Mongolia, and several other Asian countries.

The group’s attacks have employed various remote access trojans (RATs), including Trochilus RAT, Gh0st RAT, and the 9002 RAT (also known as Hydraq and McRat). Webworm’s activities have shown overlap with other China-linked clusters, including FishMonger (also referred to as Aquatic Panda), SixLittleMonkeys, and Space Pirates. SixLittleMonkeys is particularly noted for its use of Gh0st RAT and Mikroceen, targeting entities in Central Asia, Russia, Belarus, and Mongolia.

Evolution of Tactics

In recent years, Webworm has shifted towards utilizing both existing and custom proxy tools that offer greater stealth compared to traditional backdoors. According to ESET researcher Eric Howard, the group has introduced two new backdoors to its arsenal in 2025: EchoCreep, which employs Discord for C2 communications, and GraphWorm, which utilizes Microsoft Graph API for similar purposes.

These developments fit a broader trend of adversaries hiding C2 and staging traffic inside legitimate platforms that defenders are reluctant to block. Webworm has also been observed using a GitHub repository posing as a WordPress fork as a staging ground for its malware and for tools such as SoftEther VPN, so that downloads blend in with ordinary developer traffic. Several other China-linked groups use the same tactic.

Targeting and Tools

Over the past two years, Webworm has increasingly focused its efforts on European nations, targeting governmental organizations in Belgium, Italy, Serbia, and Poland, as well as a local university in South Africa. The introduction of EchoCreep and GraphWorm signifies an expansion of Webworm’s capabilities, even as older tools like Trochilus and 9002 RAT appear to have been phased out.

Other notable tools in Webworm’s toolkit include iox and custom proxy solutions such as WormFrp, ChainWorm, SmuxProxy, and WormSocket. WormFrp has been identified as capable of retrieving configurations from a compromised Amazon S3 bucket, further enhancing the group’s operational flexibility.

ESET notes that these custom proxy tools not only encrypt their traffic but also support chaining across multiple hosts, both inside the victim network and across its perimeter. Chaining lets operators obscure the true origin of their connections and makes the activity harder to trace.

Technical Capabilities of New Backdoors

EchoCreep is a comparatively simple backdoor: it supports file upload and download and runs operator commands through "cmd.exe". GraphWorm is more capable. It can spawn new "cmd.exe" sessions, launch newly created processes, upload files to and download files from Microsoft OneDrive through the Graph API, and terminate itself when its operators send a stop signal.

An analysis of the Discord channel EchoCreep uses for C2 shows that the earliest operator commands date back to March 21, 2024, and that 433 messages in total were exchanged through the channel.
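One way to hunt for this style of C2 in endpoint or proxy telemetry, as an added example for this article rather than ESET's detection logic or anything taken from the EchoCreep or GraphWorm samples: flag processes outside an allowlist that call Discord's channel-messages endpoint or Microsoft Graph's OneDrive content endpoint. The telemetry format, the process allowlists and the sample records are constructed assumptions; the two API routes are the public Discord and Graph paths.

```python
"""
Hunting for C2 that hides in Discord and Microsoft Graph traffic.

Added example for this article; it is not ESET's detection logic and not
code from the EchoCreep/GraphWorm samples. The telemetry format, the process
allowlists and the sample records are constructed for the example.
One record per HTTPS request, pipe-separated:
    timestamp|endpoint|process|destination_host|method|url_path
"""
import re
from collections import Counter

# Assumption: processes legitimately expected to call these APIs in this
# environment. Tune to your fleet; an EDR-backed process inventory is better.
EXPECTED_DISCORD_CLIENTS = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
EXPECTED_GRAPH_CLIENTS = {
    "onedrive.exe", "ms-teams.exe", "teams.exe", "outlook.exe",
    "chrome.exe", "msedge.exe", "firefox.exe",
}

# Discord's channel-messages endpoint: a bot-style C2 polls it with GET for
# tasking and POSTs results back to the same channel.
DISCORD_MESSAGES = re.compile(r"^/api/v\d+/channels/\d+/messages")

# Graph's OneDrive content endpoint: the Graph route that moves file bytes,
# which is what a backdoor uploading loot or pulling tools needs.
GRAPH_DRIVE_CONTENT = re.compile(
    r"^/v1\.0/(?:(?:me|users/[^/]+)/drive|drives/[^/]+)/(?:root:|items/)\S*?/content(?:\?|$)"
)


def parse(line):
    """Split one telemetry record; return None for malformed lines."""
    parts = line.strip().split("|")
    if len(parts) != 6:
        return None
    ts, endpoint, process, dest_host, method, path = parts
    return {"ts": ts, "endpoint": endpoint, "process": process,
            "dest_host": dest_host, "method": method, "path": path}


def classify(rec):
    """Return a verdict string for a suspicious record, else None."""
    proc = rec["process"].lower()
    host = rec["dest_host"].lower()
    if host == "discord.com" and DISCORD_MESSAGES.match(rec["path"]):
        if proc not in EXPECTED_DISCORD_CLIENTS:
            return "discord-c2-candidate"
    if host == "graph.microsoft.com" and GRAPH_DRIVE_CONTENT.match(rec["path"]):
        if proc not in EXPECTED_GRAPH_CLIENTS:
            return "graph-onedrive-c2-candidate"
    return None


def hunt(lines):
    """Run every record through classify(); return (endpoint, process, verdict, path) hits."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict:
            hits.append((rec["endpoint"], rec["process"], verdict, rec["path"]))
    return hits


def summarize(hits):
    """Count hits per (endpoint, process, verdict); repeated polling stands out."""
    return Counter((h[0], h[1], h[2]) for h in hits)


# Constructed sample telemetry: a non-allowlisted process on a Graph route that
# moves no file bytes (not flagged), legitimate Discord and OneDrive clients,
# then two system-looking processes doing C2-like polling and file transfer.
SAMPLE = """\
2025-06-02T09:00:01Z|WS-0142|svchost.exe|graph.microsoft.com|GET|/v1.0/me/messages?$top=10
2025-06-02T09:00:07Z|WS-0142|Discord.exe|discord.com|GET|/api/v9/channels/1122334455/messages?limit=50
2025-06-02T09:00:09Z|WS-0142|OneDrive.exe|graph.microsoft.com|PUT|/v1.0/me/drive/root:/Documents/notes.docx:/content
2025-06-02T09:01:12Z|WS-0377|wuauclt.exe|discord.com|GET|/api/v10/channels/99887766/messages?limit=1
2025-06-02T09:01:42Z|WS-0377|wuauclt.exe|discord.com|GET|/api/v10/channels/99887766/messages?limit=1
2025-06-02T09:02:12Z|WS-0377|wuauclt.exe|discord.com|POST|/api/v10/channels/99887766/messages
2025-06-02T09:03:05Z|WS-0377|dllhost.exe|graph.microsoft.com|PUT|/v1.0/me/drive/root:/sync/ws0377.bin:/content
2025-06-02T09:03:40Z|WS-0377|dllhost.exe|graph.microsoft.com|GET|/v1.0/me/drive/items/01BYE5RZ6QN3ZWBTUFOFD3GSPGOHDJD36K/content
"""

if __name__ == "__main__":
    for key, n in summarize(hunt(SAMPLE.splitlines())).items():
        print(f"{key[0]} {key[1]}: {key[2]} x{n}")
```

Because both services are legitimately popular, the hostname alone carries no signal; the pairing of an unexpected process with the specific API route does. The fixed 30-second polling interval of the wuauclt.exe records is the other thing worth alerting on, which is why the summary counts hits per process rather than listing them once.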

Initial Access and Delivery Mechanisms

The precise method by which these backdoors are delivered is not known. Webworm has, however, been observed running the open-source utilities dirsearch and nuclei against victim web servers: dirsearch brute-forces file and directory names to map exposed content, and nuclei runs template-based checks for known vulnerabilities that can then be exploited for access.
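Directory brute-forcing of the kind dirsearch performs leaves a characteristic trail in web server logs: a burst of requests for many distinct paths from one client, most of them answered 404. The following is an added example for this article, not ESET's or any vendor's published detection content, that scores Apache/nginx combined-format access logs on that pattern and on scanner User-Agent strings. The sample lines are constructed, the thresholds are assumptions, and the nuclei User-Agent shown is an assumed default that operators can change.

```python
"""
Spotting dirsearch/nuclei-style reconnaissance in web server access logs.

Added example for this article; it is not ESET's or Webworm-specific
detection content. The log lines are constructed in Apache/nginx "combined"
format. The thresholds and the scanner User-Agent markers are assumptions to
tune for your site; operators can change both tools' User-Agent strings.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed default User-Agent substrings; a cheap tripwire, not the main signal.
SCANNER_UA_MARKERS = ("nuclei", "dirsearch")
WINDOW = timedelta(seconds=60)   # sliding window for the 404 burst rule
MIN_DISTINCT_404 = 20            # distinct missing paths from one IP in WINDOW


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect(lines, window=WINDOW, min_distinct_404=MIN_DISTINCT_404):
    """Return alerts for scanner User-Agents and for bursts of distinct 404s per IP."""
    missing = defaultdict(list)   # ip -> [(ts, path)] for 404 responses
    ua_hits = {}                  # ip -> first scanner-looking User-Agent
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if any(marker in rec["ua"].lower() for marker in SCANNER_UA_MARKERS):
            ua_hits.setdefault(rec["ip"], rec["ua"])
        if rec["status"] == 404:
            missing[rec["ip"]].append((rec["ts"], rec["path"]))

    alerts = [{"ip": ip, "rule": "scanner-user-agent", "detail": ua}
              for ip, ua in ua_hits.items()]

    for ip, events in missing.items():
        events.sort()
        in_window = Counter()     # path -> occurrences inside the current window
        left, peak = 0, 0
        for ts, path in events:
            in_window[path] += 1
            # Slide the left edge forward until every event is within `window`.
            while events[left][0] < ts - window:
                old_path = events[left][1]
                in_window[old_path] -= 1
                if in_window[old_path] == 0:
                    del in_window[old_path]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_distinct_404:
            alerts.append({"ip": ip, "rule": "path-bruteforce",
                           "detail": f"{peak} distinct 404 paths within "
                                     f"{int(window.total_seconds())}s"})
    return alerts


# --- Constructed sample log (not real traffic) ------------------------------
def _combined(ip, ts, path, status, ua):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 153 "-" "{ua}"'


_BASE = datetime(2025, 6, 2, 9, 0, 0, tzinfo=timezone.utc)
_BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
_NUCLEI_UA = "Nuclei - Open-source project (github.com/projectdiscovery/nuclei)"  # assumed default
_WORDLIST = [  # typical wordlist entries a directory brute-forcer requests
    "/.env", "/.git/HEAD", "/admin/", "/backup.zip", "/config.php", "/wp-login.php",
    "/phpmyadmin/", "/.htaccess", "/api/", "/console", "/debug", "/install/", "/old/",
    "/test/", "/upload/", "/web.config", "/xmlrpc.php", "/server-status", "/dump.sql",
    "/db.sql", "/.DS_Store", "/cgi-bin/", "/manager/html", "/actuator/health", "/.svn/",
]
SAMPLE_LINES = (
    [_combined("198.51.100.5", _BASE, "/", 200, _BROWSER_UA),
     _combined("198.51.100.5", _BASE + timedelta(seconds=1), "/favicon.ico", 404, _BROWSER_UA)]
    + [_combined("203.0.113.7", _BASE + timedelta(seconds=2 * i), p, 404, _BROWSER_UA)
       for i, p in enumerate(_WORDLIST)]
    + [_combined("203.0.113.9", _BASE + timedelta(seconds=70), "/", 200, _NUCLEI_UA)]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert)
```

The 404-burst rule counts distinct paths rather than raw requests so that a browser retrying one missing asset does not trip it, and it uses a sliding window so a slow scanner spread over hours is caught only if you widen the window; the ordinary visitor at 198.51.100.5 produces no alert even though it also received a 404.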

The emergence of these advanced tactics coincides with broader trends in the cybersecurity landscape, where threat actors are increasingly leveraging legitimate tools and platforms to enhance their operational effectiveness.

Broader Implications

The recent findings also align with ongoing research from Cisco Talos, which has shed light on a variant of BadIIS likely shared among multiple Chinese-speaking cybercrime groups under a malware-as-a-service (MaaS) model. This model is designed for continuous monetization and has reportedly been under development since at least September 30, 2021.

The same malware author, operating under the alias “lwxat,” has made available supplementary tools that automate deployment, ensure persistence across IIS server restarts, and evade detection. The service includes a dedicated builder tool that allows threat actors to generate configuration files, customize payloads, and inject parameters into BadIIS binaries, enabling capabilities such as traffic redirection to illicit sites and content hijacking.

The evolving tactics of Webworm and similar threat actors underscore the need for organizations to remain vigilant and proactive in their cybersecurity measures. As these groups continue to innovate and adapt, the potential for significant disruptions and data breaches increases.


Source: thehackernews.com
