Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API
Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and Microsoft Graph API for Command-and-Control
TL;DR — Webworm, a China-aligned threat actor active since at least 2022, has deployed two new custom backdoors in 2025: EchoCreep, which routes commands through Discord, and GraphWorm, which uses Microsoft Graph API and Microsoft OneDrive for file staging. The group continues to shift toward legitimate services and proxy tools to evade detection while expanding operations into European targets.
What happened
Researchers at ESET have documented fresh activity from Webworm deploying two previously unknown backdoors alongside a shift toward legitimate cloud services and open-source utilities for reconnaissance and lateral movement.
Webworm was first publicly documented by Symantec in September 2022 and is assessed to have been active since at least 2022. The group targets government agencies and enterprises in the IT services, aerospace, and electric power sectors across Russia, Georgia, Mongolia, and several other Asian nations. Historically, the group deployed remote access trojans including Trochilus RAT, Gh0st RAT, and 9002 RAT (also known as Hydraq and McRat).
In 2025, Webworm added EchoCreep and GraphWorm to its toolkit. EchoCreep uses Discord for command-and-control communications and supports file upload/download and command execution via cmd.exe. Analysis of the Discord channel used by EchoCreep shows that the earliest commands were sent on March 21, 2024; a total of 433 Discord messages have been sent via the C2 server. GraphWorm is a more advanced backdoor that can spawn cmd.exe sessions, execute processes, and upload or download files to and from Microsoft OneDrive; it can also stop its own execution after receiving an operator signal.
The group hosts malware and tools on a GitHub repository impersonating a WordPress fork at github[.]com/anjsdgasdf/WordPress, using it as a staging ground for payloads including SoftEther VPN. Webworm has also deployed custom proxy tools named WormFrp, ChainWorm, SmuxProxy, and WormSocket. WormFrp retrieves configurations from a compromised Amazon S3 bucket. These proxy tools encrypt communications and support chaining across multiple internal and external network hosts.
Over the past two years, Webworm has shifted focus away from traditional backdoors toward legitimate utilities such as SOCKS proxies. The group is increasingly targeting European countries, including government organizations in Belgium, Italy, Serbia, Poland, and Spain, as well as a university in South Africa.
For initial compromise and reconnaissance, Webworm uses the open-source utilities dirsearch and nuclei to enumerate web server files and directories by brute force and to scan for known vulnerabilities.
The initial access pathway and delivery mechanism for EchoCreep and GraphWorm remain unknown.
Why it matters
The use of Discord and Microsoft Graph API for command-and-control represents a maturation in Webworm's operational security posture. Both services are widely used, generate legitimate traffic, and are often whitelisted in network policies, making detection significantly more difficult than traditional C2 infrastructure. The reliance on OneDrive for file staging allows the group to leverage Microsoft's infrastructure for persistence and exfiltration.
The shift toward legitimate services and open-source utilities reflects a broader trend in Chinese state-aligned intrusion operations: reducing reliance on custom malware that is more easily attributed and blocked, instead leveraging tools and services that defenders cannot easily distinguish from legitimate administrative activity.
For defenders in government and critical infrastructure sectors—particularly in Europe, Russia, and Central Asia—the expansion of Webworm's geographic targeting and operational tempo presents an increased risk. The group's use of common development platforms (GitHub) and legitimate VPN services to stage payloads means that traditional network-based detection rules may be ineffective.
Affected systems and CVEs
No CVE assigned at the time of publication.
Products and services leveraged by Webworm:
- Discord (C2 channel)
- Microsoft Graph API (C2 communications)
- Microsoft OneDrive (file staging and exfiltration)
- GitHub (malware and tool staging)
- Amazon S3 (proxy tool configuration delivery)
- SoftEther VPN
- IIS servers (reconnaissance target)
- Open-source utilities: dirsearch, nuclei
What to do
- Monitor network traffic for suspicious Discord API communications, particularly WebSocket connections and message delivery patterns consistent with command-and-control.
- Implement detection for Microsoft Graph API and OneDrive file transfer patterns that deviate from normal user behavior, especially large or encrypted file uploads from system accounts or service principals.
- Review GitHub repository access logs for unusual requests to repositories impersonating legitimate projects, and restrict repository clone activity from system or administrative accounts.
- Monitor for execution of dirsearch and nuclei on endpoints; these tools are rarely present in standard deployments and their presence indicates active reconnaissance.
- Scan endpoints and network shares for custom proxy tools: WormFrp, ChainWorm, SmuxProxy, and WormSocket.
- Audit Amazon S3 bucket configurations for public read access and review bucket access logs for unauthorized retrievals.
- Implement file integrity monitoring on web server directories and alert on unexpected modifications.
- Monitor for cmd.exe spawning from service accounts or unusual parent processes, particularly in conjunction with file operations targeting OneDrive.
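As an added example (not from the advisory or from ESET's research), the following Python sketch implements the correlation the last two bullets describe: it flags cmd.exe launched by a parent outside an allow-list, then pairs each such spawn with outbound connections from that parent to the cloud services named above. The sample events, field names, and the parent allow-list are constructed assumptions to be tuned per environment.

```python
from collections import defaultdict

# Assumed allow-list of parents that normally launch cmd.exe (tune per environment)
EXPECTED_PARENTS = {"explorer.exe", "powershell.exe", "cmd.exe", "windowsterminal.exe"}
# Services the advisory names as abused for C2 and file staging
WATCHED_HOSTS = ("discord.com", "discordapp.com", "graph.microsoft.com")

# Constructed sample events (not from the report), loosely shaped like
# Sysmon process-creation (ID 1) and network-connection (ID 3) records.
PROCESS_EVENTS = [
    {"ts": 100, "host": "ws01", "pid": 4120, "ppid": 4100,
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Users\a\AppData\Local\Temp\updater.exe"},
    {"ts": 120, "host": "ws02", "pid": 2200, "ppid": 1800,
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe"},
    {"ts": 130, "host": "ws03", "pid": 5100, "ppid": 5000,
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\ProgramData\svc\helper.exe"},
]
NETWORK_EVENTS = [
    {"ts": 95,  "host": "ws01", "pid": 4100, "dest": "discord.com", "port": 443},
    {"ts": 125, "host": "ws02", "pid": 1800, "dest": "example.org", "port": 443},
    {"ts": 140, "host": "ws01", "pid": 4100, "dest": "graph.microsoft.com", "port": 443},
]

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def is_watched(dest):
    """True for a watched domain or any of its subdomains (case-insensitive)."""
    d = dest.lower()
    return any(d == h or d.endswith("." + h) for h in WATCHED_HOSTS)

def unexpected_cmd_spawns(proc_events):
    """cmd.exe created by a parent that is not on the allow-list."""
    return [e for e in proc_events
            if basename(e["image"]) == "cmd.exe"
            and basename(e["parent"]) not in EXPECTED_PARENTS]

def correlate(proc_events, net_events, window=300):
    """Pair each unexpected cmd.exe spawn with watched-service connections made by
    its parent process within `window` seconds; a match raises the severity."""
    conns = defaultdict(list)
    for n in net_events:
        if is_watched(n["dest"]):
            conns[(n["host"], n["pid"])].append(n)
    findings = []
    for e in unexpected_cmd_spawns(proc_events):
        related = [n for n in conns.get((e["host"], e["ppid"]), [])
                   if abs(n["ts"] - e["ts"]) <= window]
        findings.append({"host": e["host"], "parent": e["parent"],
                         "c2_hosts": sorted({n["dest"] for n in related}),
                         "severity": "high" if related else "medium"})
    return findings
```

In a real deployment the same logic maps onto a SIEM join between process-creation and network-connection telemetry keyed on host and process id; the allow-list is the part that needs the most local tuning.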
Open questions
- What is the initial access vector for EchoCreep and GraphWorm deployments?
- What is the full scope of affected organizations and victims?
- Is WormFrp actively retrieving configurations from the compromised S3 bucket, or was the compromise historical?
- What is the exact nature of overlap between Webworm, FishMonger (Aquatic Panda), SixLittleMonkeys, and Space Pirates? ESET researchers have stated that connections to Space Pirates are tenuous and based primarily on shared use of open-source RATs.
Source
Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API