Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API

Webworm has been observed deploying two newly discovered backdoors that abuse legitimate cloud and messaging services, Discord and the Microsoft Graph API, for covert command-and-control (C2) across targeted networks, according to cybersecurity researchers.

The activity highlights a continued evolution in the group’s tactics, as it shifts toward blending malicious traffic with trusted enterprise and consumer services to evade detection systems.

New Backdoors EchoCreep and GraphWorm Target Enterprise Networks

Security analysts report that Webworm has added two custom tools—EchoCreep and GraphWorm—to its malware toolkit in 2025.

EchoCreep uses a Discord channel as its command channel: operators post instructions in the channel and the implant retrieves them and returns data through the same channel, so its traffic sits inside ordinary Discord API use. GraphWorm instead abuses the Microsoft Graph API to interact with Microsoft services such as OneDrive, using that access for file transfers, command execution, and process control on compromised systems.

Both tools are designed to execute system-level commands, transfer files, and maintain persistence within infected environments while avoiding traditional detection methods.

Shift From Traditional RATs to Stealth Proxy-Based Tools

Webworm, first publicly documented in 2022, has historically relied on remote access trojans such as Gh0st RAT and 9002 RAT. However, recent findings show a gradual shift away from conventional malware toward lightweight proxy tools and custom communication frameworks.

Researchers note that the group has increasingly favored tools capable of routing traffic through multiple systems, improving stealth and making attribution and detection more difficult. This includes custom utilities designed to encrypt communications and obscure network pathways across internal and external infrastructure.

Use of Legitimate Platforms for Command-and-Control

A key feature of the latest campaign is Webworm’s reliance on legitimate services to mask malicious activity. Discord messaging infrastructure has been used to transmit commands for EchoCreep, while GraphWorm leverages Microsoft’s cloud-based APIs.

This approach lets the attackers blend malicious traffic with normal user behavior. Both destinations are high-reputation domains that most organizations already allow, and the sessions are TLS connections to the providers' own infrastructure, so reputation-based filtering and conventional network monitoring that keys on suspicious destinations sees nothing unusual.
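Because the destinations look legitimate at the network layer, the practical detection handle for both EchoCreep-style Discord C2 and GraphWorm-style Graph API abuse is process attribution: which process on the host is talking to discord.com or graph.microsoft.com. The following Python is an added example, not code from the original report or from the Webworm tooling, that applies that idea to endpoint or proxy records. The log lines, their field names, and the per-service process allowlists are constructed for the example and are assumptions, not any product's schema or a recommended baseline.

```python
"""Heuristic detection for backdoors that hide C2 in Discord and Microsoft
Graph traffic: flag those services when an unexpected process on the host is
the one talking to them. Constructed example, not Webworm tooling."""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample of outbound HTTPS requests, one JSON object per line, in
# the shape an EDR or proxy with process attribution might emit. The field
# names are an assumption for this example, not any product's real schema.
SAMPLE_LOG = """
{"host":"ws-041","process":"Discord.exe","user":"jdoe","dst":"discord.com","path":"/api/v9/channels/1122/messages","method":"GET"}
{"host":"ws-041","process":"svchost.exe","user":"SYSTEM","dst":"discord.com","path":"/api/v10/channels/3344/messages","method":"POST"}
{"host":"srv-fs02","process":"OneDrive.exe","user":"jdoe","dst":"graph.microsoft.com","path":"/v1.0/me/drive/root/children","method":"GET"}
{"host":"srv-fs02","process":"w3wp.exe","user":"NETWORK SERVICE","dst":"login.microsoftonline.com","path":"/common/oauth2/v2.0/token","method":"POST"}
{"host":"srv-fs02","process":"w3wp.exe","user":"NETWORK SERVICE","dst":"graph.microsoft.com","path":"/v1.0/me/drive/root:/tasks/cmd.txt:/content","method":"PUT"}
{"host":"ws-017","process":"msedge.exe","user":"asmith","dst":"graph.microsoft.com","path":"/v1.0/me/messages","method":"GET"}
"""

# Which processes are expected to talk to each service. These allowlists are
# assumptions for the example; derive yours from a baseline of your own fleet.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
DISCORD_OK = BROWSERS | {"discord.exe"}
GRAPH_OK = BROWSERS | {"onedrive.exe", "ms-teams.exe", "outlook.exe", "winword.exe", "excel.exe"}

DISCORD_HOSTS = {"discord.com", "discordapp.com"}
GRAPH_HOSTS = {"graph.microsoft.com"}
TOKEN_HOSTS = {"login.microsoftonline.com"}
SERVICE_ACCOUNTS = {"system", "network service", "local service"}


@dataclass
class Finding:
    host: str
    process: str
    user: str
    reason: str
    severity: str


def classify(rec: dict) -> Optional[Finding]:
    """Return a Finding for one request record, or None if it looks benign."""
    proc = rec["process"].lower()
    dst = rec["dst"].lower()
    path = rec["path"]
    user = rec["user"]
    is_svc = user.lower() in SERVICE_ACCOUNTS

    if dst in DISCORD_HOSTS and path.startswith("/api/") and proc not in DISCORD_OK:
        # Channel message reads/writes from a non-Discord process are the
        # pattern a Discord-channel C2 would produce.
        sev = "high" if "/channels/" in path and path.endswith("/messages") else "medium"
        return Finding(rec["host"], rec["process"], user, "Discord API call from unexpected process", sev)

    if dst in GRAPH_HOSTS and proc not in GRAPH_OK:
        # OneDrive drive-item access is the Graph surface used for file
        # staging; other Graph endpoints still merit a look.
        sev = "high" if "/drive" in path else "medium"
        return Finding(rec["host"], rec["process"], user, "Microsoft Graph call from unexpected process", sev)

    if dst in TOKEN_HOSTS and proc not in GRAPH_OK:
        # A token request is the prerequisite for Graph access; on its own it
        # is weak evidence, stronger when a service account is the caller.
        sev = "medium" if is_svc else "low"
        return Finding(rec["host"], rec["process"], user, "Microsoft identity token request from unexpected process", sev)

    return None


def scan(log_text: str) -> list:
    """Run classify() over every non-empty JSON line and collect findings."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            f = classify(json.loads(line))
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.host} {f.process} ({f.user}): {f.reason}")
```

On the sample, the Discord client and OneDrive requests pass, while the Discord channel-message POST from svchost.exe and the OneDrive upload from the IIS worker process w3wp.exe are flagged, with the preceding token request from the same service-account process as a supporting, lower-severity hit. The allowlists are the weak point of any such rule: treat them as a starting point, populate them from a real baseline of which binaries on your hosts use each service, and expect to tune them per host role (a file server has no reason to run a Discord client at all).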

Investigators also identified the use of impersonated repositories hosted on GitHub, where malicious tools and utilities were staged. These resources were used alongside legitimate VPN software such as SoftEther to further conceal operational activity.

Broader Targeting Across Asia, Europe, and Beyond

Webworm has been linked to attacks on government agencies, aerospace firms, IT service providers, and power sector organizations. Affected regions include Russia, Mongolia, Georgia, and several European countries, with expanded targeting reported in Belgium, Italy, Serbia, Poland, and Spain.

The group’s evolving targeting pattern suggests a broader intelligence-gathering objective, with increased focus on critical infrastructure and government-related entities.

Additional Tooling and Exploitation Methods

Alongside EchoCreep and GraphWorm, researchers have identified a range of supporting tools used by the group, including SOCKS proxies and custom frameworks designed for traffic chaining and persistence.

Attack chains reportedly begin with reconnaissance against exposed web applications using publicly available tools such as vulnerability scanners and directory brute-forcing utilities, which points to exploitation of those applications as the likely entry point. The exact initial access vector, however, has not been confirmed.

Increasing Reliance on Hybrid Malware Ecosystems

Security experts also noted overlap between Webworm and other China-aligned clusters, suggesting shared infrastructure or collaboration between multiple groups.

The adoption of legitimate cloud services, proxy chains, and modular malware components reflects a broader trend in cyber espionage operations—where attackers prioritize stealth, adaptability, and long-term access over noisy, easily detectable malware.

Conclusion

The emergence of EchoCreep and GraphWorm underscores how advanced threat actors like Webworm are increasingly abusing trusted platforms such as Discord and Microsoft Graph API to conduct covert operations. By embedding malicious activity within legitimate services, the group significantly raises the complexity of detection and response efforts for defenders worldwide.
