Published on May 20, 2026

Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API


Severity
Medium

Detail

Cybersecurity researchers have identified new activity from a China-aligned threat actor known as Webworm, which has expanded its toolkit with two custom backdoors called EchoCreep and GraphWorm. These tools are designed to use legitimate cloud and collaboration platforms (Discord and the Microsoft Graph API) for command-and-control (C2) communication, helping the attackers blend into normal network traffic.

Webworm has been active since at least 2022 and is known for targeting government and enterprise organizations across Russia, Georgia, Mongolia, and other parts of Asia, with expanding activity also observed in Europe. The group overlaps with several China-linked clusters, including FishMonger and SixLittleMonkeys, and has previously used well-known remote access trojans such as Gh0st RAT, 9002 RAT, and Trochilus RAT.

In recent operations, Webworm has shifted away from traditional malware toward more stealthy proxy tools and custom backdoors. It also makes use of legitimate software like SoftEther VPN and a network of proxy utilities to conceal traffic and maintain persistence inside compromised environments.

The group has been observed using a GitHub repository impersonating a WordPress project as a staging point for malware delivery. Attackers also rely on open-source tools like dirsearch and nuclei to scan for exposed web services and vulnerabilities, which are then used to gain initial access to target systems.

EchoCreep and GraphWorm represent the latest evolution in Webworm’s capabilities. EchoCreep uses Discord channels for C2 communication and supports file upload/download and remote command execution through Windows cmd.exe. GraphWorm is more advanced, using Microsoft Graph API and OneDrive for data transfer, and can spawn new command sessions, execute processes, and terminate itself when instructed by operators.

Analysis of Discord activity linked to EchoCreep shows that the command infrastructure has been active since at least March 2024, with more than 400 messages exchanged between infected systems and attacker-controlled channels. This indicates long-term, stable use of Discord as a stealth communication channel.

How?

The attack begins with Webworm gaining initial access to target environments, although the exact infection method is not fully known. Researchers believe the group likely uses vulnerability scanning tools such as dirsearch and nuclei to identify exposed web applications, misconfigurations, or unpatched services that can be exploited for entry.

Once inside the network, the attackers deploy custom proxy tools and establish encrypted communication channels using SoftEther VPN and other tunneling utilities. These tools allow them to move data across compromised systems while avoiding detection.

EchoCreep then connects to Discord servers controlled by the attackers, where it receives commands such as executing system commands via cmd.exe, uploading files, or downloading additional payloads. GraphWorm performs similar functions but integrates with Microsoft Graph API, enabling it to abuse trusted cloud services like OneDrive for file storage and exfiltration while maintaining persistence.

Both backdoors are designed to operate quietly within enterprise environments by using trusted platforms as intermediaries, making malicious traffic appear like normal business communication.
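Because both backdoors hide behind hosts that legitimate clients also talk to, the practical detection signal is not the destination alone but which process is reaching it and how regularly. The following is an added example (not code from the write-up, the researchers, or the malware) that scans a constructed EDR-style export of outbound connections and flags processes outside an expected allowlist that repeatedly poll Discord or Microsoft Graph API endpoints. The log format, the host and file names (`gw.exe`, `echo.exe`), the allowlist and the polling threshold are all assumptions to be tuned to a real environment.

```python
"""Flag unexpected processes that poll Discord or Microsoft Graph API endpoints."""
import csv
import io
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Hosts the write-up names as C2 intermediaries: Discord (EchoCreep) and
# Microsoft Graph / OneDrive (GraphWorm).
CLOUD_C2_HOSTS = {"discord.com", "discordapp.com", "graph.microsoft.com"}

# Processes expected to reach those hosts in a typical fleet. Assumption:
# illustrative only; tune to what is actually deployed on the endpoints.
EXPECTED_PROCESSES = {
    "chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "ms-teams.exe",
    "onedrive.exe", "discord.exe", "outlook.exe",
}

# Constructed sample telemetry (hypothetical EDR export, not real data):
# timestamp,host,process path,destination host,URL path
SAMPLE_LOG = """\
2026-05-18T09:00:01Z,WS-042,C:\\ProgramData\\sync\\gw.exe,graph.microsoft.com,/v1.0/me/drive/root/children
2026-05-18T09:00:03Z,WS-042,C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,graph.microsoft.com,/v1.0/me/drive/root/children
2026-05-18T09:02:01Z,WS-042,C:\\ProgramData\\sync\\gw.exe,graph.microsoft.com,/v1.0/me/drive/root/children
2026-05-18T09:04:01Z,WS-042,C:\\ProgramData\\sync\\gw.exe,graph.microsoft.com,/v1.0/me/drive/root/children
2026-05-18T09:05:10Z,WS-017,C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe,discord.com,/api/v9/channels/123/messages
2026-05-18T09:05:30Z,WS-017,C:\\ProgramData\\update\\echo.exe,discord.com,/api/v9/channels/123/messages
2026-05-18T09:06:30Z,WS-017,C:\\ProgramData\\update\\echo.exe,discord.com,/api/v9/channels/123/messages
2026-05-18T09:07:30Z,WS-017,C:\\ProgramData\\update\\echo.exe,discord.com,/api/v9/channels/123/messages
2026-05-18T09:08:00Z,WS-099,C:\\Program Files\\Mozilla Firefox\\firefox.exe,example.org,/index.html
"""


def parse_log(text):
    """Parse the CSV export into dicts; rows with the wrong field count are skipped."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != 5:
            continue
        ts, host, proc, dest, path = rec
        rows.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host,
            "process": proc,
            # Basename, case-folded, so the allowlist matches regardless of install path.
            "basename": proc.replace("\\", "/").rsplit("/", 1)[-1].lower(),
            "dest": dest.lower(),
            "path": path,
        })
    return rows


def find_cloud_c2_candidates(text, expected=EXPECTED_PROCESSES, min_hits=3):
    """Return (host, process, destination) tuples that hit a cloud C2 host from an
    unexpected process, with hit count and the median interval between hits.
    A regular interval across >= min_hits connections is the polling pattern
    a backdoor checking a channel for new commands produces."""
    hits = Counter()
    times = defaultdict(list)
    for r in parse_log(text):
        if r["dest"] in CLOUD_C2_HOSTS and r["basename"] not in expected:
            key = (r["host"], r["process"], r["dest"])
            hits[key] += 1
            times[key].append(r["ts"])

    findings = []
    for key in sorted(hits):
        host, proc, dest = key
        stamps = sorted(times[key])
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        findings.append({
            "host": host,
            "process": proc,
            "dest": dest,
            "count": hits[key],
            "first_seen": stamps[0].isoformat(),
            "interval_s": statistics.median(gaps) if gaps else None,
            "repeated_polling": hits[key] >= min_hits,
        })
    return findings


if __name__ == "__main__":
    for f in find_cloud_c2_candidates(SAMPLE_LOG):
        print(f)
```

On the constructed sample this reports two candidates: `echo.exe` on WS-017 polling `discord.com` every 60 seconds and `gw.exe` on WS-042 polling `graph.microsoft.com` every 120 seconds, while the browser and OneDrive client connections to the same hosts are ignored. The allowlist is the weak point of this approach: a backdoor injected into an expected process would pass it, so pair the process check with a look at the URL path and request volume per client.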

Conclusion

Webworm’s latest activity demonstrates a continued shift toward abusing legitimate cloud services and enterprise APIs for stealthy command-and-control operations. By leveraging platforms like Discord and Microsoft Graph API, the group significantly reduces the chances of detection while maintaining reliable access to compromised systems.

The introduction of EchoCreep and GraphWorm highlights an ongoing evolution in state-aligned cyber operations, where attackers increasingly favor custom, lightweight backdoors and legitimate infrastructure over traditional malware. Combined with VPN tools, proxy chains, and vulnerability scanning utilities, Webworm’s approach reflects a highly adaptable and stealth-focused intrusion model that is difficult for defenders to detect and disrupt.

Source

https://thehackernews.com/2026/05/webworm-deploys-echocreep-and-graphworm.html