Skip to main content
Emerging ThreatsMalware & Ransomware

Webworm Expands Arsenal with EchoCreep, GraphWorm Backdoors

Laptop screen showing communication platform on a neutral surface with blurred chat interface and cityscape background.

433 Discord messages were sent through the command-and-control server, with the earliest commands traced to March 21, 2024 — a concrete signal that a China-aligned actor known as Webworm has been experimenting with unconventional C2 channels and bespoke proxy tooling into 2025.

Webworm's new backdoors: EchoCreep and GraphWorm

Security researchers report that Webworm added two custom backdoors to its arsenal in 2025: EchoCreep and GraphWorm. ESET researcher Eric Howard said the group "added two new backdoors to its toolset: EchoCreep, which uses Discord for C&C communication, and GraphWorm, which uses Microsoft Graph API for the same purpose." According to the analysis, EchoCreep supports file upload/download and command execution via "cmd.exe" capabilities.

GraphWorm is described as the more capable implant: it can spawn a new "cmd.exe" session, execute newly created processes, upload and download files to and from Microsoft OneDrive, and stop its own execution after receiving an operator signal. The use of Microsoft Graph API, combined with OneDrive file operations, makes GraphWorm a clear example of using legitimate cloud application APIs for covert control and data movement.

Command-and-control tradecraft: Discord, Microsoft Graph API, and GitHub staging

The choice of C2 channels is notable for blending into benign traffic. EchoCreep uses Discord channels as its control plane; analysts counted 433 messages exchanged via the C2 server. GraphWorm's use of Microsoft Graph API and OneDrive likewise repurposes enterprise cloud services for remote control and exfiltration.

Webworm also leverages publicly accessible repositories and utilities as staging and proxy mechanisms. Researchers identified a GitHub repository impersonating a WordPress fork ("github[.]com/anjsdgasdf/WordPress") used to host malware and tools. The threat actor relies on utilities such as SoftEther VPN to mask traffic, a technique the report says is a "tried-and-tested approach." WormFrp — one of several custom proxy tools tied to the operator — has been observed retrieving configurations from a compromised Amazon S3 bucket.

Webworm operators additionally use open-source reconnaissance tools like dirsearch and nuclei to brute-force web server files and directories and to scan for vulnerabilities; how the newly observed backdoors are initially delivered remains unknown.

Proxy toolset and operational changes

Over the last two years, the actor has shifted from classical remote access trojans (RATs) toward (semi-)legitimate proxy utilities that prioritize stealth. The group previously used RATs including Trochilus RAT, Gh0st RAT, and 9002 RAT (aka Hydraq and McRat), but those tools "appear to have been abandoned" as Webworm focuses on custom proxy solutions such as WormFrp, ChainWorm, SmuxProxy, WormSocket and other tools including iox.

ESET noted that these proxies are capable of encrypting communications and supporting chaining across multiple hosts, "both internally and externally to a network," which the analysts say is used together with SoftEther VPN "to better cover their tracks and increase the stealth of their activities."

Targets and geographic focus: governments, critical sectors, and universities

Public reporting links Webworm activity since at least 2022 to government agencies and enterprises across IT services, aerospace, and electric power sectors in Russia, Georgia, Mongolia and several other Asian nations. In the past two years the actor has shifted toward European targets, including governmental organizations in Belgium, Italy, Serbia, Poland, and Spain, and it has also been observed targeting a local university in South Africa.

Analysts assess that Webworm overlaps with other China-nexus clusters tracked as FishMonger (aka Aquatic Panda), SixLittleMonkeys, and Space Pirates. SixLittleMonkeys is noted for deploying Gh0st RAT and a RAT called Mikroceen against entities in Central Asia, Russia, Belarus, and Mongolia.

Related service-based threats: BadIIS and the "lwxat" toolset

Concurrent reporting from Cisco Talos draws a parallel threat in the form of a BadIIS variant appearing to be offered under a malware-as-a-service model to multiple Chinese-speaking groups. Talos says the offering has been under development since at least September 30, 2021, and that the malware author using the alias "lwxat" supplies supplementary tools — service-based installers, droppers, and persistence mechanisms — that automate deployment and ensure survivability across IIS restarts.

Joey Chen, a Talos researcher, described the service's builder capability: it "allows threat actors to generate configuration files, customize payloads, and inject parameters into BadIIS binaries - enabling capabilities including traffic redirection to illicit sites, reverse proxying for search engine crawler manipulation, content hijacking, and backlink injection for malicious search engine optimization (SEO) fraud."

What this means for security teams, cloud providers, and researchers

  • Security teams at targeted government agencies and enterprises should watch for covert C2 using Discord and Microsoft Graph API activity and suspicious OneDrive file operations tied to process creation and cmd.exe sessions.
  • Cloud and platform operators — including GitHub and S3 custodians — need to monitor for impersonating repositories and unauthorized bucket access linked to configuration retrieval by proxy tools like WormFrp.
  • Researchers and incident responders will find value in tracking the transition away from noisy RATs toward chained proxy tooling and in cataloging indicators from EchoCreep's Discord channel and GraphWorm's Graph API usage to detect reuse or variants.

Webworm's pivot toward API-based C2 and chained proxy tooling shows a deliberate attempt to blend into normal service traffic and raise the bar for detection. The analysts' timeline — 433 Discord commands dating back to March 21, 2024 — and the concurrent emergence of MaaS offerings like BadIIS underline a dual trend: bespoke operators refining stealth, and commoditized malware lowering entry costs. A central unanswered detail remains how these new implants are initially delivered; without that link, defenders must extend telemetry to cloud APIs, developer platforms, VPN traffic and chained proxy behaviors to close the gap.

Source: The Hacker News — Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API