China-nexus Webworm expands toolset with EchoCreep and GraphWorm backdoors leveraging Discord and Microsoft Graph API for C2
Summary
A China-aligned threat actor tracked as Webworm has deployed two new custom backdoors, EchoCreep and GraphWorm, using Discord and Microsoft Graph API respectively for command-and-control (C2) communications during 2025 activities. The group, active since at least 2022 and previously associated with RATs such as Trochilus, Gh0st, and 9002, has shifted toward stealthier (semi-)legitimate utilities including SOCKS proxies and custom proxy tools like WormFrp, ChainWorm, SmuxProxy, and WormSocket. Targeting spans government agencies and enterprises in Russia, Georgia, Mongolia, European countries including Belgium, Italy, Serbia, and Poland, and a university in South Africa, often blending operations using SoftEther VPN and GitHub-hosted malware staging. Initial access vectors remain unclear though brute-forcing of web server files and directories using open-source tools like dirsearch and nuclei has been observed.
Timeline
- 20.05.2026 15:51 (1 article): Webworm deploys EchoCreep and GraphWorm backdoors via Discord and Microsoft Graph API in 2025 campaigns
China-nexus threat actor Webworm has deployed two new custom backdoors, EchoCreep and GraphWorm, using Discord and Microsoft Graph API respectively for command-and-control communications during 2025 operations. EchoCreep enables file upload/download and command execution via cmd.exe, while GraphWorm supports process spawning, file transfer via OneDrive, and self-termination on operator signal. The actor’s shift away from traditional RATs such as Trochilus and 9002 aligns with increased use of stealthier proxy tools including WormFrp, ChainWorm, SmuxProxy, and WormSocket, which support encrypted multi-hop chaining and configuration retrieval from compromised Amazon S3 buckets. Webworm’s operational footprint includes targeting government agencies and enterprises across Russia, Georgia, Mongolia, and multiple European countries, with evidence of initial access via brute-force scanning of web server files and directories using dirsearch and nuclei.
Sources:
- Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API — thehackernews.com — 20.05.2026 15:51
Information Snippets
- Webworm has introduced two new custom backdoors: EchoCreep, which uses Discord for C2 communications, and GraphWorm, which leverages Microsoft Graph API for C2.
  First reported: 20.05.2026 15:51 (1 source, 1 article)
- EchoCreep supports file upload/download and command execution via cmd.exe, while GraphWorm can spawn new cmd.exe sessions, execute processes, upload/download files to/from Microsoft OneDrive, and self-terminate on command.
  First reported: 20.05.2026 15:51 (1 source, 1 article)
- Analysis of the EchoCreep Discord C2 channel shows the earliest commands sent on March 21, 2024, with a total of 433 Discord messages transmitted via the server.
  First reported: 20.05.2026 15:51 (1 source, 1 article)
- Webworm previously used remote access trojans (RATs) such as Trochilus, Gh0st, and 9002 (Hydraq/McRat), but recent activity shows abandonment of these in favor of stealthier proxy tools and custom utilities.
  First reported: 20.05.2026 15:51 (1 source, 1 article)
- The group maintains a GitHub repository impersonating a WordPress fork ('github.com/anjsdgasdf/WordPress') used as a staging ground for malware and tools like SoftEther VPN to blend into traffic patterns.
  First reported: 20.05.2026 15:51 (1 source, 1 article)
- Webworm’s custom proxy tools (WormFrp, ChainWorm, SmuxProxy, WormSocket) support encrypted communications and multi-hop chaining across internal and external hosts; WormFrp retrieves configurations from a compromised Amazon S3 bucket.
  First reported: 20.05.2026 15:51 (1 source, 1 article)
- Webworm overlaps with the China-nexus clusters FishMonger (Aquatic Panda), SixLittleMonkeys, and Space Pirates; SixLittleMonkeys is known for deploying Gh0st RAT and Mikroceen against targets in Central Asia, Russia, Belarus, and Mongolia.
  First reported: 20.05.2026 15:51 (1 source, 1 article)
- Initial access is suspected to involve brute-forcing web server files and directories using open-source utilities like dirsearch and nuclei to locate vulnerabilities or misconfigurations.
  First reported: 20.05.2026 15:51 (1 source, 1 article)
- Separate activity reveals a BadIIS variant offered as malware-as-a-service (MaaS) by an operator known as 'lwxat', enabling traffic redirection, reverse proxying, content hijacking, and SEO fraud on IIS servers.
  First reported: 20.05.2026 15:51 (1 source, 1 article)