Webworm EchoCreep and GraphWorm backdoor expansion
Malware Activity
Summary
Webworm expanded its malware arsenal in 2025 with the custom backdoors EchoCreep and GraphWorm, increasing its ability to run stealthy command-and-control operations. EchoCreep uses Discord for C2, while GraphWorm uses Microsoft Graph API. The backdoors add file transfer and cmd.exe execution capabilities, making the malware more flexible and harder to spot. Discord-based C2 activity tied to this tooling has been observed since March 21, 2024.
Related Happenings
Glassworm botnet command-and-control disruption
Malware Activity
First: 27.05.2026 17:00
Last: 27.05.2026 17:00
Sources 1
About this happening:
The **Glassworm** botnet had all **four command-and-control channels** disrupted, cutting operators off from infected machines and blocking new payload delivery. The infrastructur...
Webworm multi-country targeting campaign against government and enterprise victims
Campaign
First: 20.05.2026 15:51
Last: 20.05.2026 15:51
Sources 1
How related:
"Webworm, first publicly documented by Broadcom-owned Symantec in September 2022, is assessed to be active since at least 2022, targeting government agencies and enterprises spanning IT services, aerospace, and electric power sectors in Russia, Georgia, Mongolia, and several other Asian nations."
About this happening:
**Webworm** is running a **multi-country targeting campaign** against **government agencies and enterprises**, expanding the risk of persistent access across several regions. The...
Webworm expanded European government and South Africa university espionage campaign
Campaign
First: 20.05.2026 14:30
Last: 20.05.2026 14:30
Sources 1
About this happening:
Webworm expanded its **2025 espionage campaign** into **European government organizations** and a **university in South Africa**, widening the cross-region targeting risk. The ope...
Discord defaults voice and video calls to end-to-end encryption
Security Tool/Service
First: 19.05.2026 23:37
Last: 19.05.2026 23:37
Sources 1
About this happening:
**Discord** has made **end-to-end encryption (E2EE)** the default for **voice and video calls**, strengthening privacy across a widely used communications platform. The rollout wa...
GopherWhisper Go-based malware toolkit with Slack, Discord, and Outlook C2
Malware Activity
First: 23.04.2026 15:06
Last: 23.04.2026 15:06
Sources 1
About this happening:
The **GopherWhisper** malware set now combines **Go-based backdoors** and **exfiltration tools** that abuse **Slack**, **Discord**, **Microsoft 365 Outlook**, and **Microsoft Grap...
Timeline
- 20.05.2026 15:51 · 2 articles · 7d ago
Webworm EchoCreep and GraphWorm backdoor expansion
Initial Disclosure
In **2025**, Webworm introduced **EchoCreep** and **GraphWorm**, custom backdoors that use **Discord** and **Microsoft Graph API** for C2. The change marked a shift toward more stealthy remote access and blended communications.
- Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API — thehackernews.com — 20.05.2026 15:51