Threat Intelligence

Webworm Backdoors Use Discord, MS Graph API

Forget the old tricks. China-linked Webworm is evolving, dropping new backdoors that weaponize everyday services like Discord and Microsoft Graph API for stealthy operations. This isn't just an upgrade; it's a strategic pivot.


Key Takeaways

  • Webworm has deployed two new backdoors, EchoCreep and GraphWorm, for command and control.
  • EchoCreep uses Discord, while GraphWorm uses Microsoft Graph API for C2 communications.
  • This indicates a strategic shift by Webworm towards more stealthy, infrastructure-abusing techniques.
  • The threat actor also employs custom proxy tools and SoftEther VPN to enhance operational security.
  • The broader trend of Chinese threat actors adopting modular and potentially commoditized tools is evident.

A grim new chapter in the Webworm playbook just opened. This China-aligned threat actor, a persistent thorn in the side of government agencies and enterprises across Russia, Georgia, Mongolia, and other Asian nations, has rolled out two sophisticated backdoors: EchoCreep and GraphWorm. What’s particularly galling—and frankly, impressive in a terrifying way—is their choice of command-and-control (C2) infrastructure. We’re talking about leveraging Discord and Microsoft’s Graph API. It’s a move that screams adaptability and a deep understanding of how to blend into the digital noise.

Webworm isn’t exactly new to the scene. Symantec first flagged their activities back in September 2022, but researchers now peg their active history to at least that year. Their targets have traditionally been high-value, spanning the IT services, aerospace, and electric power sectors. Historically, they’ve favored tried-and-true remote access trojans (RATs) like Trochilus RAT, Gh0st RAT, and the 9002 RAT. They’ve also shown significant overlap with other China-nexus clusters, including FishMonger, SixLittleMonkeys, and Space Pirates, suggesting a coordinated, albeit loosely connected, effort within the broader Chinese threat landscape.

But here’s the critical shift: the move towards custom proxy tools and these new, stealthier backdoors represents a significant evolution. ESET researcher Eric Howard nails it: “In recent years, it has started moving toward both existing and custom proxy tools, which are more stealthy than full-fledged backdoors.” And 2025? That’s when they added EchoCreep (Discord) and GraphWorm (MS Graph API) to their arsenal, effectively abandoning some of their older RATs. This isn’t just adding more weapons; it’s changing the battlefield.

Is This Just More of the Same, Or a Real Threat?

Look, the use of legitimate services for C2 isn’t entirely novel. Threat actors have been abusing cloud services and communication platforms for years. What makes this development from Webworm noteworthy is the specific choice and the sophistication implied. Discord, with its chat-like interface, can easily blend into legitimate organizational communications. Microsoft Graph API, on the other hand, is the gateway to vast amounts of organizational data and services within the Microsoft ecosystem. Weaponizing it for C2 turns a trusted tool into a vulnerability.

Their operational security—or perhaps, operational cleverness—is further evidenced by their staging grounds. A GitHub repository impersonating a WordPress fork serves as a malware repository, often alongside tools like SoftEther VPN. This reliance on SoftEther VPN isn’t unique to Webworm; it’s a favorite for many Chinese hacking groups looking to mask their traffic and create layered proxies.

“These custom proxy tools are not only capable of encrypting communications, but also support chaining across multiple hosts both internally and externally to a network,” ESET said. “We believe that the operators use these tools in conjunction with SoftEther VPN to better cover their tracks and increase the stealth of their activities.”

EchoCreep, for instance, handles file transfers and command execution. GraphWorm is the more potent sibling, capable of spawning new command shells, executing processes, and crucially, uploading/downloading files directly to Microsoft OneDrive. It can even self-terminate upon receiving a signal. This level of integration and control is what makes these backdoors so insidious.

An analysis of Discord activity shows commands dating back to March 2024, with over 433 messages sent via the C2 server. This isn’t a test run; it’s ongoing operations. The exact initial access vector remains murky, though researchers have observed Webworm employing tools like dirsearch and nuclei to probe for vulnerabilities and misconfigurations on victim web servers. It’s a broad-brush approach, but effective when you’re casting a wide net.
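As an added example (not code from the article or from ESET's research), the following Python detector runs over constructed endpoint egress log lines and flags Discord API and Microsoft Graph/OneDrive calls that come from processes outside an assumed baseline, which is the defender-side signal for the EchoCreep and GraphWorm behaviour described above. The log format, hostnames, process names and the per-service allowlist are all assumptions.

```python
import re

# Constructed sample egress log lines (not from the article), one event per line:
# "<ts> host=<name> proc=<image> dst=<server> path=<url-path> ua=<user-agent>"
SAMPLE_LOG = """\
2024-03-11T08:01:02Z host=WS-17 proc=Discord.exe dst=discord.com path=/api/v9/gateway ua=Discord
2024-03-11T08:01:09Z host=WS-17 proc=svchost.exe dst=discord.com path=/api/v9/channels/123/messages ua=python-requests/2.31
2024-03-11T08:02:15Z host=WS-17 proc=svchost.exe dst=discord.com path=/api/v9/channels/123/messages ua=python-requests/2.31
2024-03-11T08:03:40Z host=SRV-02 proc=OneDrive.exe dst=graph.microsoft.com path=/v1.0/me/drive/root/children ua=OneDriveSync
2024-03-11T08:04:01Z host=SRV-02 proc=w3wp.exe dst=graph.microsoft.com path=/v1.0/me/drive/root:/out.bin:/content ua=Mozilla/5.0
2024-03-11T08:05:00Z host=WS-03 proc=msedge.exe dst=www.example.com path=/ ua=Mozilla/5.0
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) "
    r"path=(?P<path>\S+) ua=(?P<ua>.*)$"
)

# Services the article reports being abused for C2, each with the processes that are
# expected to talk to that API on a managed endpoint (assumed baseline; tune per estate).
WATCHED = {
    "discord.com": {"prefix": "/api/", "expected": {"discord.exe"}},
    "graph.microsoft.com": {"prefix": "/v1.0/", "expected": {"onedrive.exe", "teams.exe", "outlook.exe"}},
}

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def detect_service_c2(log_text):
    """Return alerts for Discord/Graph API calls made by processes outside the baseline."""
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        rule = WATCHED.get(ev["dst"])
        if not rule or not ev["path"].startswith(rule["prefix"]):
            continue  # not a watched API endpoint
        if ev["proc"].lower() in rule["expected"]:
            continue  # baseline client talking to its own service
        reason = "unexpected process calling " + ev["dst"]
        if ev["dst"] == "graph.microsoft.com" and "/drive/" in ev["path"] and ev["path"].endswith(":/content"):
            reason = "unexpected process transferring OneDrive file content via Graph API"
        elif ev["dst"] == "discord.com" and ev["path"].endswith("/messages"):
            reason = "unexpected process reading/posting Discord channel messages"
        alerts.append({"host": ev["host"], "proc": ev["proc"], "ua": ev["ua"],
                       "dst": ev["dst"], "path": ev["path"], "reason": reason})
    return alerts
```

On the constructed sample this yields three alerts: two Discord message polls from svchost.exe on WS-17 and one OneDrive content transfer from the IIS worker process on SRV-02, while the baseline Discord and OneDrive clients stay silent.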

The Broader Ecosystem of Chinese Cyber Operations

This all unfolds against a backdrop of increasing modularity and apparent malware-as-a-service (MaaS) offerings within the Chinese threat actor ecosystem. Cisco Talos recently highlighted a BadIIS variant, likely shared or sold among groups, which automates deployment and persistence on IIS servers. The same author, operating under the alias “lwxat,



Written by
Threat Digest Editorial Team

Originally reported by The Hacker News