Nation-State Threats

Webworm APT Uses Discord, Graph API for C&C: New Report

China's Webworm APT group is upping its game, ditching old malware for C&C channels hidden in plain sight. Think Discord messages and Microsoft Graph API, folks. This isn't your grandpa's cyber espionage.

Webworm APT Evolves: 400+ Discord Messages Decrypted — Threat Digest

Key Takeaways

  • Webworm APT group, linked to China, has shifted focus from Asia to Europe and South Africa.
  • New backdoors, EchoCreep (Discord) and GraphWorm (Microsoft Graph API), are used for C&C.
  • The group uses GitHub repositories for staging malware and custom proxy tools for stealth.
  • ESET researchers decrypted over 400 Discord messages, revealing reconnaissance commands against 50+ targets.

Four hundred and fifty. That’s the number of Discord messages ESET researchers had to slog through to crack open the latest moves of the Webworm APT. A quarter-century in this game, and you learn that the most dangerous threats aren’t always the loudest ones; they’re the ones hiding in plain sight, disguised as everyday internet traffic. And Webworm, a group with ties to China, is getting awfully good at it.

We’re talking about a shift from the clunky, easily detectable backdoors of yesteryear — think McRat and Trochilus — to tools that whisper instead of shout. In 2025, Webworm decided its command-and-control (C&C) infrastructure needed a serious glow-up. Enter EchoCreep, a backdoor that piggybacks on Discord, and GraphWorm, which pulls the same trick using Microsoft’s Graph API. Why? Because who’s going to flag a bunch of seemingly innocuous Discord messages or API calls as malicious? It’s clever, it’s annoying, and frankly, it works.

This isn’t some fly-by-night operation. Webworm’s been on the radar since at least 2022, originally focused on Asia. But like a lot of bad actors, they’ve noticed greener pastures (or perhaps just less guarded ones) in Europe. Governmental organizations in Belgium, Italy, Serbia, and Poland have been hit. They even dipped their toes into South Africa, compromising a university. They’re not just changing targets; they’re systematically overhauling their toolkit.

Who’s Actually Making Money Here?

That’s always the million-dollar question, isn’t it? While ESET is doing the thankless work of exposing these operations — and good on them for it — the ultimate beneficiaries are the shadowy entities bankrolling Webworm. Are they after state secrets? Industrial espionage? Disrupting critical infrastructure? The sheer stealth of their new methods suggests a high-value target, where noisy, easily caught malware is simply too risky. It’s about patient, persistent access, not a smash-and-grab. The cloud infrastructure they’re leveraging — Vultr and IT7 Networks, to be precise — hints at a sophisticated, distributed setup designed for longevity and evasion. They’re not just buying servers; they’re building a ghost network.

Is Discord Really the New Cybercrime Hub?

It certainly seems that way, at least for certain types of actors. Decrypting over 400 Discord messages reveals a disturbing level of detail about Webworm’s operations. They’re using it to exfiltrate data, get reports, and, most importantly, receive commands. It’s a classic C&C channel, just wrapped in a service millions use daily. This isn’t the first time we’ve seen malware use consumer platforms; remember how some ransomware gangs used Telegram? It’s a growing trend: weaponizing the familiar. Microsoft Graph API is another interesting choice. It’s a massive, legitimate service, perfect for blending in. The sheer volume of legitimate traffic flowing through these services makes spotting the needles in the haystack a nightmare for defenders.

“We have seen that this threat actor continually changes its tactics, techniques, and procedures (TTPs).”

That quote from ESET’s report isn’t just boilerplate. It’s the core of Webworm’s strategy. They’re not relying on a single exploit or a single piece of malware. They’re a chameleon. In addition to the new backdoors, they’re still using proxies – both off-the-shelf solutions like SoftEther VPN and frp, and their own custom creations: WormFrp, ChainWorm, SmuxProxy, and WormSocket. These aren’t just simple tunnels; they’re designed to encrypt traffic and chain across multiple hosts, making it incredibly difficult to trace the origin or destination. It’s about layering obfuscation upon obfuscation.

The group’s reliance on GitHub to stage its malware is another well-worn but effective technique. A public repository, perhaps with innocuously named files, can serve as a direct download portal for victims. It’s efficient, it’s common practice for legitimate developers, and it’s a perfect way to deliver their next payload without raising too many red flags until it’s too late.

This shift towards legitimate services for C&C and tool staging isn’t just an evolution; it’s a fundamental change in how nation-state adversaries are operating. They’re moving beyond bespoke, noisy malware and embracing the complexity and anonymity of legitimate cloud services. For security teams, this means a constant uphill battle, requiring deeper analysis of network traffic and a keen eye for anomalies that might otherwise be dismissed as routine. It’s a brave new world out there, and Webworm is just one of many showing us the way.
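As an added defender-side example (not code from ESET’s report or from this page), the check below scans constructed proxy-log lines for traffic to the two services the article names and flags two things the “needle in the haystack” problem above calls for: a connection from a process outside an assumed allowlist of expected clients, and connections recurring at machine-regular intervals. The log format, host and process names, and the allowlist are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Services the article reports being abused for C&C, each with the client processes a
# fleet would normally expect to use them (assumed allowlist, not from the report).
WATCHED = {
    "discord.com": {"Discord.exe", "chrome.exe", "firefox.exe"},
    "graph.microsoft.com": {"outlook.exe", "teams.exe", "onedrive.exe"},
}
# Constructed sample in an assumed 'timestamp,host,process,destination' format, in time order.
SAMPLE_LOG = """\
2025-06-01T09:00:00,ws-17,Discord.exe,discord.com
2025-06-01T09:00:05,ws-17,Discord.exe,discord.com
2025-06-01T09:00:07,ws-42,ms-sync.exe,graph.microsoft.com
2025-06-01T09:01:07,ws-42,ms-sync.exe,graph.microsoft.com
2025-06-01T09:02:07,ws-42,ms-sync.exe,graph.microsoft.com
2025-06-01T09:03:07,ws-42,ms-sync.exe,graph.microsoft.com
2025-06-01T09:03:40,ws-17,Discord.exe,discord.com
2025-06-01T09:05:00,ws-08,updater.exe,discord.com
2025-06-01T09:10:30,ws-08,updater.exe,discord.com
2025-06-01T09:12:01,ws-17,Discord.exe,discord.com
"""

def parse_log(text):
    """Parse the constructed CSV-style lines into dicts with a datetime."""
    recs = []
    for line in text.strip().splitlines():
        ts, host, proc, dest = line.split(",")
        recs.append({"ts": datetime.fromisoformat(ts), "host": host,
                     "proc": proc, "dest": dest})
    return recs

def find_suspicious(recs, min_hits=4, max_cv=0.15):
    """Map (host, process, destination) -> reasons, for watched services only."""
    by_key = defaultdict(list)
    for r in recs:
        if r["dest"] in WATCHED:
            by_key[(r["host"], r["proc"], r["dest"])].append(r["ts"])
    findings = {}
    for (host, proc, dest), stamps in by_key.items():
        reasons = []
        if proc not in WATCHED[dest]:  # a client we do not expect on this service
            reasons.append("unexpected-process")
        if len(stamps) >= min_hits:
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            # Near-zero coefficient of variation: a timer is talking, not a person.
            if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
                reasons.append(f"beacon~{mean(gaps):.0f}s")
        if reasons:
            findings[(host, proc, dest)] = reasons
    return findings
```

On the sample, the real Discord client’s irregular, human-paced traffic passes, while the unknown process polling Graph every 60 seconds is flagged on both counts.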


Written by Wei Chen

Technical security analyst. Specialises in malware reverse engineering, APT campaigns, and incident response.


Originally reported by WeLiveSecurity (ESET)
