Webworm uses Discord and Microsoft Graph API for new backdoors
China-aligned Webworm deployed EchoCreep and GraphWorm backdoors in 2025, using Discord and the Microsoft Graph API for command-and-control across targets in Asia and Europe.
Security researchers tracked activity by a China-aligned threat actor known as Webworm and found two backdoors deployed in 2025: EchoCreep and GraphWorm. EchoCreep uses Discord channels for command-and-control and GraphWorm uses the Microsoft Graph API.
EchoCreep can upload and download files and execute commands through cmd.exe. Researchers found commands on the Discord C2 channel dating back to March 21, 2024 and observed 433 messages on that server. GraphWorm can spawn cmd.exe sessions, launch new processes, transfer files to and from Microsoft OneDrive via the Graph API, and stop running when instructed by operators. Both channels ride on legitimate, widely allowed services, so the C2 traffic is TLS to well-known domains rather than to attacker infrastructure.
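Because both backdoors talk to services that are normally allowed outbound, a blocklist on the destination is not useful; the signal is which process is making the connection. The following is an added example written for this article, not ESET's tooling or anything recovered from Webworm: it runs over Sysmon-style network (Event ID 3, DestinationHostname) and DNS (Event ID 22, QueryName) records exported as JSON lines and flags processes outside an assumed baseline that reach Discord or Microsoft Graph/OneDrive hosts. The records, the host suffixes, and the process allowlists are all constructed assumptions to be tuned for a real fleet.

```python
"""Flag non-baseline processes that contact Discord or Microsoft Graph/OneDrive.

Added example for this article (not ESET's or Webworm's code). Assumes
Sysmon-style JSON-lines records with Image plus DestinationHostname (net
connection) or QueryName (DNS query). Sample records below are constructed.
"""
import json
from dataclasses import dataclass

# Host suffixes for the two C2 channels described in the article. A suffix
# starting with "-" is matched raw (tenant-specific OneDrive for Business hosts).
DISCORD_SUFFIXES = ("discord.com", "discordapp.com", "discord.gg")
GRAPH_SUFFIXES = ("graph.microsoft.com", "onedrive.live.com", "-my.sharepoint.com")

# Assumed baseline of processes expected to reach these services; tune per fleet.
EXPECTED_DISCORD = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
EXPECTED_GRAPH = {"onedrive.exe", "outlook.exe", "ms-teams.exe", "teams.exe",
                  "chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass(frozen=True)
class Finding:
    computer: str
    image: str      # process file name only, lower-cased
    dest: str       # destination or queried host name
    channel: str    # "discord" or "graph"


def _matches(dest, suffixes):
    """True if dest equals a suffix domain or is a subdomain of it."""
    d = dest.lower().rstrip(".")
    for s in suffixes:
        if s.startswith("-"):
            if d.endswith(s):
                return True
        elif d == s or d.endswith("." + s):
            return True
    return False


def classify(event):
    """Return a Finding when a non-baseline process touches a C2-capable service."""
    image = event.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    dest = event.get("DestinationHostname") or event.get("QueryName") or ""
    if not image or not dest:
        return None  # IP-only records carry no host name; rely on the DNS event instead
    if _matches(dest, DISCORD_SUFFIXES) and image not in EXPECTED_DISCORD:
        return Finding(event.get("Computer", "?"), image, dest.lower(), "discord")
    if _matches(dest, GRAPH_SUFFIXES) and image not in EXPECTED_GRAPH:
        return Finding(event.get("Computer", "?"), image, dest.lower(), "graph")
    return None


def scan(lines):
    """Parse JSON lines and collect findings; malformed lines are skipped."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = classify(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real data): two benign, three suspicious, one IP-only.
SAMPLE_LINES = [json.dumps(e) for e in [
    {"Computer": "WS01", "EventID": 3,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "discord.com"},
    {"Computer": "WS01", "EventID": 22,
     "Image": r"C:\Users\Public\svchost.exe", "QueryName": "gateway.discord.gg"},
    {"Computer": "WS02", "EventID": 3,
     "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "DestinationHostname": "graph.microsoft.com"},
    {"Computer": "WS02", "EventID": 3,
     "Image": r"C:\ProgramData\update.exe", "DestinationHostname": "graph.microsoft.com"},
    {"Computer": "WS02", "EventID": 3,
     "Image": r"C:\ProgramData\update.exe", "DestinationHostname": "contoso-my.sharepoint.com"},
    {"Computer": "WS03", "EventID": 3,
     "Image": r"C:\ProgramData\update.exe", "DestinationIp": "162.159.128.233"},
]]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"{f.computer}: {f.image} -> {f.dest} [{f.channel}]")
```

The IP-only record is deliberately not flagged: Discord sits behind a CDN and Graph resolves to shared Microsoft ranges, so destination IP alone says little; the DNS query event for the same process is what restores the host name. Renamed or relocated binaries (svchost.exe in a user-writable path) still pass the name check only if they are on the allowlist, which is why the baseline should be narrow and path-aware in production.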
The group has been active since at least 2022. It previously used remote access trojans including Trochilus RAT, Gh0st RAT and the 9002 RAT (also tracked as Hydraq or McRat). More recently the actor has shifted to proxy tools and semi-legitimate utilities.
Researchers identified custom proxy tools named WormFrp, ChainWorm, SmuxProxy, WormSocket and a utility called iox. WormFrp has been observed retrieving configuration from a compromised Amazon S3 bucket. These proxy tools can encrypt traffic and chain connections across multiple internal and external hosts. Operators often use SoftEther VPN alongside these tools.
The actor used a GitHub repository impersonating a WordPress fork as a staging area for malware and tools. Open-source scanners were used against targets' web servers: dirsearch to brute-force file and directory paths, and nuclei to scan for known vulnerabilities. Researchers have not yet confirmed the initial access method for recent infections.
Targets attributed to Webworm include government agencies and companies in IT services, aerospace and electric power sectors in Russia, Georgia, Mongolia and other Asian countries. In the last two years the actor has also targeted government organizations in Belgium, Italy, Serbia and Poland and at least one university in South Africa.
ESET researcher Eric Howard noted: “In recent years, it has started moving toward both existing and custom proxy tools, which are more stealthy than full-fledged backdoors. In 2025, Webworm also added two new backdoors to its toolset: EchoCreep, which uses Discord for C&C communication, and GraphWorm, which uses Microsoft Graph API for the same purpose.”
Cisco Talos reported a separate BadIIS variant that appears to be offered under a malware-as-a-service model to Chinese-speaking operators. Talos identified an author using the handle “lwxat” who provides a builder and supporting tools that let operators customize BadIIS payloads and automate deployment for traffic redirection, reverse proxying, content hijacking and backlink injection for search-engine manipulation.
ESET researchers reported some older Webworm tools, including Trochilus and the 9002 RAT, appear to have been retired as the actor adopts proxy-based approaches and integrates new backdoors. Security teams continue to monitor the actor’s tools and the use of collaboration platforms and cloud APIs for covert command-and-control.