Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API

Cybersecurity researchers have flagged new activity in 2025 from a China-linked threat actor known as Webworm, which has deployed custom backdoors that use Discord and the Microsoft Graph API for command-and-control (C2 or C&C) communication.
Webworm, first documented publicly by Broadcom-owned Symantec in September 2022, is assessed to have been active since at least 2022, targeting government agencies and businesses in sectors including IT services, aerospace, and energy in Russia, Georgia, Mongolia, and several other Asian nations.
The attacks mounted by the group have used remote access trojans (RATs) such as the Trochilus RAT, the Gh0st RAT, and the 9002 RAT (aka Hydraq and McRat). The threat actor is said to overlap with China-nexus groups such as FishMonger (also known as Aquatic Panda), SixLittleMonkeys, and Space Pirates. SixLittleMonkeys is best known for using the Gh0st RAT and a RAT called Mikroceen against businesses in Central Asia, Russia, Belarus, and Mongolia.
“In recent years, it’s started to move toward both existing and custom proxy tools, which are more subtle than full-blown gateways,” said ESET researcher Eric Howard. “In 2025, Webworm also added two backdoors to its toolset: EchoCreep, which uses Discord for C&C communication, and GraphWorm, which uses the Microsoft Graph API for the same purpose.”
Underpinning these efforts is the use of a GitHub repository forked from WordPress (“github[.]com/anjsdgasdf/WordPress”) to host malware and tools such as SoftEther VPN, in an attempt to blend in and fly under the radar. Relying on SoftEther VPN is a tried-and-tested method adopted by several Chinese hacking groups.

Over the last two years, the adversary appears to have shifted from traditional backdoors to (semi-)legitimate tools such as SOCKS proxies, while focusing more on European countries, including government agencies in Belgium, Italy, Serbia, Poland, and Spain, as well as a university in South Africa.
The discovery of EchoCreep and GraphWorm expands Webworm’s arsenal, while Trochilus and the 9002 RAT appear to have been abandoned by the threat actor. Other tools in use include iox and custom proxy solutions such as WormFrp, ChainWorm, SmuxProxy, and WormSocket. WormFrp was found to retrieve its configuration from a vulnerable Amazon S3 bucket.
“These custom proxy tools can not only encrypt communications, but also support connecting multiple hosts inside and outside the network,” ESET said. “We believe that operators use these tools in conjunction with SoftEther VPN to better cover their tracks and increase the sophistication of their operations.”
EchoCreep supports file upload/download and command execution via “cmd.exe”, while GraphWorm is a more advanced backdoor that can spawn a new “cmd.exe” session, run commands in a newly created process, upload files to and download files from Microsoft OneDrive, and set its own start time after receiving a signal from operators.
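Both backdoors hide their C2 traffic inside services that many enterprises allow outbound (Discord and the Microsoft Graph API), so the practical hunting question is which processes talk to those services and how regularly. The following is an added example, not code from ESET or the article. It assumes an egress-proxy log that records the originating process name (a constructed format here), an allowlist of processes expected to use each service, and a simple beaconing check that flags near-constant polling intervals from one process to one host.

```python
"""Hunting for Discord / Microsoft Graph C2 traffic in egress proxy logs.

Added example (not ESET's or the article's code). Assumes a proxy log
format, constructed below, of: timestamp|client host|process|dest host|path.
Two checks are applied:
  1. allowlist: which processes are expected to contact Discord / Graph
  2. beaconing: near-constant polling intervals from one process to one host
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hosts of the two services the article names as C2 carriers.
WATCHED_HOSTS = {
    "discord.com": "discord",
    "discordapp.com": "discord",
    "graph.microsoft.com": "graph",
}

# Assumed allowlist of process names that legitimately use each service;
# tune this to what is actually deployed in the environment.
EXPECTED_PROCESSES = {
    "discord": {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
    "graph": {"outlook.exe", "onedrive.exe", "ms-teams.exe", "msedge.exe", "chrome.exe"},
}

# Constructed sample log lines: ts|host|process|dest_host|path
SAMPLE_LOG = """\
2025-10-01T09:00:00|ws01|msedge.exe|graph.microsoft.com|/v1.0/me/messages
2025-10-01T09:00:05|ws02|svchost.exe|discord.com|/api/v10/channels/1234/messages
2025-10-01T09:00:35|ws02|svchost.exe|discord.com|/api/v10/channels/1234/messages
2025-10-01T09:01:05|ws02|svchost.exe|discord.com|/api/v10/channels/1234/messages
2025-10-01T09:01:35|ws02|svchost.exe|discord.com|/api/v10/channels/1234/messages
2025-10-01T09:02:05|ws02|svchost.exe|discord.com|/api/v10/channels/1234/messages
2025-10-01T09:00:10|ws03|onedrive.exe|graph.microsoft.com|/v1.0/me/drive/root/children
2025-10-01T09:03:00|ws04|updater.exe|graph.microsoft.com|/v1.0/me/drive/root:/upload.bin:/content
2025-10-01T09:03:30|ws05|firefox.exe|discord.com|/api/v10/users/@me
"""


def parse_log(text):
    """Parse the constructed pipe-separated format into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, host, proc, dest, path = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "proc": proc.lower(), "dest": dest.lower(), "path": path})
    return events


def unexpected_clients(events):
    """Return sorted (host, process, dest) tuples for watched hosts contacted
    by a process that is not on the allowlist for that service."""
    hits = set()
    for e in events:
        svc = WATCHED_HOSTS.get(e["dest"])
        if svc and e["proc"] not in EXPECTED_PROCESSES[svc]:
            hits.add((e["host"], e["proc"], e["dest"]))
    return sorted(hits)


def beacons(events, min_hits=4, max_jitter=0.2):
    """Return (host, process, dest, mean_interval_s) for series whose polling
    intervals are near-constant (coefficient of variation <= max_jitter)."""
    series = defaultdict(list)
    for e in events:
        if e["dest"] in WATCHED_HOSTS:
            series[(e["host"], e["proc"], e["dest"])].append(e["ts"])
    found = []
    for key, stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_jitter:
            found.append((*key, m))
    return found


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for h in unexpected_clients(ev):
        print("unexpected client:", h)
    for b in beacons(ev):
        print("possible beacon:", b)
```

On the constructed sample the allowlist check surfaces the two hosts where a non-browser, non-Office process reaches Discord or Graph, and the beaconing check independently flags the 30-second polling loop; the two checks are deliberately separate, because a backdoor that injects into a browser process passes the allowlist but still beacons.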

An analysis of the Discord channel used by EchoCreep as its C2 channel shows that the earliest commands were sent on March 21, 2024. In total, 433 Discord messages were exchanged over the C2 channel.
How these backdoors are delivered, and the initial access method used by Webworm, is currently unknown. However, the attacker has been observed using open-source tools such as dirsearch and nuclei to brute-force files and directories on victims’ web servers and to scan them for vulnerabilities.
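Directory brute-forcing and template-based vulnerability scanning of the kind just described leave a distinctive footprint in web server access logs: one source issuing many requests for distinct paths in a short time, most of them answered with 404. The following is an added example, not code from the article or from the dirsearch or nuclei projects. It assumes Apache/nginx combined-format access logs (constructed sample lines below) and flags sources whose request volume and 404 ratio both exceed configurable thresholds.

```python
"""Flagging web-scanner sources in combined-format access logs.

Added example (not the article's code). Input is a constructed sample of
combined-format log lines; a source is reported when it has sent at least
min_requests requests and at least min_404_ratio of them returned 404.
"""
import re
from collections import defaultdict

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample: 203.0.113.7 walks a wordlist, 198.51.100.20 is a normal visitor.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [01/Oct/2025:10:00:00 +0000] "GET /admin/ HTTP/1.1" 404 196
203.0.113.7 - - [01/Oct/2025:10:00:00 +0000] "GET /backup/ HTTP/1.1" 404 196
203.0.113.7 - - [01/Oct/2025:10:00:01 +0000] "GET /old/ HTTP/1.1" 404 196
203.0.113.7 - - [01/Oct/2025:10:00:01 +0000] "GET /test/ HTTP/1.1" 404 196
203.0.113.7 - - [01/Oct/2025:10:00:01 +0000] "GET /config/ HTTP/1.1" 404 196
203.0.113.7 - - [01/Oct/2025:10:00:02 +0000] "GET /robots.txt HTTP/1.1" 200 42
198.51.100.20 - - [01/Oct/2025:10:00:03 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.20 - - [01/Oct/2025:10:00:04 +0000] "GET /static/app.js HTTP/1.1" 200 88211
198.51.100.20 - - [01/Oct/2025:10:00:05 +0000] "GET /favicon.ico HTTP/1.1" 404 196
"""


def parse_access_log(text):
    """Yield (ip, path, status) for each parseable line; skip malformed ones."""
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("path"), int(m.group("status"))


def scan_sources(text, min_requests=5, min_404_ratio=0.6):
    """Return [(ip, total_requests, not_found, distinct_paths)] for sources that
    look like path brute-forcers, sorted by total requests descending."""
    totals = defaultdict(int)
    not_found = defaultdict(int)
    paths = defaultdict(set)
    for ip, path, status in parse_access_log(text):
        totals[ip] += 1
        paths[ip].add(path)
        if status == 404:
            not_found[ip] += 1
    flagged = []
    for ip, total in totals.items():
        if total >= min_requests and not_found[ip] / total >= min_404_ratio:
            flagged.append((ip, total, not_found[ip], len(paths[ip])))
    return sorted(flagged, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for ip, total, nf, distinct in scan_sources(SAMPLE_ACCESS_LOG):
        print(f"{ip}: {total} requests, {nf} x 404, {distinct} distinct paths")
```

The distinct-path count is returned alongside the 404 ratio because a broken link hammered by a legitimate client produces a high 404 ratio on one path, whereas a wordlist scan spreads across many; a real deployment would also bucket by time window rather than over the whole file.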
The disclosure comes as Cisco Talos sheds light on a variant of BadIIS that may have been sold or shared among several Chinese-speaking cybercriminal groups under a malware-as-a-service (MaaS) model designed to generate revenue. The offering is believed to have been in development since at least September 30, 2021.
The same malware author, operating under the alias “lwxat,” has also made available a set of additional tools, including service-based installers, downloaders, and persistence mechanisms that automate deployment, ensure survival across IIS server restarts, and sidestep detection.
The service offers a dedicated builder tool that “allows threat actors to generate configuration files, customize responsibilities, and put restrictions on BadIIS binaries – enabling capabilities that include redirecting traffic to illegal sites, reverse proxy spoofing for search engine optimization, content hijacking, and backlink injection for malicious search engine optimization,” said Joe Che O.
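BadIIS and its installers are loaded as native IIS modules, which means their DLLs have to be registered in applicationHost.config. A baseline audit of that file is therefore a cheap defender check. The following is an added example, not Cisco Talos code and not tied to any specific BadIIS sample. It assumes (as a configurable baseline) that stock native modules live under the IIS and .NET system directories, and it parses a constructed applicationHost.config fragment in which “CacheHelper” and “ReportHelper” are made-up entries.

```python
"""Auditing IIS native modules registered in applicationHost.config.

Added example (not Cisco Talos code). Assumed baseline: every <globalModules>
entry should point at a DLL under the stock IIS or .NET directories, and every
<modules> entry without a managed 'type' should name a declared global module.
"""
import xml.etree.ElementTree as ET

# Assumed baseline of directory prefixes for stock IIS / ASP.NET native modules
# (lower-cased, backslash-separated); extend for legitimate third-party modules.
TRUSTED_PREFIXES = (
    "%windir%\\system32\\inetsrv\\",
    "%windir%\\microsoft.net\\",
)

# Constructed applicationHost.config fragment; CacheHelper and ReportHelper are made up.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="ManagedEngine64" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" />
      <add name="CacheHelper" image="C:\inetpub\temp\cachehelper.dll" />
    </globalModules>
    <modules>
      <add name="HttpLoggingModule" />
      <add name="CacheHelper" />
      <add name="ReportHelper" />
    </modules>
  </system.webServer>
</configuration>
"""


def normalize(path):
    """Windows paths are case-insensitive; compare lower-cased with backslashes."""
    return path.lower().replace("/", "\\")


def audit_modules(xml_text):
    """Return (suspicious_images, undeclared_names).

    suspicious_images: names of <globalModules> entries whose DLL path is outside
                       the trusted baseline directories
    undeclared_names:  <modules> entries (without a managed 'type') that enable a
                       name with no matching <globalModules> declaration
    """
    root = ET.fromstring(xml_text)
    declared = {}
    # iter() by tag name avoids XPath handling of the dotted 'system.webServer' tag.
    for gm in root.iter("globalModules"):
        for add in gm.findall("add"):
            declared[add.get("name")] = add.get("image", "")
    suspicious = [name for name, image in declared.items()
                  if not normalize(image).startswith(TRUSTED_PREFIXES)]
    undeclared = []
    for mods in root.iter("modules"):
        for add in mods.findall("add"):
            # Managed modules carry a 'type' attribute instead of a global declaration.
            if add.get("type") is None and add.get("name") not in declared:
                undeclared.append(add.get("name"))
    return suspicious, undeclared


if __name__ == "__main__":
    sus, undecl = audit_modules(SAMPLE_CONFIG)
    print("native modules outside baseline:", sus)
    print("enabled but undeclared:", undecl)
```

A module outside the baseline directories is not proof of compromise (vendors do ship native modules), so the follow-up is to check the DLL’s signature and file history rather than to act on the path alone; running the audit from a known-good copy of applicationHost.config turns it into a diff against baseline.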



