Cybersecurity researchers have reported fresh activity from Webworm, a China-aligned threat actor known for targeting government agencies, IT service providers, aerospace organizations, and electric power sectors across Asia and Europe.
In its latest campaign, Webworm has added two new custom backdoors to its toolkit: EchoCreep and GraphWorm. What makes these tools notable is their use of trusted platforms for command-and-control communication. EchoCreep uses Discord, while GraphWorm relies on Microsoft Graph API, making malicious traffic harder to detect because it can blend in with normal cloud and collaboration service activity.
Webworm has been active since at least 2022 and has previously used remote access tools such as Trochilus RAT, Gh0st RAT, and 9002 RAT. Over time, the group appears to have shifted away from traditional malware toward stealthier proxy tools, VPN utilities, and custom backdoors designed to maintain access while avoiding detection.
Researchers also found that the attackers used a GitHub repository pretending to be a WordPress fork as a staging area for malware and tools. This approach helps the threat actor hide malicious activity behind platforms and services that many organizations already trust.
EchoCreep can upload and download files and execute commands through cmd.exe. GraphWorm appears more advanced, with the ability to launch command sessions, create new processes, transfer files through Microsoft OneDrive, and stop itself when instructed by operators.
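Because both backdoors ride on services that legitimate clients also use, a useful defensive check is not "who talks to Discord or Graph" but "which process does". The following is an added example (not from the report or the researchers): it scans constructed endpoint network telemetry and flags processes outside an assumed allowlist that repeatedly contact graph.microsoft.com or discord.com; the log format, process names and allowlist are all assumptions for illustration.

```python
from collections import defaultdict

# Services the report names as C2 transports, mapped to the client processes
# an organisation would normally expect to use them. The allowlist is an
# assumption for this example; tune it to your own estate.
EXPECTED_CLIENTS = {
    "graph.microsoft.com": {"teams.exe", "outlook.exe", "onedrive.exe", "msedge.exe"},
    "discord.com": {"discord.exe", "msedge.exe", "chrome.exe"},
}

def parse_line(line):
    """Parse 'ts host process dest_host path bytes_out' (constructed format)."""
    ts, host, proc, dest, path, bytes_out = line.split()
    return {"ts": ts, "host": host, "proc": proc.lower(), "dest": dest.lower(),
            "path": path, "bytes_out": int(bytes_out)}

def find_suspicious(lines, min_hits=3):
    """Return sorted (host, process, destination) triples where a process
    outside the allowlist reaches a monitored service at least min_hits times.
    The threshold suppresses one-off noise; repeated contact looks like a
    backdoor polling for tasking."""
    counts = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        expected = EXPECTED_CLIENTS.get(ev["dest"])
        if expected is None or ev["proc"] in expected:
            continue  # unmonitored service, or a client we expect to see
        counts[(ev["host"], ev["proc"], ev["dest"])] += 1
    return sorted(k for k, n in counts.items() if n >= min_hits)

# Constructed sample telemetry. 'svchosts.exe', 'updater.exe' and
# 'installer.exe' are made-up process names, not indicators from the report.
SAMPLE_LOG = """\
2024-01-01T09:00:00Z ws01 outlook.exe graph.microsoft.com /v1.0/me/messages 812
2024-01-01T09:00:05Z ws01 svchosts.exe graph.microsoft.com /v1.0/me/drive/root/children 640
2024-01-01T09:01:05Z ws01 svchosts.exe graph.microsoft.com /v1.0/me/drive/root/children 644
2024-01-01T09:02:05Z ws01 svchosts.exe graph.microsoft.com /v1.0/me/drive/root/children 641
2024-01-01T09:03:00Z ws02 chrome.exe discord.com /channels/@me 1200
2024-01-01T09:03:10Z ws02 updater.exe discord.com /api/channels/c1/messages 400
2024-01-01T09:04:10Z ws02 updater.exe discord.com /api/channels/c1/messages 402
2024-01-01T09:05:10Z ws02 updater.exe discord.com /api/channels/c1/messages 399
2024-01-01T09:06:00Z ws03 installer.exe graph.microsoft.com /v1.0/me 300
""".splitlines()

if __name__ == "__main__":
    for host, proc, dest in find_suspicious(SAMPLE_LOG):
        print(f"{host}: {proc} -> {dest} is not an expected client for that service")
```

The single contact from installer.exe on ws03 is deliberately below the threshold, which is the trade-off to tune: lower it to catch a slow poller, raise it to cut noise from one-off installers.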
The campaign also shows Webworm’s continued interest in proxy-based operations. Tools such as SoftEther VPN and custom proxy frameworks allow attackers to move through internal networks, chain connections across systems, and make their activity harder to trace.
Although the exact initial access method is still unclear, researchers observed the use of open-source tools to scan web servers, brute-force directories, and search for vulnerabilities.
Cybersecurity companies like IntelligenceX help organizations reduce these risks through threat intelligence, malware analysis, cloud security monitoring, and detection of suspicious command-and-control activity.
This case shows how attackers are increasingly abusing trusted platforms like Discord, GitHub, Microsoft Graph, and OneDrive to hide malicious operations inside normal business traffic.