Fyself News
Webworm uses Discord and MS Graph API to deploy EchoCreep and GraphWorm backdoors

May 20, 2026

Cybersecurity researchers have flagged new activity in 2025 by a China-aligned threat actor known as Webworm, which deployed custom backdoors that use Discord and the Microsoft Graph API for command-and-control (C2, or C&C) communications.

Webworm was first publicly documented by Broadcom-owned Symantec in September 2022 and is assessed to have been active since at least 2022, targeting government agencies and companies across the IT services, aerospace, and power sectors in Russia, Georgia, Mongolia, and several other countries in Asia.

Attacks launched by this group have leveraged remote access Trojans (RATs) such as Trochilus RAT, Gh0st RAT, and 9002 RAT (also known as Hydraq and McRat). The threat actor is said to overlap with China-linked clusters tracked as FishMonger (also known as Aquatic Panda), SixLittleMonkeys, and Space Pirate. SixLittleMonkeys is best known for deploying the Gh0st and Mikroceen RATs against organizations in Central Asia, Russia, Belarus, and Mongolia.

“In recent years, we’ve started to see a shift toward both existing and custom proxy tools, which are more stealthy than full-fledged backdoors,” ESET researcher Eric Howard said. “In 2025, Webworm also added two new backdoors to its toolset: EchoCreep, which uses Discord for C&C communication, and GraphWorm, which uses Microsoft Graph API for the same purpose.”

Also underpinning these campaigns is the use of GitHub repositories that masquerade as WordPress forks (github[.]com/anjsdgasdf/WordPress), an effort to fly under the radar while serving as a staging point for malware and tools such as SoftEther VPN. Relying on SoftEther VPN is an approach several Chinese hacking groups have used before.

Over the past two years, we have observed that the attackers have moved away from traditional backdoors to (semi-)legitimate utilities such as SOCKS proxies, while also increasingly focusing on Europe, targeting government agencies in Belgium, Italy, Serbia, Poland, and Spain, as well as universities in South Africa.

The discovery of EchoCreep and GraphWorm marks an expansion of Webworm's arsenal, while Trochilus and 9002 RAT appear to have been abandoned by the threat actor. Other notable tools are iox and custom proxy solutions such as WormFrp, ChainWorm, SmuxProxy, and WormSocket. WormFrp was found to obtain its configuration from a compromised Amazon S3 bucket.

“These custom proxy tools can not only encrypt communications, but also support chaining across multiple hosts both inside and outside the network,” ESET said. “We believe carriers can use these tools in conjunction with SoftEther VPN to better cover tracking and make their activities more stealthy.”

While EchoCreep supports file upload/download and command execution through cmd.exe, GraphWorm is a more sophisticated backdoor that can spawn new cmd.exe sessions, run newly created processes, upload and download files via Microsoft OneDrive, and stop its own execution after receiving a signal from an operator.
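Because both backdoors hide their C2 inside traffic to legitimate cloud services, one way a defender can hunt for this pattern is to flag connections to Discord's API or Microsoft Graph from processes that have no business making them. The following is an added example, not ESET's or the article's code; the telemetry record layout, the sample records and the allowlist of expected client processes are assumptions to be tuned per environment.

```python
"""Hunt for Discord / Microsoft Graph API traffic from unexpected processes.

Added example (not from ESET or the article). The input records are
constructed here; their field layout is an assumed EDR/proxy export.
"""
from collections import defaultdict

# Hosts used by the backdoors described above: EchoCreep talks to Discord,
# GraphWorm to Microsoft Graph (OneDrive file transfer).
C2_HOSTS = {
    "discord.com": "discord",
    "discordapp.com": "discord",
    "graph.microsoft.com": "msgraph",
}
# Processes that legitimately use these APIs (assumed baseline, tune per estate).
EXPECTED = {
    "discord": {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
    "msgraph": {"teams.exe", "outlook.exe", "onedrive.exe", "msedge.exe", "chrome.exe"},
}

# Constructed sample telemetry: (hostname, process image, destination host, URL path)
SAMPLE = [
    ("ws01", "msedge.exe", "discord.com", "/api/v9/channels/1/messages"),
    ("ws01", "svchost.exe", "discord.com", "/api/v10/channels/42/messages"),
    ("srv02", "onedrive.exe", "graph.microsoft.com", "/v1.0/me/drive/root/children"),
    ("srv02", "conhost.exe", "graph.microsoft.com", "/v1.0/me/drive/root:/out.bin:/content"),
    ("srv02", "conhost.exe", "graph.microsoft.com", "/v1.0/me/drive/root:/out.bin:/content"),
    ("ws03", "chrome.exe", "example.com", "/"),
]

def classify(dest):
    """Map a destination host (or any of its subdomains) to a service name, else None."""
    for host, svc in C2_HOSTS.items():
        if dest == host or dest.endswith("." + host):
            return svc
    return None

def find_suspicious(records):
    """Return {(hostname, process, service): count} for API traffic from non-allowlisted processes."""
    hits = defaultdict(int)
    for hostname, proc, dest, _path in records:
        svc = classify(dest)
        if svc is None or proc.lower() in EXPECTED[svc]:
            continue  # not a watched service, or an expected client for it
        hits[(hostname, proc.lower(), svc)] += 1
    return dict(hits)

if __name__ == "__main__":
    for (hostname, proc, svc), n in sorted(find_suspicious(SAMPLE).items()):
        print(f"{hostname}: {proc} -> {svc} API x{n}")
```

A process-name allowlist is a coarse first filter; in practice, pair it with signer checks and per-host baselining, since an implant can be named after a legitimate binary.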

Analysis of the Discord channel EchoCreep uses as its C2 shows that the oldest command was sent on March 21, 2024. A total of 433 Discord messages were sent over the C2 channel.

How these backdoors are delivered and the initial access vector Webworm uses are currently unknown. However, the attackers have been observed using open source utilities such as dirsearch and nuclei to brute-force files and directories on victim web servers and to scan them for vulnerabilities.

The disclosure comes after Cisco Talos revealed a BadIIS variant that is likely being sold or shared among multiple Chinese-speaking cybercrime groups under a malware-as-a-service (MaaS) model for ongoing monetization. The product is believed to have been in development since at least September 30, 2021.

The same malware author, operating under the alias “lwxat,” also made available a set of auxiliary tools including service-based installers, droppers, and persistence mechanisms to automate deployment, ensure survivability across IIS server reboots, and evade detection.

The service provides a proprietary builder tool that “allows attackers to generate configuration files, customize payloads, and inject parameters into BadIIS binaries, enabling features such as traffic redirection to illegal sites, reverse proxies for search engine crawler operation, content hijacking, and backlink injection for malicious search engine optimization (SEO) fraud,” said Talos researcher Joey Chen.
