

Ethical Hacking News

Webworm's Sophisticated Malware Deployment: A Growing Threat to Global Cybersecurity



Webworm, a China-aligned threat actor, has been observed deploying custom backdoors utilizing Discord and Microsoft Graph API for command-and-control (C2 or C&C) communications. EchoCreep and GraphWorm are two new backdoors used by the threat actor, which demonstrate an expansion of their arsenal.

Webworm's malware deployment poses a significant threat to global cybersecurity, so defenders should stay informed about emerging threats and their tactics, techniques, and procedures (TTPs).

  • Webworm, a China-aligned threat actor, has deployed custom backdoors using Discord and Microsoft Graph API for command-and-control (C2 or C&C) communications.
  • EchoCreep and GraphWorm are two new backdoors used by Webworm, expanding their arsenal.
  • The use of custom proxy tools in conjunction with SoftEther VPN allows Webworm to cover their tracks and increase stealth.
  • EchoCreep supports file upload/download and command execution via "cmd.exe" capabilities.
  • GraphWorm is a more advanced backdoor that can spawn a new "cmd.exe" session, execute processes, and upload/download files to Microsoft OneDrive.
  • Webworm's deployment of EchoCreep and GraphWorm highlights the growing sophistication of cyber threats.



    Cybersecurity researchers have identified a significant threat to global cybersecurity, as Webworm, a China-aligned threat actor, has been observed deploying custom backdoors that utilize Discord and Microsoft Graph API for command-and-control (C2 or C&C) communications. This latest development marks an expansion of Webworm's arsenal, highlighting the evolving nature of cyber threats in recent years.

    Webworm, first publicly documented by Broadcom-owned Symantec in September 2022, is assessed to be active since at least 2022, targeting government agencies and enterprises spanning IT services, aerospace, and electric power sectors in Russia, Georgia, Mongolia, and several other Asian nations. The threat actor's activities have been linked to the deployment of remote access trojans (RATs) such as Trochilus RAT, Gh0st RAT, and 9002 RAT (aka Hydraq and McRat).

    In a recent discovery, cybersecurity researchers at ESET identified two new backdoors used by Webworm: EchoCreep and GraphWorm. EchoCreep uses Discord for C2 communication, while GraphWorm leverages the Microsoft Graph API for the same purpose. The use of custom proxy tools in conjunction with SoftEther VPN has been observed, allowing the threat actor to better cover their tracks and increase the stealth of their activities.

    EchoCreep supports file upload/download and command execution via "cmd.exe" capabilities, while GraphWorm is a more advanced backdoor that can spawn a new "cmd.exe" session, execute a newly created process, upload and download files to and from Microsoft OneDrive, and stop its own execution after receiving a signal from the operators.
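    Both backdoors hide their C2 traffic inside services that many organizations already allow, which is what makes them hard to block at the perimeter. The hunt below is an added example for defenders, not ESET's analysis code or anything from the Webworm toolset: it assumes per-process network telemetry (from an EDR or a TLS-inspecting proxy) exported as whitespace-separated lines, and flags processes that are not expected clients of the Discord API or the Microsoft Graph API. The hostnames, the allowlist of expected client processes and the telemetry lines are assumptions or constructed data for this example.

```python
"""Hunt for unexpected processes using Discord or Microsoft Graph as a C2 channel.

Added example, not ESET's or Webworm's code. Assumes telemetry lines of the form:
    <timestamp> <endpoint> <process> <destination_host> <url_path>
Hostnames, the allowlist and the sample lines are assumptions / constructed data.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Services the article reports as C2 transports for the two backdoors.
C2_CAPABLE_HOSTS = {
    "discord.com": "Discord API, used as C2 by EchoCreep",
    "graph.microsoft.com": "Microsoft Graph API, used as C2 by GraphWorm (OneDrive transfer)",
}

# Processes expected to talk to each service on a managed workstation.
# Assumed allowlist; anything outside it deserves a closer look.
EXPECTED_CLIENTS = {
    "discord.com": {"chrome.exe", "msedge.exe", "firefox.exe", "discord.exe"},
    "graph.microsoft.com": {"chrome.exe", "msedge.exe", "firefox.exe",
                            "outlook.exe", "ms-teams.exe", "onedrive.exe"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<endpoint>\S+)\s+(?P<proc>\S+)\s+(?P<dst>\S+)\s+(?P<path>\S+)$"
)

# Constructed telemetry: one workstation where a non-browser process polls a
# Discord channel (channel id is a placeholder), another where rundll32 pushes
# a file to OneDrive through Graph, plus benign traffic and a malformed line.
SAMPLE_TELEMETRY = """\
2026-05-20T08:01:02Z WS-0142 msedge.exe graph.microsoft.com /v1.0/me/drive/root/children
2026-05-20T08:01:05Z WS-0142 svchost.exe discord.com /api/v10/channels/000000000000000000/messages
2026-05-20T08:01:09Z WS-0142 svchost.exe discord.com /api/v10/channels/000000000000000000/messages
2026-05-20T08:02:11Z WS-0077 rundll32.exe graph.microsoft.com /v1.0/me/drive/root:/reports/out.bin:/content
2026-05-20T08:03:00Z WS-0077 ms-teams.exe graph.microsoft.com /v1.0/me/chats
2026-05-20T08:04:00Z WS-0009 chrome.exe discord.com /api/v10/users/@me
this line is malformed
"""


@dataclass(frozen=True, order=True)
class Alert:
    endpoint: str
    process: str
    destination: str
    reason: str
    hits: int


def parse_line(line):
    """Return the parsed fields as a dict, or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def hunt(lines):
    """Flag (endpoint, process, destination) triples where a process outside the
    allowlist contacts a C2-capable API. Returns alerts sorted for stable output."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        dst = rec["dst"].lower()
        proc = rec["proc"].lower()
        if dst not in C2_CAPABLE_HOSTS or proc in EXPECTED_CLIENTS[dst]:
            continue
        hits[(rec["endpoint"], proc, dst)] += 1
    return sorted(
        Alert(ep, proc, dst, C2_CAPABLE_HOSTS[dst], n)
        for (ep, proc, dst), n in hits.items()
    )


if __name__ == "__main__":
    for a in hunt(SAMPLE_TELEMETRY.splitlines()):
        print(f"{a.endpoint}: {a.process} -> {a.destination} x{a.hits} ({a.reason})")
```

    The allowlist is deliberately the weak point of this approach: an implant injected into a browser would pass it, so in practice the process check is paired with other signals the article mentions, such as the flagged process spawning "cmd.exe" or uploading files to OneDrive paths the user never touches.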

    The deployment of EchoCreep and GraphWorm by Webworm marks an expansion of their arsenal, even as Trochilus and 9002 RAT appear to have been abandoned by the threat actor. Other tools of note include iox and custom proxy solutions such as WormFrp, ChainWorm, SmuxProxy, and WormSocket. WormFrp has been found to retrieve configurations from a compromised Amazon S3 bucket.

    According to ESET, "These custom proxy tools are not only capable of encrypting communications, but also support chaining across multiple hosts both internally and externally to a network." The threat actor also uses open-source utilities such as dirsearch and nuclei to brute-force file and directory names on victim web servers and to scan them for vulnerabilities.
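    Directory brute-forcing and template scanning of the kind dirsearch and nuclei perform leave a distinctive trace in web server logs: a single client requesting many distinct paths in a short burst, most of them answered with 404. The detector below is an added example for defenders, not ESET's or the tools' own code. It assumes Apache/nginx combined log format; the thresholds, the tool-name patterns matched in the User-Agent, and the sample log lines are assumptions or constructed data, so tune them to the site.

```python
"""Spot directory brute-forcing and template scanning in web server access logs.

Added example, not from ESET or from the tools named in the article.
Assumes combined log format. Thresholds, User-Agent patterns and sample lines
are assumptions or constructed data.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Tool names as the article gives them. A User-Agent match is a weak signal
# (trivially changed by the operator), so it only supplements the behavioural check.
TOOL_UA_PATTERNS = ("dirsearch", "nuclei")


def parse_log_line(line):
    """Parse one combined-format line; None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def max_requests_in_window(times, window_seconds):
    """Largest number of requests from one client inside any sliding window."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_scanners(lines, window_seconds=60, min_requests=20, min_404_ratio=0.8):
    """Return {client_ip: metrics} for clients that look like path brute-forcers
    (burst of requests, mostly 404) or that advertise a scanner User-Agent."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_log_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in per_ip.items():
        burst = max_requests_in_window([r["ts"] for r in recs], window_seconds)
        ratio_404 = sum(1 for r in recs if r["status"] == 404) / len(recs)
        distinct = len({r["path"] for r in recs})
        tool_ua = any(p in r["ua"].lower() for r in recs for p in TOOL_UA_PATTERNS)
        if (burst >= min_requests and ratio_404 >= min_404_ratio) or tool_ua:
            findings[ip] = {"burst": burst, "ratio_404": round(ratio_404, 2),
                            "distinct_paths": distinct, "tool_ua": tool_ua}
    return findings


def constructed_log():
    """Construct sample lines: a path brute-forcer (TEST-NET address), a client
    with a scanner User-Agent, and a normal visitor. All data is made up."""
    ua = "Mozilla/5.0 (constructed)"
    words = ["admin", "backup", "config", "old", "test", "tmp",
             "upload", "api", "dev", "db", "login", "wp-admin"]
    lines, sec = [], 0
    for w in words:
        for path in (f"/{w}/", f"/{w}.zip"):
            lines.append(f'203.0.113.7 - - [20/May/2026:08:10:{sec:02d} +0000] '
                         f'"GET {path} HTTP/1.1" 404 153 "-" "{ua}"')
            sec += 1
    lines.append('203.0.113.9 - - [20/May/2026:08:11:00 +0000] "GET / HTTP/1.1" '
                 '200 512 "-" "nuclei-scanner (constructed)"')
    visits = [("/", 200), ("/about", 200), ("/static/app.js", 200), ("/favicon.ico", 404)]
    for sec, (path, status) in enumerate(visits):
        lines.append(f'198.51.100.23 - - [20/May/2026:08:12:{sec:02d} +0000] '
                     f'"GET {path} HTTP/1.1" {status} 2048 "-" "{ua}"')
    return lines


if __name__ == "__main__":
    for ip, metrics in detect_scanners(constructed_log()).items():
        print(ip, metrics)
```

    The burst-plus-404-ratio rule is the part worth keeping even when the User-Agent pattern never fires; a normal visitor who mistypes one URL produces a 404 ratio nowhere near the threshold, while an enumeration wordlist produces almost nothing else.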

    The disclosure comes as Cisco Talos shed light on a BadIIS variant that is likely sold or shared among multiple Chinese-speaking cybercrime groups under a malware-as-a-service (MaaS) model designed for continuous monetization. The offering is believed to have been under development since at least September 30, 2021.

    The same malware author, who operates under the alias "lwxat," has also made available a set of supplementary tools, including service-based installers, droppers, and persistence mechanisms that automate deployment, ensure survivability across IIS server restarts, and sidestep detection. The service offers a dedicated builder tool that allows threat actors to generate configuration files, customize payloads, and inject parameters into BadIIS binaries - enabling capabilities such as traffic redirection to illicit sites, reverse proxying for search engine crawler manipulation, content hijacking, and backlink injection for malicious search engine optimization (SEO) fraud.

    The emergence of Webworm's custom backdoors highlights the growing sophistication of cyber threats in recent years. As cybersecurity researchers continue to monitor the threat landscape, it is essential to stay informed about emerging threats and their tactics, techniques, and procedures (TTPs). The deployment of EchoCreep and GraphWorm by Webworm serves as a reminder that the threat actor's arsenal continues to expand, and it is crucial for organizations to remain vigilant in defending against these threats.

    Summary:

    Webworm, a China-aligned threat actor, has been observed deploying custom backdoors utilizing Discord and Microsoft Graph API for command-and-control (C2 or C&C) communications. EchoCreep and GraphWorm are two new backdoors used by the threat actor, which demonstrate an expansion of their arsenal. The deployment of these backdoors highlights the growing sophistication of cyber threats in recent years, emphasizing the importance of staying informed about emerging threats and their TTPs.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Webworms-Sophisticated-Malware-Deployment-A-Growing-Threat-to-Global-Cybersecurity-ehn.shtml

  • https://thehackernews.com/2026/05/webworm-deploys-echocreep-and-graphworm.html


  • Published: Wed May 20 08:41:44 2026 by llama3.2 3B Q4_K_M
