Researchers detail how the China‑aligned Webworm group has added two custom backdoors—EchoCreep, which talks over Discord, and GraphWorm, which uses the Microsoft Graph API—to its toolkit. The article explains the technical design, delivery chain, and mitigation steps for defenders.
Webworm’s newest backdoors: Discord‑based EchoCreep and Graph API‑driven GraphWorm
The cyber‑crime landscape saw a notable shift in early 2025 when the China‑aligned threat actor Webworm began deploying two custom backdoors that hide their command‑and‑control (C2) traffic inside services most organizations already trust. The first, EchoCreep, routes commands through a public Discord channel, while the second, GraphWorm, talks to the Microsoft Graph API and stores payloads on the attacker’s OneDrive account. Both tools extend a long‑running pattern of using legitimate cloud platforms to evade network detection.

Why the move matters
ESET senior researcher Eric Howard notes that “the group has been transitioning from traditional RATs to semi‑legitimate utilities that blend in with normal traffic.” By piggybacking on Discord’s WebSocket connections and Microsoft’s Graph endpoints, the backdoors inherit the same encryption, rate‑limiting, and authentication mechanisms that corporate firewalls typically allow.
- Discord: traffic appears as normal HTTPS to discord.com, a domain rarely blocked in enterprise environments. EchoCreep embeds commands in Discord messages and reads responses from the same channel, making it difficult for IDS/IPS solutions that rely on signature‑based detection.
- Microsoft Graph API: GraphWorm uses OAuth 2.0 tokens to authenticate against the victim’s Azure AD tenant, then interacts with OneDrive files as if a legitimate user were uploading or downloading data. The backdoor can also spawn a new cmd.exe session on the compromised host, execute arbitrary processes, and self‑terminate on a specific signal.
Technical walk‑through
1. Staging infrastructure
Webworm’s infrastructure starts with a GitHub repository masquerading as a WordPress fork (github.com/anjsdgasdf/WordPress). The repo hosts:
- SoftEther VPN binaries for establishing a persistent tunnel.
- Custom proxy tools such as WormFrp, ChainWorm, and SmuxProxy.
- Build scripts that compile EchoCreep and GraphWorm with attacker‑controlled configuration values (Discord channel ID, Graph API client ID, etc.).
The use of SoftEther is intentional; the VPN runs over TCP port 443, further blending with legitimate HTTPS traffic.
2. Initial access
While the exact initial vector remains unclear, ESET observed the group leveraging open‑source scanners dirsearch and nuclei to enumerate web‑server directories and probe for vulnerable components (e.g., outdated PHP, exposed .env files). Successful findings lead to credential‑stuffing attacks against admin panels, after which the attacker uploads the SoftEther client and a small bootstrap script.
3. Deployment of EchoCreep
- The bootstrap script downloads the EchoCreep binary from the compromised S3 bucket referenced in the GitHub repo.
- EchoCreep reads a hard‑coded Discord bot token and joins a pre‑registered channel.
- Commands are encoded in base64 and posted as regular chat messages. The backdoor polls the channel every 30 seconds, decodes any new messages, and executes them via cmd.exe.
- File upload/download is achieved by sending the file contents as a base64 string in a Discord attachment; the backdoor writes the payload to disk before execution.
"The earliest Discord messages we captured date back to March 21 2024, showing a steady stream of commands for credential dumping and lateral movement," says ESET analyst Mia Chen.
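The fixed 30‑second polling interval is something a defender can detect without decrypting anything. The following is an added example, not code from ESET or from the Webworm toolkit: it reads constructed web‑proxy log lines (the line format, host names and field order are assumptions) and flags client/destination pairs whose request intervals are too regular to be interactive browsing.

```python
"""Periodic-beacon detector for web-proxy logs (added example, not from the
ESET report). EchoCreep polls its Discord channel every 30 seconds, so a host
running it produces near-constant gaps between requests to discord.com.
The log format and field names below are constructed for this example."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines: "<ISO timestamp> <client> <destination host> <bytes>".
# ws-17 beacons every ~30 s; ws-22 is a person using Discord; ws-09 is one Graph call.
SAMPLE_PROXY_LOG = """\
2025-02-03T09:00:00 ws-17 discord.com 512
2025-02-03T09:00:30 ws-17 discord.com 498
2025-02-03T09:01:00 ws-17 discord.com 503
2025-02-03T09:01:31 ws-17 discord.com 510
2025-02-03T09:02:00 ws-17 discord.com 505
2025-02-03T09:02:30 ws-17 discord.com 499
2025-02-03T09:03:00 ws-17 discord.com 512
2025-02-03T09:00:05 ws-22 discord.com 2048
2025-02-03T09:07:41 ws-22 discord.com 1810
2025-02-03T09:25:12 ws-22 discord.com 3400
2025-02-03T09:26:03 ws-22 discord.com 905
2025-02-03T09:44:50 ws-22 discord.com 1200
2025-02-03T09:45:01 ws-22 discord.com 2210
2025-02-03T09:58:33 ws-22 discord.com 777
2025-02-03T09:00:10 ws-09 graph.microsoft.com 640
"""

# Destinations the article names as C2 carriers; extend for your own estate.
WATCHED_HOSTS = {"discord.com", "graph.microsoft.com"}


def parse_log(text):
    """Yield (timestamp, client, dest) for each line that hits a watched host."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, _size = line.split()
        if dest in WATCHED_HOSTS:
            yield datetime.fromisoformat(ts), client, dest


def find_beacons(text, min_requests=5, max_jitter=0.15):
    """Return {(client, dest): median_gap_seconds} for request series whose
    inter-request gaps are nearly constant. max_jitter is the largest allowed
    ratio of standard deviation to median gap; human browsing is far above it."""
    series = defaultdict(list)
    for ts, client, dest in parse_log(text):
        series[(client, dest)].append(ts)

    beacons = {}
    for key, times in series.items():
        if len(times) < min_requests:
            continue  # too few points to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        if median == 0:
            continue  # bursts with identical timestamps are a different signal
        jitter = statistics.pstdev(gaps) / median
        if jitter <= max_jitter:
            beacons[key] = median
    return beacons


if __name__ == "__main__":
    for (client, dest), gap in find_beacons(SAMPLE_PROXY_LOG).items():
        print(f"{client} -> {dest}: regular polling every ~{gap:.0f}s")
```

On the constructed input only ws‑17 is reported (median gap 30 s, jitter about 2 %); the human‑driven ws‑22 series has gaps ranging from 11 s to over 1,000 s and is ignored. In production the same logic runs per day over proxy or NetFlow data, and the threshold is what you tune, since some legitimate clients also poll on fixed timers.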
4. Deployment of GraphWorm
- After EchoCreep establishes a foothold, it registers a new Azure AD application (client ID/secret stored on the attacker’s server).
- Using the victim’s refresh token, GraphWorm obtains an access token for the Microsoft Graph API.
- The backdoor creates a hidden folder in the victim’s OneDrive, uploading a PowerShell script that spawns a new cmd.exe session.
- Execution flow mirrors EchoCreep, but all command traffic travels as Graph API calls (/me/drive/items/.../content). Because the API responses are JSON, they blend with normal OneDrive activity logs.
- A special “stop” flag uploaded to the same folder tells GraphWorm to terminate itself, allowing the operators to clean up without leaving obvious artifacts.
Overlap with other China‑aligned groups
Webworm’s activity intersects with clusters tracked as FishMonger (Aquatic Panda), SixLittleMonkeys, and Space Pirates. All of these groups have been observed re‑using SoftEther VPN and custom proxy tools. The shift toward “legitimate‑looking” utilities mirrors a broader trend where threat actors favor proxy‑chains and VPN‑backed tunnels to hide C2 traffic.
Defense recommendations
| Area | Action | Why it helps |
|---|---|---|
| Network monitoring | Deploy TLS‑inspection for outbound traffic to discord.com and graph.microsoft.com. Look for anomalous WebSocket connections or Graph API calls from non‑interactive accounts. | Allows visibility into encrypted payloads that would otherwise be opaque. |
| Identity hygiene | Enforce least‑privilege Azure AD app registrations. Require MFA for any app that requests Files.ReadWrite.All or User.ReadWrite.All scopes. | Reduces the attack surface for GraphWorm’s token abuse. |
| Endpoint detection | Add YARA rules that flag binaries with hard‑coded Discord tokens or Graph API client IDs. Monitor processes that spawn cmd.exe from unusual parent processes (e.g., softether.exe). | Provides early warning when the backdoor is executed. |
| Cloud configuration | Enable Azure AD sign‑in risk policies, and set conditional access to block sign‑ins from unfamiliar locations for service accounts. | Limits the ability of attackers to obtain valid OAuth tokens. |
| Threat hunting | Search for Discord message IDs or OneDrive file hashes associated with known samples (e.g., SHA256 d4c3…). Review S3 bucket access logs for unexpected downloads. | Correlates indicators of compromise across multiple stages of the attack chain. |
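Two of the table’s checks, the endpoint one (cmd.exe spawned from an unusual parent) and the identity one (non‑interactive Graph activity by an app holding Files.ReadWrite.All or User.ReadWrite.All), can be expressed as simple rules over telemetry. The code below is an added example and is not from ESET or any vendor; the event records are constructed, and their field names, the parent‑process allowlist and the known‑service‑app list are assumptions to be replaced with your own Sysmon and Entra ID (Azure AD) schema and baseline.

```python
"""Two checks from the defense table, written as an added example that is not
code from ESET or any vendor: (1) cmd.exe started by an unexpected parent
process, and (2) non-interactive Microsoft Graph activity by an app holding a
broad scope. The records are constructed and their field names are assumptions,
not the exact Sysmon or Entra ID (Azure AD) log schema."""
import ntpath

# Constructed process-creation events (Sysmon Event ID 1 style, simplified).
PROCESS_EVENTS = [
    {"host": "ws-17", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\SoftEther\softether.exe"},
    {"host": "ws-17", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"host": "ws-22", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"host": "ws-22", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft VS Code\Code.exe"},
    {"host": "ws-22", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

# Parents that legitimately launch cmd.exe on this estate (assumption; tune per site).
EXPECTED_CMD_PARENTS = {"explorer.exe", "code.exe", "powershell.exe", "windowsterminal.exe"}
# Parent the article singles out: VPN/proxy tooling has no reason to launch a shell.
SUSPECT_CMD_PARENTS = {"softether.exe"}


def flag_cmd_parents(events):
    """Return (host, parent_basename, severity) for every cmd.exe launch whose
    parent is not on the expected list. Known VPN/proxy parents are 'high';
    any other unexpected parent is 'review'."""
    findings = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "cmd.exe":
            continue
        parent = ntpath.basename(e["parent_image"]).lower()  # ntpath handles Windows paths on any OS
        if parent in EXPECTED_CMD_PARENTS:
            continue
        severity = "high" if parent in SUSPECT_CMD_PARENTS else "review"
        findings.append((e["host"], parent, severity))
    return findings


# Constructed Graph activity records: a sign-in joined with the calling app's
# consented scopes and the resource path it touched.
GRAPH_EVENTS = [
    {"user": "svc-backup@example.com", "interactive": False, "app_id": "app-1111",
     "scopes": ["Files.ReadWrite.All", "offline_access"],
     "resource": "/me/drive/items/ITEMID/content"},
    {"user": "alice@example.com", "interactive": True, "app_id": "app-2222",
     "scopes": ["Files.ReadWrite.All"], "resource": "/me/drive/root/children"},
    {"user": "svc-report@example.com", "interactive": False, "app_id": "app-3333",
     "scopes": ["Files.Read"], "resource": "/me/drive/root/children"},
]

# The two scopes the article says should require MFA and scrutiny.
HIGH_RISK_SCOPES = {"Files.ReadWrite.All", "User.ReadWrite.All"}


def flag_graph_activity(events, known_service_apps=frozenset()):
    """Flag non-interactive Graph calls made by an app that holds a high-risk
    scope and is not on the known-service-app allowlist (allowlist is an assumption)."""
    findings = []
    for e in events:
        risky = HIGH_RISK_SCOPES.intersection(e["scopes"])
        if e["interactive"] or not risky or e["app_id"] in known_service_apps:
            continue
        findings.append((e["user"], e["app_id"], sorted(risky), e["resource"]))
    return findings


if __name__ == "__main__":
    for finding in flag_cmd_parents(PROCESS_EVENTS):
        print("cmd.exe from unexpected parent:", finding)
    for finding in flag_graph_activity(GRAPH_EVENTS):
        print("non-interactive Graph use with broad scope:", finding)
```

The process rule yields two findings on the sample data: a high‑severity one for the SoftEther parent and a lower‑priority one for the binary in a Temp directory. The Graph rule flags only the backup service account, and disappears once that app is added to the allowlist, which is the intended workflow: baseline the apps that legitimately hold broad scopes, then alert on anything new that uses them non‑interactively.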
Takeaway
Webworm’s adoption of Discord and Microsoft Graph API for C2 illustrates how threat actors are increasingly co‑opting everyday collaboration platforms to hide malicious traffic. Organizations that treat these services as “trusted” by default may inadvertently grant attackers a stealthy communication channel. By tightening network visibility, tightening Azure AD permissions, and adding endpoint signatures for the new backdoor binaries, defenders can disrupt the chain before the attackers achieve persistence.
For deeper technical details, see the full ESET analysis (PDF) and Cisco Talos’ BadIIS report linked below.
- ESET blog: Webworm adds EchoCreep and GraphWorm backdoors
- Cisco Talos: BadIIS MaaS platform overview

