Webworm, a China-aligned threat actor, has been observed deploying new backdoors in 2025 that use Discord and the Microsoft Graph API for command-and-control (C2). This is a notable shift in tradecraft: instead of running its own C2 infrastructure, the group now rides on legitimate cloud services whose traffic blends in with normal enterprise use. First documented in 2022, Webworm has targeted government agencies and enterprises in sectors including IT services, aerospace, and electric power, across multiple countries.
What makes this discovery particularly interesting is the use of a GitHub repository posing as a WordPress fork as a staging ground for malware and tools. Combined with SoftEther VPN for tunneled access into victim networks, this is a well-worn playbook shared by several Chinese hacking groups. The group also relies on open-source utilities: dirsearch for directory brute-forcing of victim web servers and nuclei for template-driven vulnerability scanning. Much of the intrusion chain therefore runs on commodity tooling, which is cheap for the operators and makes attribution by tooling alone unreliable.
The backdoors in question are EchoCreep and GraphWorm. EchoCreep supports file upload and download and executes operator commands through 'cmd.exe'. GraphWorm is the more capable of the two: it can spawn a new 'cmd.exe' session, create and execute a new process, upload files to and download files from Microsoft OneDrive, and terminate itself on a signal from the operators. Because both hand commands to 'cmd.exe', an unusual parent process spawning 'cmd.exe' is the endpoint-side signal to watch for, independent of the C2 channel. The discovery of these backdoors marks an expansion of Webworm's arsenal, even as some of its earlier tools, such as Trochilus and the 9002 RAT, appear to have been abandoned.
Using Discord and the Microsoft Graph API for C2 is a significant development because both channels are stealthy and flexible: the traffic is TLS to domains most organizations already allow, so network blocklists and reputation feeds do little, and detection has to rest on which process is talking, how often, and to which API endpoints. Analysis of the Discord channel used by EchoCreep shows the earliest commands were sent on March 21, 2024, so the channel had been in use for a long time before discovery. The volume of traffic in the channel (433 messages) further underscores the scale and persistence of Webworm's operations.
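The detection problem described above, as an added example that is not part of the original report: the script below runs over constructed endpoint network telemetry and flags two things, a non-allowlisted process hitting the Discord message or webhook endpoints or OneDrive via Graph, and a process polling those endpoints at a near-constant interval. The `key=value` log format, the process allowlists, the sample lines, and the thresholds are all assumptions for illustration, not indicators from the Webworm research.

```python
"""Hunt for C2 that rides on Discord or the Microsoft Graph API using endpoint
network telemetry. Added example: log format, allowlists and thresholds are
assumptions, not Webworm indicators."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Clients expected to reach each service on a managed workstation (assumption; tune per fleet).
EXPECTED_CLIENTS = {
    "discord.com": {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
    "graph.microsoft.com": {"onedrive.exe", "outlook.exe", "ms-teams.exe", "teams.exe",
                            "winword.exe", "excel.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
}

# API paths a backdoor needs: channel message polling/posting and webhooks on Discord,
# OneDrive file access via Graph. Other paths on the same hosts are ignored.
C2_PATHS = {
    "discord.com": re.compile(r"^/api/(?:v\d+/)?(?:channels/\d+/messages|webhooks/)"),
    "graph.microsoft.com": re.compile(r"^/(?:v1\.0|beta)/(?:me/drive|users/[^/]+/drive|drives/)"),
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Parse one 'key=value' telemetry line (assumed EDR export format) into a dict."""
    ev = dict(KV_RE.findall(line))
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    ev["proc"] = ev.get("proc", "").lower()
    ev["dst"] = ev.get("dst", "").lower()
    return ev


def flag_unexpected_client(ev):
    """Return a reason string if a non-allowlisted process hits a C2-relevant endpoint."""
    pattern = C2_PATHS.get(ev["dst"])
    if pattern is None or not pattern.search(ev.get("path", "")):
        return None
    if ev["proc"] in EXPECTED_CLIENTS[ev["dst"]]:
        return None
    return f"{ev['proc']} -> {ev['dst']}{ev['path']} (unexpected client)"


def flag_beaconing(events, min_polls=4, max_jitter=0.2):
    """Group C2-endpoint hits by host/process/destination and flag near-constant polling.
    Jitter is stdev/mean of the gaps between hits; a scripted poll loop has very little."""
    groups = defaultdict(list)
    for ev in events:
        pattern = C2_PATHS.get(ev["dst"])
        if pattern and pattern.search(ev.get("path", "")):
            groups[(ev["host"], ev["proc"], ev["dst"])].append(ev["ts"])
    hits = []
    for key, stamps in groups.items():
        stamps.sort()
        if len(stamps) < min_polls:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else 0.0
        if jitter <= max_jitter:
            hits.append((key, round(mean, 1), len(stamps)))
    return hits


# Constructed sample: a benign browser session, a process named svchost.exe polling a
# Discord channel every 60 s, and an unknown binary pulling a file from OneDrive via Graph.
SAMPLE = """\
ts=2025-06-01T09:00:00Z host=WS01 proc=chrome.exe dst=discord.com path=/api/v9/channels/11/messages
ts=2025-06-01T09:00:05Z host=WS01 proc=chrome.exe dst=discord.com path=/api/v9/users/@me
ts=2025-06-01T09:01:00Z host=WS07 proc=svchost.exe dst=discord.com path=/api/v10/channels/42/messages
ts=2025-06-01T09:02:00Z host=WS07 proc=svchost.exe dst=discord.com path=/api/v10/channels/42/messages
ts=2025-06-01T09:03:00Z host=WS07 proc=svchost.exe dst=discord.com path=/api/v10/channels/42/messages
ts=2025-06-01T09:04:00Z host=WS07 proc=svchost.exe dst=discord.com path=/api/v10/channels/42/messages
ts=2025-06-01T09:05:00Z host=WS07 proc=svchost.exe dst=discord.com path=/api/v10/channels/42/messages
ts=2025-06-01T09:10:00Z host=WS03 proc=update.exe dst=graph.microsoft.com path=/v1.0/me/drive/root:/tasks.bin:/content
ts=2025-06-01T09:11:00Z host=WS03 proc=onedrive.exe dst=graph.microsoft.com path=/v1.0/me/drive/root/children
"""


def run(sample=SAMPLE):
    """Return (unexpected-client findings, beaconing findings) for the sample telemetry."""
    events = [parse_event(l) for l in sample.splitlines() if l.strip()]
    unexpected = [r for r in (flag_unexpected_client(e) for e in events) if r]
    return unexpected, flag_beaconing(events)


if __name__ == "__main__":
    unexpected, beacons = run()
    for reason in unexpected:
        print("unexpected:", reason)
    for key, mean, count in beacons:
        print("beaconing:", key, f"every ~{mean}s, {count} polls")
```

The allowlist check catches the obvious case (a system-looking binary talking to a chat API), while the interval check catches an implant that has been renamed to something plausible, since a browser does not poll one channel at a fixed cadence. Both checks depend on process attribution, so they need endpoint or proxy logs that record the initiating process, not flow data alone.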
The disclosure comes as Cisco Talos shed light on a BadIIS variant sold or shared among multiple Chinese-speaking cybercrime groups under a malware-as-a-service (MaaS) model. Taken together, the two reports show how freely tools and techniques circulate among these actors, whether through open-source utilities, shared staging infrastructure, or outright sale.
In conclusion, the emergence of Webworm's new backdoors, EchoCreep and GraphWorm, shows the group's willingness to retool around services that defenders already trust. The practical takeaway for defenders is that allowing Discord or Microsoft Graph at the network edge is not the same as allowing any process to use them: outbound API calls to collaboration and cloud storage services should be tied back to the process and account making them, and unexpected pairings treated as a lead worth chasing.