# Webworm APT Evolves Tactics with Discord and Microsoft Graph API Backdoors
The China-linked **Webworm** APT group is expanding its arsenal with new custom backdoors leveraging **Discord** and **Microsoft Graph API** for command-and-control. These backdoors, dubbed EchoCreep and GraphWorm, signal a shift towards stealthier tactics and a broader targeting scope.

Cybersecurity researchers have uncovered recent activity from **Webworm**, a threat actor with suspected ties to China, deploying custom backdoors that utilize **Discord** and **Microsoft Graph API** for command-and-control (C2) communications.
### Webworm's History and Evolution
First documented by **Symantec** in September 2022, **Webworm** has been active since at least 2022. The group targets government agencies and enterprises in IT services, aerospace, and electric power sectors across Russia, Georgia, Mongolia, and various other Asian nations.
Historically, **Webworm**'s attacks have involved remote access trojans (RATs) such as Trochilus RAT, Gh0st RAT, and 9002 RAT (aka Hydraq and McRat). Overlap exists between this threat actor and other China-nexus clusters, including FishMonger (aka Aquatic Panda), SixLittleMonkeys, and Space Pirates. SixLittleMonkeys is known for deploying Gh0st RAT and Mikroceen, targeting entities in Central Asia, Russia, Belarus, and Mongolia.
"In recent years, it has started moving toward both existing and custom proxy tools, which are more stealthy than full-fledged backdoors," said **ESET** researcher Eric Howard. "In 2025, Webworm also added two new backdoors to its toolset: EchoCreep, which uses **Discord** for C&C communication, and GraphWorm, which uses **Microsoft Graph API** for the same purpose."
### New Backdoors: EchoCreep and GraphWorm
**Webworm** uses a **GitHub** repository impersonating a **WordPress** fork ("github[.]com/anjsdgasdf/WordPress") as a staging ground for malware and tools like SoftEther VPN. This tactic aims to blend in and evade detection. The use of SoftEther VPN is a common approach among several Chinese hacking groups.

In the past two years, the adversary has shifted from traditional backdoors to semi-legitimate utilities like SOCKS proxies, with increasing focus on European countries, including governmental organizations in Belgium, Italy, Serbia, Poland, and Spain, and a local university in South Africa.
The discovery of EchoCreep and GraphWorm highlights the evolution of **Webworm**'s toolset. While Trochilus and 9002 RAT appear to have been abandoned, other tools of note include iox and custom proxy solutions like WormFrp, ChainWorm, SmuxProxy, and WormSocket. WormFrp retrieves configurations from a compromised **Amazon S3** bucket.
**ESET** notes that these custom proxy tools encrypt communications and support chaining across multiple hosts, both internally and externally. Operators likely use these tools with SoftEther VPN to conceal their activities.
EchoCreep supports file upload/download and command execution via "cmd.exe," while GraphWorm is a more advanced backdoor capable of spawning new "cmd.exe" sessions, executing new processes, uploading/downloading files to/from **Microsoft OneDrive**, and terminating itself upon receiving a signal.

Analysis of the **Discord** channel used by EchoCreep for C2 reveals commands dating back to March 21, 2024, with a total of 433 **Discord** messages sent via the C2 server.
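The report's core defensive point is that EchoCreep and GraphWorm hide C2 and file transfer inside traffic to legitimate cloud services (Discord, Microsoft Graph API, OneDrive), so the destination alone is not suspicious; what stands out is which process on which host is talking to those services. The following Python is an added illustration of that hunting logic, written for this article and not code from ESET or from the Webworm analysis. The proxy log format, the host and process names, and the allowlist of processes expected to reach each service are all constructed assumptions for the example; a real deployment would use the organization's own proxy or EDR telemetry and its own allowlist.

```python
import re
from collections import Counter

# Constructed sample proxy log lines (not real telemetry). Each line records a
# workstation/server, the process that opened the connection, and the destination.
SAMPLE_PROXY_LOG = """\
2024-03-21T09:00:01Z host=WS-101 proc=msedge.exe dst=discord.com method=GET
2024-03-21T09:00:05Z host=WS-101 proc=Discord.exe dst=discord.com method=POST
2024-03-21T09:01:10Z host=SRV-APP3 proc=updatehelper.exe dst=discord.com method=POST
2024-03-21T09:01:12Z host=SRV-APP3 proc=updatehelper.exe dst=discord.com method=GET
2024-03-21T09:02:30Z host=WS-102 proc=OUTLOOK.EXE dst=graph.microsoft.com method=GET
2024-03-21T09:03:00Z host=SRV-DB1 proc=winsys.exe dst=graph.microsoft.com method=GET
2024-03-21T09:03:07Z host=SRV-DB1 proc=winsys.exe dst=graph.microsoft.com method=PUT
2024-03-21T09:04:00Z host=WS-103 proc=chrome.exe dst=example.org method=GET
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) method=(?P<method>\S+)$"
)

# Services the report describes as abused for C2 and file transfer.
C2_CAPABLE_DOMAINS = {"discord.com", "discordapp.com", "graph.microsoft.com"}

# Assumed per-environment allowlist: processes that legitimately talk to each service.
# Anything else reaching these domains is worth a look, especially on servers.
EXPECTED_PROCS = {
    "discord.com": {"discord.exe", "msedge.exe", "chrome.exe", "firefox.exe"},
    "discordapp.com": {"discord.exe", "msedge.exe", "chrome.exe", "firefox.exe"},
    "graph.microsoft.com": {
        "outlook.exe", "teams.exe", "ms-teams.exe", "onedrive.exe",
        "msedge.exe", "chrome.exe",
    },
}


def parse_proxy_log(text):
    """Parse the constructed key=value log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_unexpected_cloud_c2(events):
    """Count connections to C2-capable cloud services from processes not on the allowlist.

    Returns a Counter keyed by (host, process, destination), so an analyst can see
    both the offending process and how chatty it is (EchoCreep's channel held 433
    messages over its lifetime, so volume is a useful secondary signal).
    """
    hits = Counter()
    for e in events:
        dst = e["dst"].lower()
        if dst not in C2_CAPABLE_DOMAINS:
            continue
        if e["proc"].lower() in EXPECTED_PROCS.get(dst, set()):
            continue
        hits[(e["host"], e["proc"], dst)] += 1
    return hits


if __name__ == "__main__":
    for (host, proc, dst), n in find_unexpected_cloud_c2(parse_proxy_log(SAMPLE_PROXY_LOG)).items():
        print(f"{host}: {proc} -> {dst} ({n} connections)")
```

The allowlist approach is deliberately simple: it will not catch a backdoor that injects into an allowlisted browser process, so it should be paired with process-lineage and signing checks from EDR data rather than used alone.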
### Initial Access and Vulnerability Scanning
The initial access pathway used by **Webworm** remains unknown. However, the attacker uses open-source utilities like dirsearch and nuclei to brute-force victim web server files and directories and search for vulnerabilities.
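Directory brute-forcing with tools like dirsearch and nuclei leaves a characteristic footprint in web server access logs: one source requests many distinct paths in a short time and most of them return 404. The Python below is an added example of flagging that pattern, written for this article and not part of ESET's or the tools' own code. The Apache combined-format log lines, the IP addresses, and the thresholds (at least five requests with at least 60% not-found responses) are constructed assumptions; tune the thresholds to the site's normal 404 rate before relying on them.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format access log lines (not real traffic).
# 198.51.100.9 walks a wordlist of common paths; 203.0.113.7 is an ordinary visitor.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [21/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Mar/2024:10:00:02 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.9 - - [21/Mar/2024:10:00:02 +0000] "GET /.git/HEAD HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.9 - - [21/Mar/2024:10:00:03 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.9 - - [21/Mar/2024:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.9 - - [21/Mar/2024:10:00:04 +0000] "GET /config.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.9 - - [21/Mar/2024:10:00:04 +0000] "GET /robots.txt HTTP/1.1" 200 48 "-" "python-requests/2.31"
203.0.113.7 - - [21/Mar/2024:10:00:05 +0000] "GET /about.html HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Mar/2024:10:00:06 +0000] "GET /missing.png HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_access_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_scanners(events, min_requests=5, min_404_ratio=0.6):
    """Flag source IPs that request many distinct paths with mostly 404 responses.

    The not-found ratio is the primary signal: a human visitor following links
    rarely produces a majority of 404s, while a wordlist scanner almost always does.
    User-Agent strings are not used because scanners can set any value.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        if len(evs) < min_requests:
            continue
        distinct_paths = {e["path"] for e in evs}
        not_found = sum(1 for e in evs if e["status"] == "404")
        ratio = not_found / len(evs)
        if len(distinct_paths) >= min_requests and ratio >= min_404_ratio:
            flagged[ip] = {
                "requests": len(evs),
                "distinct_paths": len(distinct_paths),
                "not_found_ratio": round(ratio, 2),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_scanners(parse_access_log(SAMPLE_ACCESS_LOG)).items():
        print(f"{ip}: {stats}")
```

On a busy site the same logic should be windowed by time (for example, per five-minute bucket per IP) rather than run over a whole day, otherwise a legitimate crawler's occasional 404s and a scanner's burst get averaged together.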
### BadIIS Malware-as-a-Service
This disclosure coincides with **Cisco Talos**'s report on a BadIIS variant, likely shared or sold among Chinese-speaking cybercrime groups under a malware-as-a-service (MaaS) model. This offering, under development since at least September 30, 2021, allows for continuous monetization.
The malware author, known as "lwxat," provides supplementary tools, including service-based installers, droppers, and persistence mechanisms, to automate deployment, ensure survivability across IIS server restarts, and evade detection.
The service features a builder tool that allows threat actors to generate configuration files, customize payloads, and inject parameters into BadIIS binaries, enabling traffic redirection, reverse proxying, content hijacking, and backlink injection for malicious SEO fraud, according to **Talos** researcher Joey Chen.