Full Report
Cybersecurity researchers have flagged fresh activity from a China-aligned threat actor known as Webworm in 2025, deploying custom backdoors that employ Discord and Microsoft Graph API for command-and-control (C2 or C&C) communications. Webworm, first publicly documented by Broadcom-owned Symantec in September 2022, is assessed to be active since at least 2022, targeting government agencies
Analysis Summary
# Threat Actor: Webworm
## Attribution & Identity
* **Identification:** Webworm is a China-aligned threat actor, first publicly documented by Symantec in September 2022.
* **Aliases & Overlaps:** The group is assessed to have significant overlaps with other China-nexus clusters including:
  * **FishMonger** (aka Aquatic Panda)
  * **SixLittleMonkeys** (known for Mikroceen malware)
  * **Space Pirates**
## Activity Summary
* **2025 Campaign:** Recent activity involves the deployment of custom backdoors (**EchoCreep** and **GraphWorm**) utilizing legitimate cloud services for Command-and-Control (C2).
* **Historical Context:** Active since at least 2022, historically utilizing modified Remote Access Trojans (RATs).
* **Operational Shift:** The actor is currently transitioning toward stealthier custom proxy tools and (semi-)legitimate utilities to evade detection, while expanding its geographic reach from Asia and Russia into Europe and Africa.
## Tactics, Techniques & Procedures
* **C2 via Cloud Services:** Utilizing Discord and Microsoft Graph API (via OneDrive) to blend malicious traffic with legitimate web traffic.
* **Proxy Chaining:** Deployment of custom proxy solutions to encrypt communications and chain across multiple internal and external hosts.
* **Staging:** Use of GitHub repositories impersonating legitimate projects (e.g., WordPress forks) to host malware.
* **Reconnaissance & Brute-force:** Use of open-source tools such as `nuclei` (template-based vulnerability scanning) and `dirsearch` (brute-forcing web server directories) to identify exposed, vulnerable web-facing assets.
* **Living-off-the-Land (LotL):** Heavy reliance on SoftEther VPN and SOCKS proxies to maintain persistence and stealth.
## Targeting
* **Sectors:** Government agencies, IT services, Aerospace, Electric Power, and Education (Universities).
* **Geography:**
  * **Original Focus:** Russia, Georgia, Mongolia, Belarus, and Central Asian nations.
  * **Recent Expansion:** Belgium, Italy, Serbia, Poland, and South Africa.
* **Victims:** Specific mention of a local university in South Africa and governmental organizations across Europe.
## Tools & Infrastructure
* **Custom Backdoors:**
  * **EchoCreep:** Uses Discord for C2; supports file upload/download and command execution.
  * **GraphWorm:** Uses Microsoft Graph API; more advanced capabilities including OneDrive integration and process execution.
* **Proxy/Tunneling Tools:** WormFrp, ChainWorm, SmuxProxy, WormSocket, iox, and SoftEther VPN.
* **Legacy Malware (Phasing Out):** Trochilus RAT, Gh0st RAT, 9002 RAT (Hydraq/McRat), and Mikroceen.
* **Infrastructure:**
  * github[.]com/anjsdgasdf/WordPress (Staging)
  * Compromised Amazon S3 buckets (Configuration retrieval)
  * Discord Channels (C2 infrastructure)
## Implications
Webworm demonstrates a high level of adaptability, shifting from "noisy" traditional RATs to sophisticated, modular proxy tools and legitimate cloud-based C2 channels (Discord/Microsoft). Their expansion into European government sectors indicates a strategic shift in Chinese intelligence requirements. The use of proxy chaining suggests an intent for long-term persistence and lateral movement within highly secured networks.
## Mitigations
* **Cloud Service Monitoring:** Implement rigorous monitoring or restrictions on the use of Discord and Microsoft Graph API within production environments.
* **GitHub/External Staging Alerts:** Monitor for suspicious downloads or connections to unconventional GitHub repositories, particularly those mimicking popular projects.
* **VPN Auditing:** Audit and restrict the installation of unauthorized VPN software like SoftEther and proxy tools (iox, FRP) on endpoints.
* **Vulnerability Management:** Regularly patch web-facing infrastructure to defend against automated scanning tools like `nuclei` used by the actor for initial access.
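The first three mitigations above can be turned into straightforward detection logic over egress proxy logs. The following Python script is an added example written for this summary, not tooling from the report or from any vendor: it flags (1) connections to Discord or Microsoft Graph from processes that would not normally use them, (2) downloads from GitHub repositories whose name matches a well-known project but whose owner is not the canonical one (the staging repository on the page, `anjsdgasdf/WordPress`, is the case it models), and (3) network activity by the VPN/proxy binaries the report lists. The log format, the sample log lines, the process allow-lists and the tool binary names are constructed assumptions for the example and need tuning for a real environment.

```python
"""Detection logic for the cloud-C2, GitHub-staging and VPN/proxy mitigations.

Runs over constructed proxy-log lines of the form:
    <timestamp> <endpoint> <process> <url>
"""
import re
from urllib.parse import urlparse

# Cloud services the report names as C2 channels (Discord, Microsoft Graph),
# mapped to the processes a defender would expect to contact them.
# ASSUMPTION: these allow-lists are illustrative, not an authoritative baseline.
EXPECTED_CLIENTS = {
    "discord.com":         {"chrome.exe", "msedge.exe", "firefox.exe", "discord.exe"},
    "discordapp.com":      {"chrome.exe", "msedge.exe", "firefox.exe", "discord.exe"},
    "graph.microsoft.com": {"chrome.exe", "msedge.exe", "firefox.exe",
                            "outlook.exe", "onedrive.exe", "teams.exe"},
}

# Canonical GitHub owner (lower-cased) of popular projects that staging
# repositories impersonate. WordPress is the case on the page; extend as needed.
CANONICAL_OWNERS = {"wordpress": "wordpress"}

# Binary names of the VPN/proxy tooling the report lists (SoftEther, frp, iox).
# ASSUMPTION: names are the tools' usual Windows executables.
UNAUTHORIZED_TOOLS = {"vpnclient.exe", "vpnserver.exe", "vpnbridge.exe",
                      "frpc.exe", "frps.exe", "iox.exe"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Split one log line into its fields; return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, endpoint, proc, url = m.groups()
    return {"ts": ts, "endpoint": endpoint, "proc": proc.lower(), "url": url}


def matched_service(hostname):
    """Return the monitored service a hostname belongs to (suffix match), or None."""
    for svc in EXPECTED_CLIENTS:
        if hostname == svc or hostname.endswith("." + svc):
            return svc
    return None


def check_line(rec):
    """Apply the three rules to one parsed record; return a list of findings."""
    findings = []
    u = urlparse(rec["url"])
    hostname = (u.hostname or "").lower()

    # Rule 1: monitored cloud service reached by an unexpected process.
    svc = matched_service(hostname)
    if svc and rec["proc"] not in EXPECTED_CLIENTS[svc]:
        findings.append(("cloud_c2", rec["proc"], hostname))

    # Rule 2: GitHub repo named like a popular project but under a different owner.
    if hostname == "github.com":
        parts = [p for p in u.path.split("/") if p]
        if len(parts) >= 2:
            owner = parts[0].lower()
            repo = parts[1].lower().removesuffix(".git")
            canonical = CANONICAL_OWNERS.get(repo)
            if canonical and owner != canonical:
                findings.append(("lookalike_repo", rec["proc"], f"{parts[0]}/{parts[1]}"))

    # Rule 3: known VPN/proxy tooling generating network traffic at all.
    if rec["proc"] in UNAUTHORIZED_TOOLS:
        findings.append(("unauthorized_tool", rec["proc"], hostname))
    return findings


def scan(lines):
    """Parse and check every line; malformed lines are skipped."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec:
            out.extend(check_line(rec))
    return out


# Constructed sample log: endpoint names, timestamps and the 203.0.113.10
# address (RFC 5737 documentation range) are made up for the example.
SAMPLE_LOG = [
    "2025-11-03T09:12:44Z ws-042 winword.exe https://discord.com/api/v10/channels/EXAMPLE_ID/messages",
    "2025-11-03T09:13:01Z ws-042 msedge.exe https://discord.com/channels/@me",
    "2025-11-03T09:15:22Z ws-017 svchost.exe https://graph.microsoft.com/v1.0/me/drive/root/children",
    "2025-11-03T09:16:05Z ws-017 outlook.exe https://graph.microsoft.com/v1.0/me/messages",
    "2025-11-03T09:20:11Z ws-099 powershell.exe https://github.com/anjsdgasdf/WordPress/archive/refs/heads/master.zip",
    "2025-11-03T09:21:30Z ws-099 git.exe https://github.com/WordPress/WordPress.git",
    "2025-11-03T09:25:00Z ws-017 vpnclient.exe https://203.0.113.10:443/",
    "2025-11-03T09:26:00Z ws-017 frpc.exe https://203.0.113.10:7000/",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for rule, proc, target in scan(SAMPLE_LOG):
        print(f"[{rule}] process={proc} target={target}")
```

Of the nine sample lines, the script flags five: two cloud-C2 candidates (Word and svchost talking to Discord and Graph), one look-alike repository download, and two tool-generated connections; the browser, Outlook and canonical WordPress lines pass, and the malformed line is skipped. The owner comparison rather than a plain repo-name match is what keeps legitimate clones of the real project out of the alert stream.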