Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API

Cybersecurity researchers have identified new 2025 activity from the China-aligned threat actor Webworm, which is deploying sophisticated backdoors that leverage Discord and Microsoft Graph API for stealthy communications.

Key Points

  • Webworm is utilizing two new custom backdoors, EchoCreep and GraphWorm, to facilitate command-and-control operations.
  • The group targets government agencies and critical infrastructure sectors, including aerospace and electric power, across Asia and Europe.
  • Attackers are increasingly shifting toward stealthy proxy tools like WormFrp and SoftEther VPN to evade detection within compromised networks.
  • Malicious activity has been observed using a GitHub repository impersonating a WordPress fork to stage malware and various hacking utilities.
  • Researchers noted that EchoCreep has sent over 400 commands to more than 50 unique targets since March 2024.

Why it Matters

The shift toward using legitimate cloud services like Discord and Microsoft OneDrive for command-and-control makes it significantly harder for security teams to distinguish malicious traffic from normal business operations. This evolution in tradecraft highlights a growing trend of state-aligned actors adopting stealthy, semi-legitimate tools to maintain long-term persistence within sensitive government and enterprise environments.
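Because the abused endpoints are the same ones legitimate Office and Discord clients talk to, blocking by domain is not an option; a more useful first check is which process on which host is generating the traffic. The following is an added example (not code from the original article or from the referenced research): a small hunting rule over an assumed process-aware proxy/EDR export that flags egress to Discord or Microsoft Graph API from processes that have no normal reason to call them, and counts repeated hits per host/process pair. The log format, the process allowlist and the sample log lines are constructed for illustration.

```python
"""
Added example, not part of the original article: flag process-level egress to
Discord and Microsoft Graph API endpoints from unexpected processes.
Assumptions (not from the article): the log format below, the process
allowlist, and the sample lines, which are constructed.
"""
import re
from collections import Counter

# Legitimate SaaS endpoints the article reports being used as C2 channels.
WATCHED_DOMAINS = {
    "discord.com": "discord",
    "discordapp.com": "discord",
    "graph.microsoft.com": "ms-graph",
}

# Assumed allowlist of processes expected to reach each service on a managed
# workstation. Tune to your own environment; illustrative only.
EXPECTED_PROCESSES = {
    "discord": {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
    "ms-graph": {"outlook.exe", "teams.exe", "onedrive.exe",
                 "msedge.exe", "chrome.exe"},
}

# Assumed export format (one event per line):
#   <ISO-timestamp> host=<name> proc=<image> dst=<domain> bytes_out=<n>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["proc"] = rec["proc"].lower()
    rec["dst"] = rec["dst"].lower()
    rec["bytes"] = int(rec["bytes"])
    return rec


def service_for(domain):
    """Map a destination domain (or any subdomain of it) to a watched service."""
    for watched, svc in WATCHED_DOMAINS.items():
        if domain == watched or domain.endswith("." + watched):
            return svc
    return None


def find_suspicious(lines):
    """Return sorted (host, proc, service, count) tuples for egress to a
    watched service from a process outside the expected set for it."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        svc = service_for(rec["dst"])
        if svc is None:
            continue
        if rec["proc"] not in EXPECTED_PROCESSES[svc]:
            counts[(rec["host"], rec["proc"], svc)] += 1
    return sorted((h, p, s, n) for (h, p, s), n in counts.items())


# Constructed sample events: two benign Graph calls, a browser fetching a
# Discord CDN asset, a regularly repeating Discord call from an unknown binary,
# and a Graph call from rundll32.exe on a file server. Names are made up.
SAMPLE_LOGS = [
    "2025-05-01T08:00:01Z host=ws-101 proc=msedge.exe dst=graph.microsoft.com bytes_out=1843",
    "2025-05-01T08:00:09Z host=ws-101 proc=outlook.exe dst=graph.microsoft.com bytes_out=912",
    "2025-05-01T08:03:15Z host=ws-204 proc=updater.exe dst=discord.com bytes_out=512",
    "2025-05-01T08:08:15Z host=ws-204 proc=updater.exe dst=discord.com bytes_out=498",
    "2025-05-01T08:13:15Z host=ws-204 proc=updater.exe dst=discord.com bytes_out=505",
    "2025-05-01T08:05:40Z host=srv-fs01 proc=rundll32.exe dst=graph.microsoft.com bytes_out=2210",
    "2025-05-01T08:06:00Z host=ws-101 proc=chrome.exe dst=cdn.discordapp.com bytes_out=301",
    "malformed line that should be skipped",
]

if __name__ == "__main__":
    for host, proc, svc, n in find_suspicious(SAMPLE_LOGS):
        print(f"{host}: {proc} -> {svc} ({n} events)")
```

The allowlist approach deliberately produces review items rather than verdicts: a hit means a process that is not expected to use the service did so, which is exactly the signal the article says domain-level monitoring loses. The per-pair count is a cheap stand-in for beaconing analysis; on real data you would also look at the spacing of timestamps and at request sizes.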
Published by info@thehackernews.com (The Hacker News)