
Webworm EchoCreep & GraphWorm: Discord and Graph API as Spy Channels
When your SIEM alerts on suspicious C2 traffic, it is looking for connections to known malicious domains, unusual external IPs, or darknet endpoints. It is not built to flag traffic to discord.com or graph.microsoft.com, because those are legitimate services your organization uses every day. That is exactly why Webworm chose them. In 2025, Webworm added two backdoors to its toolset: EchoCreep, which uses Discord for C2 communication, and GraphWorm, which uses the Microsoft Graph API for the same purpose.
Webworm, first publicly documented by Symantec in September 2022, is assessed to have been active since at least 2022, targeting government agencies and enterprises in the IT services, aerospace, and electric power sectors in Russia, Georgia, Mongolia, and several other Asian nations. Over the past two years the group has been observed shifting its focus toward Europe, including governmental organizations in Belgium, Italy, Serbia, Poland, and Spain.
Legitimate-service C2 layered on custom proxy tooling is the playbook that makes Webworm one of the harder China-aligned APTs to detect in 2026, and it demands a detection strategy that goes well beyond domain blocklists.
EchoCreep: Discord as a Command-and-Control Channel
How EchoCreep Operates
EchoCreep supports file upload, file download, and command execution through cmd.exe. Analysis of the Discord channel EchoCreep uses for C2 shows that the earliest commands were sent as far back as March 21, 2024. In all, 433 Discord messages have been sent via the C2 channel to more than 50 unique targets.
The operational appeal of Discord-based C2 is hard to overstate. Every command sent to a compromised endpoint is delivered as a Discord message, so at the network layer it is indistinguishable from legitimate Discord traffic: TLS, a valid Discord certificate, and Discord's high-volume CDN infrastructure mean that network signature inspection has nothing to match on. What the channel does not hide is the endpoint side of the connection: which process opened it, how regularly it polls, and what that process spawns afterwards. That is where detection has to happen.
The GitHub Staging Infrastructure
Underlying these efforts is a GitHub repository impersonating a WordPress fork, used as a staging ground for malware and tools such as SoftEther VPN so that downloads blend in with ordinary developer traffic. Reliance on SoftEther VPN is a tried-and-tested approach adopted by several Chinese hacking groups, which also means its presence alone does not attribute an intrusion to Webworm.
Table: Webworm Tool Arsenal — 2025-2026
| Tool | Category | Function | Stealth Mechanism |
|---|---|---|---|
| EchoCreep | Backdoor | File transfer + cmd execution | Discord C2 channel |
| GraphWorm | Backdoor | Advanced persistence + OneDrive exfil | Microsoft Graph API C2 |
| WormFrp | Custom proxy | Encrypted tunneling | AWS S3 config retrieval |
| ChainWorm | Custom proxy | Multi-hop routing | Internal/external chaining |
| SmuxProxy | Custom proxy | Multiplexed connections | Protocol-level obfuscation |
| WormSocket | Custom proxy | Socket tunneling | TLS traffic blending |
| SoftEther VPN | Legitimate tool | LOTL persistence | Trusted commercial software |
GraphWorm: Microsoft Graph API as the Spy's Channel
Advanced Capabilities Beyond EchoCreep
GraphWorm is a more advanced backdoor that can spawn a new "cmd.exe" session, execute a newly created process, upload and download files to and from Microsoft OneDrive, and stop its own execution after receiving a signal from the operators.
The OneDrive integration matters forensically. Files exfiltrated to attacker-controlled OneDrive accounts traverse Microsoft's own infrastructure, the same API endpoints your organization's legitimate OneDrive traffic uses. Because the account belongs to the attacker, the uploads are authenticated against the attacker's tenant and never appear in your tenant's Microsoft 365 audit or Graph activity logs. The only telemetry you own for this channel is on the endpoint and at the egress proxy, where graph.microsoft.com requests from an unexpected process are the signal.
The Self-Termination Capability
GraphWorm's ability to stop its own execution on operator signal makes live forensic capture harder. An analyst who detects anomalous behavior and begins investigating can tip off the operator, and the backdoor terminates before memory acquisition completes. This is a direct counter to standard incident response procedures, and it only works while the Graph API channel is still reachable from the host.
Pro Tip: When investigating suspected Webworm activity, acquire memory before taking any action the operator could notice. Full network isolation cuts the Graph API channel and with it the operator's ability to send the stop signal, but partial or noisy steps taken while the channel is still up (blocking one destination, killing a sibling process, resetting a credential the backdoor is using) can prompt the operator to terminate GraphWorm before the dump captures the active payload. Whether GraphWorm also exits on its own when it loses connectivity is not documented here, so do not count on isolation preserving it. Acquire RAM first, contain second, and if you must isolate first, do it completely in a single step.
Table: EchoCreep vs GraphWorm — Capability Comparison
| Capability | EchoCreep | GraphWorm |
|---|---|---|
| C2 channel | Discord | Microsoft Graph API |
| File upload/download | Yes | Yes (OneDrive) |
| Command execution | cmd.exe | cmd.exe + new process creation |
| Self-termination | No | Yes (operator-signaled) |
| Persistence mechanism | Standard | Advanced |
| Detection difficulty | High | Very High |
Detection and Defense: Hunting Webworm TTPs
Graph API Telemetry: What Your Tenant Logs Do and Do Not Show
Microsoft 365 audit logging and Microsoft Graph activity logs are worth enabling and reviewing, but be clear about what they cover. They record Graph calls made against your tenant, so they surface anomalous application registrations, unexpected OAuth consent grants, and Graph access from unfamiliar locations when an attacker abuses an identity or app registration in your tenant. GraphWorm, as described here, authenticates to attacker-controlled OneDrive accounts, and those calls are logged in the attacker's tenant, not yours. For the C2 and exfiltration channel itself, the telemetry you own is on the endpoint (EDR or Sysmon process and network events) and at the egress proxy (TLS SNI or inspected hostnames), and that is where the primary detections belong.
Key detection queries to implement in your SIEM:
- Anomalous Graph API calls: requests to graph.microsoft.com from endpoint processes that are not known Microsoft 365 clients (OneDrive, Outlook, Teams, browsers), correlated by process image and signer rather than by destination alone
- OneDrive upload spikes: outbound volume to graph.microsoft.com from a single host or process outside business hours or above its baseline, using proxy or flow logs
- Discord process-network correlation: a process that holds connections to discord.com and spawns cmd.exe, or a cmd.exe descendant that itself connects to discord.com, on a host with no business reason to run a Discord client
- SoftEther VPN installation events: flag any SoftEther VPN install on a corporate endpoint as a high-priority indicator (SoftEther is used by several China-aligned groups, so it warrants investigation rather than attribution)
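As an added example, not code from the article or from any Webworm reporting, here is the process-to-network correlation above run in Python over a few constructed endpoint telemetry records. The record shape, the allowlist of images permitted to reach each service, the business-hours window, and the two suspicious file names are assumptions for the demonstration; the watched domains are the services the article names. It goes slightly beyond the bullets by also catching a cmd.exe descendant that connects directly and by matching subdomains such as cdn.discordapp.com.

```python
"""Process-to-network correlation for legitimate-service C2 (added example)."""
import json
from collections import defaultdict
from datetime import datetime

# Cloud services the article names as Webworm C2, exfiltration or staging channels.
WATCHED = {
    "discord.com": "Discord C2 (EchoCreep pattern)",
    "discordapp.com": "Discord C2 (EchoCreep pattern)",
    "graph.microsoft.com": "Graph API C2 / OneDrive exfiltration (GraphWorm pattern)",
    "raw.githubusercontent.com": "GitHub staging download",
}

# ASSUMPTION: images that legitimately reach each service in this fleet. A production
# allowlist should key on code signer and path, not the bare file name used here.
ALLOWED = {
    "discord.com": {"discord.exe", "msedge.exe", "chrome.exe"},
    "discordapp.com": {"discord.exe", "msedge.exe", "chrome.exe"},
    "graph.microsoft.com": {"onedrive.exe", "outlook.exe", "ms-teams.exe", "msedge.exe", "chrome.exe"},
    "raw.githubusercontent.com": {"msedge.exe", "chrome.exe", "git.exe"},
}
BUSINESS_HOURS = range(7, 19)  # ASSUMPTION: local working day is 07:00-18:59


def image_name(path):
    """Bare, lower-cased executable name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def watched_domain(host):
    """Return the watched registrable domain that host equals or is a subdomain of."""
    host = host.lower()
    return next((d for d in WATCHED if host == d or host.endswith("." + d)), None)


def hunt(lines):
    """Return one finding per process that reaches a watched service and either is
    not an allowed image, spawns cmd.exe (the execution path both backdoors use),
    or is itself a cmd.exe descendant. Findings outside business hours are annotated."""
    events = [json.loads(line) for line in lines]
    images, parents, children = {}, {}, defaultdict(set)
    for ev in events:  # first pass: process tree, so a cmd.exe spawned later still counts
        if ev["event"] == "process_create":
            name = image_name(ev["image"])
            images[ev["pid"]] = name
            parents[ev["pid"]] = ev["ppid"]
            children[ev["ppid"]].add(name)

    findings = {}
    for ev in events:  # second pass: network events against watched services
        if ev["event"] != "network_connect":
            continue
        domain = watched_domain(ev["dest_host"])
        if domain is None:
            continue
        pid = ev["pid"]
        image = images.get(pid, image_name(ev["image"]))
        reasons = []
        if image not in ALLOWED[domain]:
            reasons.append(f"unexpected image {image} -> {ev['dest_host']} ({WATCHED[domain]})")
        if "cmd.exe" in children[pid]:
            reasons.append("spawns cmd.exe while holding a connection to " + domain)
        if image == "cmd.exe" or images.get(parents.get(pid)) == "cmd.exe":
            reasons.append("cmd.exe is the connecting process or its immediate parent")
        if reasons and datetime.fromisoformat(ev["ts"]).hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            findings[pid] = {"pid": pid, "image": image, "host": ev["dest_host"], "reasons": reasons}
    return list(findings.values())


# Constructed telemetry shaped like Sysmon Event ID 1 / 3 records; field names and the
# two "backdoor" file names are invented for the example and are not Webworm indicators.
SAMPLE = [
    {"event": "process_create", "ts": "2025-03-21T08:00:00", "pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe"},
    # benign: the real Discord client and OneDrive sync client reaching their own services
    {"event": "process_create", "ts": "2025-03-21T09:00:00", "pid": 5000, "ppid": 100, "image": "C:\\Users\\alice\\AppData\\Local\\Discord\\Discord.exe"},
    {"event": "network_connect", "ts": "2025-03-21T09:05:00", "pid": 5000, "image": "C:\\Users\\alice\\AppData\\Local\\Discord\\Discord.exe", "dest_host": "discord.com", "dest_port": 443},
    {"event": "process_create", "ts": "2025-03-21T09:00:00", "pid": 6000, "ppid": 100, "image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"},
    {"event": "network_connect", "ts": "2025-03-21T09:06:00", "pid": 6000, "image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", "dest_host": "graph.microsoft.com", "dest_port": 443},
    # suspicious: unknown image in a user profile polls Discord at 02:14, then spawns cmd.exe
    {"event": "process_create", "ts": "2025-03-21T02:10:00", "pid": 4100, "ppid": 100, "image": "C:\\Users\\alice\\AppData\\Roaming\\updater.exe"},
    {"event": "network_connect", "ts": "2025-03-21T02:14:00", "pid": 4100, "image": "C:\\Users\\alice\\AppData\\Roaming\\updater.exe", "dest_host": "discord.com", "dest_port": 443},
    {"event": "process_create", "ts": "2025-03-21T02:14:30", "pid": 4188, "ppid": 4100, "image": "C:\\Windows\\System32\\cmd.exe"},
    # suspicious: service-looking image reaches the Graph API at night and spawns cmd.exe
    {"event": "process_create", "ts": "2025-03-21T23:30:00", "pid": 7000, "ppid": 100, "image": "C:\\ProgramData\\svc\\host.exe"},
    {"event": "network_connect", "ts": "2025-03-21T23:31:00", "pid": 7000, "image": "C:\\ProgramData\\svc\\host.exe", "dest_host": "graph.microsoft.com", "dest_port": 443},
    {"event": "process_create", "ts": "2025-03-21T23:31:10", "pid": 7012, "ppid": 7000, "image": "C:\\Windows\\System32\\cmd.exe"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LINES):
        print(f["pid"], f["image"], f["host"], "; ".join(f["reasons"]))
```

Run as is, it reports the two suspicious processes; the Discord and OneDrive clients produce no findings because their images are on the allowlist and spawn nothing. On real data, map Sysmon Event ID 1 and 3 (or your EDR's equivalent) into the same fields, and replace the file-name allowlist with signer and path checks, since a backdoor can simply name itself OneDrive.exe.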
MITRE ATT&CK Mapping for Webworm TTPs
Webworm uses open-source utilities like dirsearch and nuclei to brute-force victim web server files and directories and search for vulnerabilities within — combined with custom proxy tools capable of encrypting communications while supporting chaining across multiple hosts internally and externally.
Key ATT&CK techniques: T1595.002 (Vulnerability Scanning) and T1595.003 (Wordlist Scanning) for the nuclei and dirsearch reconnaissance, T1102.002 (Web Service: Bidirectional Communication) for the Discord and Graph API channels, T1567.002 (Exfiltration to Cloud Storage), T1572 (Protocol Tunneling), T1090.003 (Multi-hop Proxy) for the chained proxy tooling, T1505.003 (Web Shell), and T1021.001 (Remote Desktop Protocol) for lateral movement.
Key Takeaways
- Enable Microsoft 365 audit logging and Graph activity logs, but do not expect them to show GraphWorm's exfiltration: uploads to attacker-controlled OneDrive accounts are logged in the attacker's tenant, so the primary telemetry is endpoint process-to-network correlation and proxy logs
- Alert on a process that connects to discord.com and spawns cmd.exe: this is the highest-fidelity EchoCreep behavioral indicator on a host that should not be running a Discord client
- Flag SoftEther VPN installations on any corporate endpoint as a high-priority indicator; several China-aligned groups use it, so treat it as a lead to investigate rather than proof of Webworm
- Acquire memory before any step the operator could notice: GraphWorm self-terminates on operator signal, so RAM capture must precede partial containment, and full isolation should be a single step
- Expand detection beyond known-malicious domains: the C2 channels described here run on legitimate Microsoft and Discord endpoints that no domain blocklist will ever flag
- Review graph.microsoft.com upload activity from endpoints at the proxy and EDR layer; unusual volume, timing, or source process is your primary indicator of GraphWorm exfiltration
Conclusion
Webworm's 2025-2026 evolution represents the maturation of a detection evasion approach that every enterprise security team now has to counter: a shift away from dedicated C2 infrastructure toward legitimate cloud platforms, backed by custom proxies and commercial VPN software for the rest of the intrusion. When your malware speaks Discord and your exfiltration rides the Microsoft Graph API, domain blocklisting and IP reputation lose most of their value. The organizations that will detect EchoCreep and GraphWorm are those with process-to-network correlation on endpoints, behavioral analytics on traffic to cloud APIs, and the Microsoft 365 audit telemetry that catches in-tenant identity abuse. Build those capabilities now; the Discord channel alone shows Webworm has reached more than 50 targets since early 2024.
Frequently Asked Questions
Q: What is Webworm and what sectors does it target? A: Webworm is a China-aligned advanced persistent threat group active since at least 2022, targeting government agencies and enterprises in IT services, aerospace, and electric power sectors. In 2025-2026, the group expanded its targeting to include European governmental organizations in Belgium, Italy, Serbia, Poland, and Spain, and a South African university.
Q: How does EchoCreep use Discord for command-and-control? A: EchoCreep sends attacker commands to compromised endpoints through a Discord channel — using Discord's legitimate HTTPS infrastructure as the C2 channel. Commands appear as Discord messages, making them indistinguishable from normal Discord traffic at the network level. The backdoor executes these commands locally via cmd.exe and returns results through the same channel.
Q: What makes GraphWorm more dangerous than EchoCreep? A: GraphWorm uses the Microsoft Graph API — the same API your organization's legitimate Microsoft 365 services use — for C2 and exfiltrates files to attacker-controlled OneDrive accounts. It also supports operator-triggered self-termination, meaning it can destroy evidence of its presence when analysts begin investigating. This combination makes detection, capture, and attribution significantly more difficult than EchoCreep.
Q: What is the primary detection method for GraphWorm? A: Correlating which process on the endpoint is talking to graph.microsoft.com. Alert on Graph API connections from processes that are not known Microsoft 365 clients, on such a process spawning cmd.exe, and on upload volume or timing that departs from the host's baseline, especially outside business hours. Tenant-side Microsoft 365 audit and Graph activity logs are still worth reviewing for anomalous application access and unexpected OAuth grants, but because GraphWorm uploads to attacker-controlled OneDrive accounts, those calls are recorded in the attacker's tenant rather than yours, so they are not where this backdoor will show up.
Q: What MITRE ATT&CK techniques cover Webworm's C2 methodology? A: T1102 (Web Service — using cloud services for C2), T1567.002 (Exfiltration to Cloud Storage — OneDrive exfiltration), T1572 (Protocol Tunneling — custom proxy tools), T1059.003 (Windows Command Shell — cmd.exe execution), and T1136 (Create Account — for persistence in compromised environments) are the primary techniques. Webworm's proxy chaining maps to T1090 (Proxy) with the multi-hop variant documented in their custom WormFrp and ChainWorm tools.
