
ONE Sentinel

Security/THREATS/HIGH

Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API

Source: The Hacker News
May 20, 2026

EXECUTIVE SUMMARY

Webworm Unleashes New Backdoors via Discord and MS Graph API

Summary

The article covers the latest activity of Webworm, a China-aligned threat actor that has been deploying custom backdoors named EchoCreep and GraphWorm. These backdoors use Discord and the Microsoft Graph API for command-and-control (C2) communications.

Key Points

  • Webworm is a China-aligned threat actor first documented by Symantec in September 2022.
  • The group has been active since at least 2022, primarily targeting government agencies.
  • In 2025, Webworm deployed custom backdoors called EchoCreep and GraphWorm.
  • These backdoors leverage Discord and Microsoft Graph API for C2 communications.

Analysis

The deployment of EchoCreep and GraphWorm shows threat actors continuing to move C2 onto popular platforms such as Discord and the Microsoft Graph API. Because this traffic goes to services that are also used legitimately, it complicates detection and underscores the need for closer monitoring of legitimate services that can be abused for C2.

Conclusion

IT professionals should prioritize monitoring network traffic for unusual activity involving Discord and the Microsoft Graph API. Implementing robust security measures and staying informed about emerging threats like Webworm can help mitigate potential risks.
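
One way to act on the monitoring advice above, as an added example that is not from the article or its source: flag processes that reach Discord or Microsoft Graph endpoints but are not on a per-service allow-list. It assumes endpoint or proxy telemetry that records the originating process; the CSV layout, the allow-list and every sample record are constructed for illustration and are not indicators from the Webworm reporting.

```python
import csv
import io
from collections import defaultdict

# Real service hostnames; matching also covers their subdomains.
WATCHED = {
    "discord.com": "discord",
    "discordapp.com": "discord",
    "graph.microsoft.com": "msgraph",
}
# Hypothetical allow-list: processes expected to use each service in this environment.
EXPECTED = {
    "discord": {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
    "msgraph": {"outlook.exe", "teams.exe", "onedrive.exe", "msedge.exe"},
}
# Constructed sample telemetry (hosts and process names are made up).
SAMPLE_LOG = """ts,host,process,dest,bytes_out
2026-05-20T09:00:01Z,WS-014,chrome.exe,discord.com,1200
2026-05-20T09:00:07Z,WS-014,outlook.exe,graph.microsoft.com,5300
2026-05-20T09:01:12Z,SRV-DB02,svchost_upd.exe,discord.com,880
2026-05-20T09:01:40Z,SRV-DB02,svchost_upd.exe,cdn.discordapp.com,152000
2026-05-20T09:02:03Z,SRV-DB02,rundll32.exe,graph.microsoft.com,640
2026-05-20T09:02:30Z,WS-022,teams.exe,graph.microsoft.com,2100
2026-05-20T09:03:00Z,WS-022,chrome.exe,notdiscord.com,100
"""

def service_for(dest):
    """Map a destination hostname to a watched service, or None."""
    dest = dest.lower().rstrip(".")
    for domain, svc in WATCHED.items():
        # Exact or dot-bounded suffix match, so "notdiscord.com" is not a hit.
        if dest == domain or dest.endswith("." + domain):
            return svc
    return None

def find_unexpected_clients(log_text):
    """Return {(host, process, service): [connections, bytes_out]} for off-list processes."""
    hits = defaultdict(lambda: [0, 0])
    for row in csv.DictReader(io.StringIO(log_text)):
        svc = service_for(row["dest"])
        proc = row["process"].lower()
        if svc is None or proc in EXPECTED[svc]:
            continue
        entry = hits[(row["host"], proc, svc)]
        entry[0] += 1
        entry[1] += int(row["bytes_out"])
    return dict(hits)

if __name__ == "__main__":
    for (host, proc, svc), (n, sent) in sorted(find_unexpected_clients(SAMPLE_LOG).items()):
        print(f"{host} {proc} -> {svc}: {n} connections, {sent} bytes out")
```

An allow-list like this only narrows the search: a hit is a lead to triage, and the list has to be tuned to the software actually deployed before the output is useful.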