Cybersecurity researchers have documented fresh 2025 activity from Webworm, a China-aligned threat actor first tracked by Symantec in September 2022. The group deploys two custom backdoors, EchoCreep and GraphWorm, that use Discord and the Microsoft Graph API for command-and-control (C2) communications.

Webworm targets government agencies and has maintained operational activity since at least 2022. The use of Discord and the Microsoft Graph API for C2 represents an evolution in the group's infrastructure approach. These channels let the attackers blend their C2 traffic into the legitimate traffic of widely used platforms, which complicates detection for defenders who rely on traditional network indicators of compromise such as known-bad domains and IP addresses.

EchoCreep and GraphWorm are custom-developed tools rather than off-the-shelf malware, which indicates resource investment and operational maturity. Discord's popularity as a communication platform, and the Microsoft Graph API's integration across enterprise environments, make both attractive to attackers seeking to evade detection: traffic to these services is TLS-encrypted, terminates at reputable infrastructure, and typically receives less scrutiny than direct connections to known malicious hosts. Domain and IP reputation therefore carry little signal here; what remains is which host and which process are talking to the service, and how often.

The targeting of government agencies aligns with the historical operational patterns of China-aligned threat actors. Such intrusions establish persistent access for espionage, intellectual property theft, or pre-positioning for future operations. Government networks hold classified information and operational details of national interest to foreign intelligence services.

Organizations should implement application-layer monitoring for Discord and Microsoft Graph API traffic, and treat it as suspicious when it originates from systems with no legitimate business need for those services. Endpoint detection and response (EDR) tooling should flag processes spawned by unusual parent processes, and PowerShell in particular, that open outbound connections to these services; because the destinations are legitimate, the identity of the connecting host and process, and the regularity of its connections, are more useful detection criteria than the destination itself. Network segmentation limits lateral movement if an initial compromise occurs.

Administrators should enforce multi-factor authentication on Microsoft accounts and review OAuth consent grants for unusual third-party applications requesting Graph API permissions, bearing in mind that MFA does not stop an attacker who already holds a valid access token or controls a consented application. Security teams should hunt their historical proxy, DNS and endpoint logs for connections to Discord infrastructure and for anomalous Graph API authentication patterns. The use of
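The hunting and EDR checks described above, as an added example that is not from the article or from Symantec's reporting: a small Python triage script that runs detection logic over constructed endpoint connection logs. The log format, the hostnames, the allowlists and the domain lists are all assumptions chosen for the illustration. It flags Discord or Graph connections from hosts or processes outside an allowlist, PowerShell or Office-spawned processes reaching Discord, and connections to the same destination repeating at a near-constant interval, which is the beaconing pattern a backdoor polling its C2 channel tends to produce.

```python
"""Hunt for Discord / Microsoft Graph C2-style beaconing in endpoint connection logs.

Added example; not the article's or Symantec's code. The log format, host names,
allowlists and domain lists below are assumptions made for the illustration.
"""
import re
from datetime import datetime, timezone
from statistics import median

# Destinations that Discord and Microsoft Graph clients legitimately reach.
DISCORD_DOMAINS = ("discord.com", "discordapp.com", "discord.gg")
GRAPH_DOMAINS = ("graph.microsoft.com",)

# Hypothetical allowlists: tune these to the environment being hunted.
ALLOWED_DISCORD_HOSTS = {"ws-devrel-01"}                       # hosts with a business need
ALLOWED_GRAPH_PROCESSES = {"outlook.exe", "teams.exe", "onedrive.exe", "msedge.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed log format: <utc timestamp> host=<name> proc=<image> parent=<image> dest=<fqdn>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) parent=(?P<parent>\S+) dest=(?P<dest>\S+)$"
)

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = """\
2025-03-01T08:00:01Z host=ws-devrel-01 proc=discord.exe parent=explorer.exe dest=discord.com
2025-03-01T08:05:12Z host=ws-finance-07 proc=powershell.exe parent=winword.exe dest=discord.com
2025-03-01T08:05:42Z host=ws-finance-07 proc=powershell.exe parent=winword.exe dest=discord.com
2025-03-01T08:06:12Z host=ws-finance-07 proc=powershell.exe parent=winword.exe dest=discord.com
2025-03-01T08:10:00Z host=ws-hr-03 proc=outlook.exe parent=explorer.exe dest=graph.microsoft.com
2025-03-01T08:11:30Z host=srv-file-02 proc=svchost.exe parent=services.exe dest=graph.microsoft.com
2025-03-01T08:12:00Z host=ws-hr-03 proc=msedge.exe parent=explorer.exe dest=www.example.com
"""


def parse(log_text):
    """Yield one dict per well-formed log line, with the timestamp parsed to UTC."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield rec


def in_domains(dest, domains):
    """True if dest is one of the domains or a subdomain of one (e.g. cdn.discordapp.com)."""
    d = dest.lower()
    return any(d == dom or d.endswith("." + dom) for dom in domains)


def classify(rec):
    """Return the reasons a single connection record is suspicious (empty list if none)."""
    reasons = []
    proc, parent = rec["proc"].lower(), rec["parent"].lower()
    if in_domains(rec["dest"], DISCORD_DOMAINS):
        if rec["host"] not in ALLOWED_DISCORD_HOSTS:
            reasons.append("discord-from-unapproved-host")
        if proc == "powershell.exe":
            reasons.append("powershell-to-discord")
        if parent in OFFICE_PARENTS:
            reasons.append("office-parent-spawned-connection")
    elif in_domains(rec["dest"], GRAPH_DOMAINS):
        if proc not in ALLOWED_GRAPH_PROCESSES:
            reasons.append("unexpected-process-to-graph")
    return reasons


def is_regular_beacon(timestamps, min_hits=3, tolerance=0.2):
    """True if at least min_hits connections are spaced at a near-constant interval."""
    if len(timestamps) < min_hits:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    if med <= 0:
        return False
    return all(abs(g - med) <= tolerance * med for g in gaps)


def hunt(log_text):
    """Aggregate suspicious connections per (host, process, destination) and tag beaconing."""
    findings = {}
    for rec in parse(log_text):
        reasons = classify(rec)
        if not reasons:
            continue
        key = (rec["host"], rec["proc"].lower(), rec["dest"].lower())
        entry = findings.setdefault(key, {"reasons": set(), "timestamps": []})
        entry["reasons"].update(reasons)
        entry["timestamps"].append(rec["ts"])
    for entry in findings.values():
        if is_regular_beacon(entry["timestamps"]):
            entry["reasons"].add("regular-beacon-interval")
        entry["hits"] = len(entry["timestamps"])
    return findings


if __name__ == "__main__":
    for (host, proc, dest), e in hunt(SAMPLE_LOG).items():
        print(f"{host} {proc} -> {dest}: {e['hits']} hits, {sorted(e['reasons'])}")
```

On the constructed sample the script reports two findings: PowerShell spawned by Word on ws-finance-07 polling discord.com every 30 seconds, and svchost.exe on a file server calling graph.microsoft.com, while the approved Discord workstation and the Outlook client are ignored. The allowlists are the part that needs real tuning: on a live estate several Windows components do reach Microsoft endpoints, so the Graph process allowlist must be built from a baseline of the environment rather than copied from here, and the beacon tolerance should be widened if the malware adds jitter to its polling interval.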