thehackernews.com · 5/20/2026, 1:30:55 PM

Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API

CyberSIXT Evidence Panel
Primary Source: welivesecurity.com
Threat Actor: 🇨🇳 Webworm

Cybersecurity researchers have flagged fresh activity from a China-aligned threat actor known as Webworm in 2025, deploying custom backdoors that use Discord and the Microsoft Graph API for command-and-control communications, according to ESET. Webworm, active since at least 2022, has targeted government agencies and enterprises across IT services, aerospace and energy sectors in Russia, Georgia, Mongolia and several other Asian nations.

Attacks attributed to the group have leveraged remote access Trojans such as Trochilus RAT, Gh0st RAT and 9002 RAT, and the actor is said to overlap with clusters tracked as FishMonger, SixLittleMonkeys and Space Pirates. In 2025 Webworm added two backdoors to its toolkit: EchoCreep, which uses Discord for C2, and GraphWorm, which uses Microsoft Graph API for the same purpose.

EchoCreep supports file upload/download and command execution via cmd.exe, while GraphWorm can spawn a new cmd.exe session, upload and download files to and from Microsoft OneDrive, and stop its own execution after a signal from operators. The Discord channel used by EchoCreep shows commands dating back to March 21, 2024, with 433 Discord messages observed on the C2 server. Investigators note the group also relies on open-source tools like dirsearch and nuclei for initial access attempts.


Article by CyberSIXT
