Webworm: New burrowing techniques

ESET researchers analyzed the 2025 activity of Webworm, a China-aligned APT group that initially targeted organizations in Asia but has now shifted its focus to Europe. This is our first public blogpost on the group, although we have been monitoring Webworm’s activities since Symantec first reported on them in 2022. Over the years, we have observed that this threat actor consistently changes its tactics, techniques, and procedures (TTPs).

Webworm is associated with other China-aligned APT groups like SixLittleMonkeys and FishMonger. While it previously used well-known malware families such as McRat (aka 9002 RAT) and Trochilus, it has recently started utilizing existing and custom proxy tools, which are more discreet than traditional backdoors. In 2025, Webworm introduced two new backdoors to its arsenal: EchoCreep, which utilizes Discord for C&C communication, and GraphWorm, which uses Microsoft Graph API for the same purpose. The group is also known for hosting its malware and tools in GitHub repositories, making it easy to download malware directly onto victims’ machines.

Key points of the blogpost:

  • Webworm has been updating its toolset and targets since its discovery in 2022.
  • In 2025, the group started using backdoors that leverage Discord and Microsoft Graph API for C&C communication.
  • ESET researchers decrypted over 400 Discord messages and a bash history file found on an operator server containing reconnaissance commands used against more than 50 unique targets.
  • Aside from backdoors, Webworm also uses various existing and custom proxy tools.
  • The group stages its malware on GitHub.

We attribute the 2025 campaign to Webworm based on the information we uncovered after decrypting Discord messages used by the EchoCreep backdoor for C&C communication. This information led us to the attackers’ GitHub repository, where we found staged artifacts like the SoftEther VPN application. Within the SoftEther configuration file, we identified an IP address matching a known Webworm IP.

Affected victims from the countries mentioned in this blogpost have been notified accordingly. Additionally, identified services such as a GitHub repository and an S3 bucket have been shut down.

Evolving approach

In 2022, Webworm primarily used established backdoors and remote access trojans (RATs) like McRat and Trochilus, targeting Asian countries as detailed in the Symantec blogpost.

By 2024, the group shifted away from traditional backdoors towards legitimate or semi-legitimate tools such as SOCKS proxies (SoftEther VPN) and other networking solutions. While these tools help Webworm evade detection, they lack the full command set typical of backdoors, requiring operators to rely on command interpreters like cmd.exe or powershell.exe.

During this time, Webworm also decreased operations in Asia and redirected its focus to European countries. This trend continued in 2025, with observed attacks targeting governmental organizations in Belgium, Italy, Serbia, Poland, and a university in South Africa.

In the latest campaigns, Webworm abandoned Trochilus and McRat while expanding its toolset. Notable additions include two new backdoors: EchoCreep using Discord and GraphWorm using Microsoft Graph API. Alongside existing proxy solutions, such as Go-written iox and frp, custom proxy tools like WormFrp, ChainWorm, SmuxProxy, and WormSocket were introduced.

These custom proxy tools encrypt communications and support chaining across multiple hosts internally and externally, potentially creating a larger hidden network for Webworm. The group’s proxies and VPN services operate on cloud servers controlled by Vultr and IT7 Networks. Given the number and complexity of proxy tools, Webworm may be expanding its network by tricking victims into running its proxies.

Discord and Microsoft Graph API C&C communication

In 2025, Webworm began exploiting Discord and Microsoft Graph API for C&C communication. Analysis of the EchoCreep backdoor revealed over 400 Discord messages and four unique channels corresponding to different victims. EchoCreep uses Discord for file uploads, sending runtime reports, and receiving commands, with network communication through crafted HTTP requests utilizing Discord APIs.

Regarding GraphWorm, which utilizes Microsoft Graph API for C&C communication, it exclusively employs OneDrive endpoints to fetch new tasks and upload victim data. Each victim has a separate OneDrive directory, and the backdoor leverages the Microsoft Graph API endpoint /createUploadSession to upload large staged files from the cloud-hosted OneDrive instance.

Amazon S3 bucket

In the 2025 campaigns investigation, we found that Webworm utilized its custom proxy solution WormFrp to retrieve configurations from a compromised Amazon S3 bucket at wamanharipethe.s3.ap-south-1.‌amazonaws[.]com. Amazon S3 is a public cloud storage service in Amazon Web Services, and we suspect the compromised bucket is the publicly accessible version of whpjewellers.s3.amazonaws[.]com.

Initial examination of the bucket’s contents revealed snapshots from virtual machine hosts, including one with the configuration and active state of a machine from an Italian governmental entity. This suggests that the operators may have successfully breached the environment managing the victim’s virtual machines or gained access to a host storing snapshots.

In both scenarios, it is evident that Webworm can exfiltrate data through the S3 bucket while an unsuspecting victim bears the cost of the service.

By late October 2025, threat actors uploaded a file named SharpSecretsdump to the S3 bucket, which mimics the activity of the infamous secretsdump.py tool to extract credentials from Windows hosts. This tool was likely uploaded by Webworm operators for use against their targets.

Between December 2025 and January 2026, the operators uploaded 20 new files to the service, including two exfiltrated from a governmental entity in Spain. These files contained sensitive information about the entity’s virtual hosts configurations and infrastructure details.

GitHub repository

During the investigation of EchoCreep’s Discord C&C infrastructure, unique identifiers related to users, channels, and guilds were retrieved. Despite limited access to the bot’s token, no API calls were found to identify server or bot owners.

Discord messages led to the discovery of a GitHub repository acting as a file stager for Webworm tools and malware. This repository, a direct fork of the legitimate WordPress repository, was used to hide malicious tools in plain sight.

Figure 1. Forked WordPress repository
Figure 1. Forked WordPress repository

Infiltration Techniques

While the initial entry point used by Webworm remains unknown, the group employs open-source utilities to scrape web server files and directories for vulnerabilities.

Analysis of a victim machine communicating with a proxy server revealed the use of open-source utilities like dirsearch and nuclei to search for vulnerabilities. These tools were used to brute force directories and files within web servers to identify potential weaknesses.

Figure 2. Open directory listing
Figure 2. Open directory listing

Webworm operators utilized dirsearch and nuclei to scan web servers in various countries for vulnerabilities, as evidenced by the stored results in the .dirsearch directory.

The group also leveraged a proof-of-concept exploit for CVE-2017-7692 against a Serbian webmail target, indicating potential access to victim credentials.

Toolset

This blogpost delves into the new tools added to Webworm’s arsenal, including custom backdoors like EchoCreep and GraphWorm, as well as proxy solutions such as WormFrp, ChainWorm, SmuxProxy, and WormSocket.

EchoCreep

EchoCreep, a backdoor written in Go, uses Discord as a C&C server to execute various commands. The backdoor’s network communication is encrypted and decrypted using base64 and AES-CBC-128, respectively.

The backdoor was observed uploading files to Discord, downloading files from URLs, executing shell commands, and sleeping for a specified duration before reporting back to the C&C server.

While the method of initial compromise remains unclear, EchoCreep achieves persistence post-compromise through C&C commands.

Decrypting over 400 Discord messages revealed the extent of victims compromised by EchoCreep based on channel names, which often included victim IP addresses or a combination of IP address and hostname.

After identifying four unique channels following this naming convention, we suspect there are four victims involved.

During the initial execution of EchoCreep, it did not create a new channel but instead sent an “Up Success” message to an existing channel, indicating that the channels were set up before the backdoor was activated. This suggests that the operators either had prior knowledge of the targets or obtained the necessary information after gaining initial access.

Figure 5. EchoCreep Discord Up Success message
Figure 5. EchoCreep Discord Up Success message

Figure 6. EchoCreep backdoor Up Success message
Figure 6. EchoCreep backdoor Up Success message

The initial messages sent from March 21st, 2024 to March 31st, 2025 seemed to be test commands from the operators. Figure 7 displays some local IP configuration details left behind by the threat actors.

Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : lan
Link-local IPv6 Address . . . . . : fe80::2111:d79b:b1ba:1f4a%10
IPv4 Address. . . . . . . . . . . : 192.168.8.174
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.8.1

Figure 7. Windows ipconfig output

Several of the early messages contained random values, possibly used for communication testing purposes, as shown in Figure 8.

Figure 8. Junk commands
Figure 8. Junk commands

Subsequently, we observed download operations like those depicted in Figure 9, indicating the progression to more advanced commands.

Figure 9. frp download
Figure 9. frp download

Furthermore, in Figure 10, we see testing actions that may have been early versions of the persistence mechanism eventually used by Webworm against victims. It is noteworthy that the “run” command was executed instead of the later employed “shell” command, supporting the idea that these were preliminary tests.

Figure 10. Test VBScript
Figure 10. Test VBScript

The first actual compromise occurred on April 9th, 2025, with new Up Success messages linked to a new channel name appearing in the logs. Shortly after the initial compromise, the threat actor utilized shell commands to run curl for file downloads.

GraphWorm

GraphWorm is another newly discovered backdoor used by Webworm. It self-executes when the victim logs into the machine and utilizes the Microsoft Graph API for C&C communication, indicating the establishment of new infrastructure by Webworm to target victims, storing data within a Microsoft Graph tenant. Based on our observations, the backdoor relies exclusively on OneDrive for receiving commands and transmitting victim data. The data exchanged in these communications is initially encrypted with AES-256-CBC using OpenSSL EVP library calls and then base64 encoded. GraphWorm also allows for proxy configurations, enabling traffic to pass through a specified proxy server.

Upon first execution, the backdoor generates a unique victim ID by combining the network adapter IP, processor ID, and physical device serial number through the WMI framework.

This unique ID is used to rename or create a new OneDrive folder within the tenant. Each folder is specific to a compromised victim and contains distinct subfolders for files, command execution results, and queued jobs for the operators, respectively.

After successfully creating the folder, the backdoor gathers details about the victim machine, resulting in the JSON object shown in Figure 11.


"Host Name": "<computer_name>",
"IP Address": "<ip>",
"MAC Address": "<mac>",
"Operating System": "<os>",
"Privilege": "<Admin

Figure 11. Configuration structure

The commands received by GraphWorm via OneDrive are outlined in Table 2, in the order of discovery.

Table 2. GraphWorm commands

Command Arguments Description
keyExchange String <adminPublicKey> This value is set in memory with an unclear purpose, possibly related to setting a public key for reverse shell access.
sessionKey String <sessionKey> String <keyId> Another set of values stored in memory, assumed to be an RSA private key and AES key for cryptographic functions.
kill N/A Stops the backdoor execution.
shell N/A Spawns a new cmd.exe instance.
exec File path Runs a new process using CreateProcessW.
upload String <onedrive_path> String <agent_path> Downloads a file based on the specified OneDrive and agent paths. The <onedrive_path> represents the full path in OneDrive, formatted as /me/drive/root:/<onedrive_path>, while the <agent_path> is the full file path on disk.

In our investigation, we discovered that after executing shell commands, the output was stored in a file named beacon_shell_output.txt in a temporary directory. To upload these outputs, it is likely that the operators utilized the Microsoft Graph API endpoint /createUploadSession due to the integration with OneDrive.

WormFrp

WormFrp is a tool that acts as a proxy tunneling utility, derived from the fast reverse proxy (frp) tool used by Webworm. This enhanced version of frp retrieves its configuration from a compromised Amazon S3 bucket, wamanharipethe.s3.ap-south-1.amazonaws[.]com.

The compromised S3 bucket houses AES encrypted files with .txt extensions, encrypted in ECB mode. Each instance of WormFrp is assigned a unique AES key to fetch a specific file from the S3 bucket, updating its configuration during runtime to report back to the operator.

To operate, WormFrp requires a command line argument. Once configured, it establishes connections to an frp server, creating a reverse proxy and TCP SOCKS5 proxy with randomly generated username and password combinations.

ChainWorm

ChainWorm is another custom proxy tool used by Webworm to expand its network infrastructure. This tool facilitates the chaining of proxies by opening a port on the host machine, enabling specifically crafted data to be sent through the port to connect to remote systems for multiple hops.

Typically, ChainWorm sets a hardcoded port on the host machine to establish TCP connections for receiving transmissions that lead to outbound connections to remote systems. By connecting to each hop in the chain using the provided hostname and port, data is forwarded through the chain.

SmuxProxy

SmuxProxy is derived from iox, a tool for port forwarding and intranet proxying, with added functionalities for hardcoded server IP addresses and ports. This tool simplifies deployment for operators by generating random keys and initialization vectors for encrypted communications.

WormSocket

WormSocket is a proxy tool that utilizes servers running socket.io for web request proxying. It offers a configurable and scalable proxy network, allowing interactions with specific nodes at any given time.

Configuration for WormSocket involves both hardcoded values and command line arguments, with optional parameters for basic authentication URIs. Upon startup, WormSocket connects to predefined IP addresses and ports using various schemes, spawning asynchronous tasks for message handling. Table 3 provides detailed descriptions of the four possible message types. These message types include:
1. InitiateForwarderClientReq
2. InitiateForwarderClientRep
3. SendDataMessage
4. CheckInMessage

Each message type has specific values and descriptions associated with it. These messages are used in a communication protocol to facilitate the exchange of data between different components. If you have any questions about this service, feel free to check out the ESET Threat Intelligence page for more information.

IoCs

If you’re looking for a complete list of indicators of compromise (IoCs) and samples, head over to our GitHub repository.

Files

Check out the table below for details on specific files:


SHA-1 Filename Detection Description
CB4E50433336707381429707F59C3CBE8D497D98 SearchApp.exe WinGo/Agent.ZK EchoCreep backdoor using Discord for C&C.

Network

Explore the network details in the table below:


IP Domain Hosting provider First seen Details
N/A wamanharipethe.s3.ap-south-1.amazonaws[.]com N/A 2025-04-14 Compromised S3 for frp configurations and data exfiltration.

MITRE ATT&CK techniques

Delve into the MITRE ATT&CK techniques in the table below:


Tactic ID Name Description
Reconnaissance T1595.002 Active Scanning: Vulnerability Scanning Webworm utilized the open-source vulnerability scanner nuclei against targets.

For more details and insights, make sure to visit the ESET Threat Intelligence page. Stay informed and stay protected!

Rewrite the given sentence with the correct grammar. Rewrite the given sentence, please.

Leave a Reply

Your email address will not be published. Required fields are marked *