Webworm, a China-aligned threat actor active since at least 2022, has expanded its 2025 toolkit with the EchoCreep and GraphWorm backdoors, which use Discord and the Microsoft Graph API for stealthy C2 communications. The group continues targeting government and enterprise victims across Asia and Europe while relying on custom proxies, SoftEther VPN, and shared tools like dirsearch and nuclei to hide activity and expand access. #Webworm #EchoCreep #GraphWorm #SoftEtherVPN
Key points
- Webworm added EchoCreep and GraphWorm to its 2025 toolset.
- EchoCreep uses Discord for command-and-control communications.
- GraphWorm uses the Microsoft Graph API and can work with OneDrive.
- The group targets governments and enterprises in Asia and Europe.
- Cisco Talos also reported a BadIIS MaaS offering with SEO fraud features.
Read More: https://thehackernews.com/2026/05/webworm-deploys-echocreep-and-graphworm.html