Webworm: New burrowing techniques
ESET researchers tracked Webworm, a China-aligned APT group that shifted from Asia to Europe in 2025 and expanded its toolkit with Discord-based EchoCreep and Microsoft Graph API-based GraphWorm backdoors. The group also relied on GitHub staging, custom proxy tools, and compromised cloud infrastructure such as an Amazon S3 bucket to support spying, exfiltration, and multi-hop proxying. #Webworm #EchoCreep #GraphWorm #SoftEtherVPN #MicrosoftGraphAPI #Discord #GitHub #AmazonS3

Keypoints

  • Webworm is a China-aligned APT group active since at least 2022 and has continuously changed its TTPs.
  • The group shifted its targeting from Asia toward Europe in 2025, including government entities in Belgium, Italy, Serbia, and Poland, plus a university in South Africa.
  • Webworm added two new backdoors in 2025: EchoCreep, which uses Discord for C&C, and GraphWorm, which uses Microsoft Graph API and OneDrive.
  • The operators staged tools and malware in GitHub repositories, including a forked WordPress repo used as a delivery point for artifacts.
  • Researchers decrypted more than 400 Discord messages and found reconnaissance activity against more than 50 unique targets.
  • Webworm used a compromised Amazon S3 bucket to retrieve configurations and exfiltrate victim data, including files taken from government environments.
  • The group increasingly uses legitimate or semi-legitimate proxy tooling, including SoftEther VPN, frp, iox, and custom tools such as WormFrp, ChainWorm, SmuxProxy, and WormSocket.

MITRE Techniques

  • [T1595.002] Active Scanning: Vulnerability Scanning – Webworm used nuclei to scan targets for vulnerabilities (‘used the open-source vulnerability scanner nuclei against targets’).
  • [T1595.003] Active Scanning: Wordlist Scanning – Webworm used dirsearch for directory brute forcing and web path discovery (‘used dirsearch, which leverages wordlists, to perform web directory scanning on targets’).
  • [T1588.006] Obtain Capabilities: Vulnerabilities – The group used publicly available exploit code for post-authentication RCE (‘used publicly available exploit code for post-authentication remote code execution’).
  • [T1583.004] Acquire Infrastructure: Server – Webworm’s proxy and WebSocket servers were hosted on cloud infrastructure (‘Servers for WormFrp, SmuxProxy, and WormSocket are hosted on cloud services’).
  • [T1583.003] Acquire Infrastructure: Virtual Private Server – The group used SoftEther VPN servers hosted on cloud services (‘SoftEther VPN servers that have been seen hosted on Vultr cloud services’).
  • [T1584.006] Compromise Infrastructure: Web Services – Webworm compromised S3 buckets and used web services for footholds (‘seen compromising S3 buckets as well as using tools like nuclei to find footholds’).
  • [T1608.002] Stage Capabilities: Upload Tool – The group staged tools in GitHub for direct download (‘staged tools in its GitHub repo for direct download onto compromised systems’).
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – EchoCreep and GraphWorm executed operator commands through cmd.exe (‘both use the Windows command line to execute operator commands’).
  • [T1053.005] Scheduled Task/Job: Scheduled Task – EchoCreep was run through a custom scheduled task (‘executed under the custom-created MicrosoftSSHUpdate scheduled task’).
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – GraphWorm achieved persistence via Run keys (‘persists by making updates to registry Run keys’).
  • [T1070.004] Indicator Removal: File Deletion – GraphWorm removed a beacon file after upload (‘cleans up a created beacon file after successful upload’).
  • [T1112] Modify Registry – GraphWorm modified registry Run keys (‘makes modifications to registry Run keys for persistence’).
  • [T1027.013] Obfuscated Files or Information: Encrypted/Encoded File – EchoCreep and GraphWorm hid data with encryption and encoding (‘use encryption and encoding techniques to obfuscate data’).
  • [T1550.001] Use Alternate Authentication Material: Application Access Token – The backdoors used API keys to communicate with C&C infrastructure (‘use API keys to communicate with the C&C infrastructure’).
  • [T1078.004] Valid Accounts: Cloud Accounts – GraphWorm used a valid cloud account for Microsoft Graph access (‘uses a valid cloud account to access Microsoft Graph APIs’).
  • [T1070.006] Indicator Removal: Timestomp – EchoCreep altered timestamp attributes (‘contains a modified timestamp attribute’).
  • [T1021.007] Remote Services: Cloud Services – Webworm used a compromised S3 bucket as a remote file staging service (‘use as a file staging zone’).
  • [T1005] Data from Local System – EchoCreep and GraphWorm collected data from infected hosts (‘can collect data from the local system’).
  • [T1074.001] Data Staged: Local Data Staging – GraphWorm staged beacon files locally before upload (‘stages a beacon file locally before uploading’).
  • [T1074.002] Data Staged: Remote Data Staging – GraphWorm staged tasks and files in OneDrive (‘stages files and tasks within OneDrive via the Microsoft Graph API’).
  • [T1071.001] Application Layer Protocol: Web Protocols – The backdoors and WormSocket used HTTP and WebSocket traffic (‘make use of HTTP and the WebSocket protocol’).
  • [T1132.001] Data Encoding: Standard Encoding – The tools used base64 encoding (‘make use of base64 encoding’).
  • [T1573.002] Encrypted Channel: Symmetric Cryptography – EchoCreep, GraphWorm, WormSocket, and WormFrp used AES for encryption (‘use AES in some capacity’).
  • [T1090.003] Proxy: Multi-hop Proxy – WormSocket and ChainWorm supported multi-hop proxying (‘create multiple proxy hops’).
  • [T1090.002] Proxy: External Proxy – Multiple tools connected to external proxies (‘have the capability to connect to external proxies’).
  • [T1090.001] Proxy: Internal Proxy – ChainWorm and WormSocket could create internal proxies (‘can create internal proxies’).
  • [T1102.002] Web Service: Bidirectional Communication – EchoCreep and GraphWorm used Discord and Microsoft Graph for C&C (‘use Discord and the Microsoft Graph API for C&C infrastructure’).
  • [T1041] Exfiltration Over C2 Channel – The backdoors exfiltrated data through their C&C channels (‘exfiltrate data to their respective C&C infrastructures’).
  • [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage – GraphWorm exfiltrated data to OneDrive (‘exfiltrates data to OneDrive via the Microsoft Graph API’).

Indicators of Compromise

  • [SHA-1] Malware samples associated with EchoCreep, WormFrp, WormSocket, GraphWorm, SmuxProxy, and related tooling – CB4E50433336707381429707F59C3CBE8D497D98, 1DF40A4A31B30B62EC33DC6FECC2C4408302ADC7, and 4 other hashes
  • [Filename] Staged or deployed binaries and tools – SearchApp.exe, C2OverOneDrive_v0316.exe, and 4 other filenames
  • [Domain] Compromised S3 bucket used as a staging/exfiltration endpoint – wamanharipethe.s3.ap-south-1.amazonaws[.]com, whpjewellers.s3.amazonaws[.]com
  • [IP Address] Proxy and infrastructure servers used by Webworm – 64.176.85[.]158, 45.77.13[.]67, and 3 other IPs
  • [GitHub Repository] File-staging repository used by the group – https://github[.]com/anjsdgasdf/WordPress
  • [Cloud Service Path] OneDrive and Microsoft Graph C&C staging paths – /createUploadSession, /me/drive/root:///:content
  • [File Name] Retrieved or exfiltrated artifacts and operator files – beacon_shell_output.txt, config.dat, and 2 other files
  • [Tool / Script Name] Reconnaissance and exploit artifacts found on operator hosts – _1.sh, SharpSecretsdump
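As an added defender-side example (not code from the ESET report or from the Webworm toolset), the following Python check scans proxy log lines for Microsoft Graph drive requests, such as the /createUploadSession and /me/drive/root: paths listed above, coming from processes that are not expected to talk to OneDrive. The log format, the process allowlist and the sample log lines are constructed assumptions; the process and file names in the sample are taken from the indicator list.

```python
import re
from typing import Dict, List, Optional

# Constructed proxy-log format (assumption, not a real product's format):
# "<timestamp> <host> <process> <method> <url_host> <url_path>"
SAMPLE_LOG = """\
2025-03-16T09:12:01Z ws-fin-07 OneDrive.exe PUT graph.microsoft.com /v1.0/me/drive/root:/Reports/q1.xlsx:/content
2025-03-16T09:14:33Z ws-fin-07 SearchApp.exe POST graph.microsoft.com /v1.0/me/drive/root:/beacon_shell_output.txt:/createUploadSession
2025-03-16T09:14:35Z ws-fin-07 SearchApp.exe GET graph.microsoft.com /v1.0/me/drive/root:/config.dat:/content
2025-03-16T09:20:10Z ws-hr-02 msedge.exe GET graph.microsoft.com /v1.0/me
2025-03-16T09:25:44Z ws-fin-07 C2OverOneDrive_v0316.exe PUT graph.microsoft.com /v1.0/me/drive/root:/tasks:/content
"""

GRAPH_HOST = "graph.microsoft.com"
# Path fragments from the IoC list that GraphWorm uses for OneDrive staging.
DRIVE_PATH_MARKERS = ("/createUploadSession", "/me/drive/root:")
# Assumed allowlist: processes that legitimately use the Graph drive API in this environment.
EXPECTED_PROCESSES = {"onedrive.exe", "msedge.exe", "chrome.exe", "teams.exe", "outlook.exe"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one constructed log line into named fields; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, method, url_host, path = m.groups()
    return {"ts": ts, "host": host, "process": proc, "method": method,
            "url_host": url_host, "path": path}


def find_graph_staging(log_text: str) -> List[Dict[str, str]]:
    """Return Graph drive requests made by processes outside the allowlist."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["url_host"].lower() != GRAPH_HOST:
            continue
        if not any(marker in rec["path"] for marker in DRIVE_PATH_MARKERS):
            continue  # e.g. /v1.0/me profile lookups are not drive staging
        if rec["process"].lower() in EXPECTED_PROCESSES:
            continue
        rec["reason"] = ("upload session" if "/createUploadSession" in rec["path"]
                         else "drive root content")
        hits.append(rec)
    return hits


def hits_by_process(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged requests per (host, process) to surface the noisiest offenders."""
    counts: Dict[str, int] = {}
    for h in hits:
        key = f"{h['host']}:{h['process']}"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for h in find_graph_staging(SAMPLE_LOG):
        print(h["ts"], h["host"], h["process"], h["reason"], h["path"])
```

Pairing a flagged upload session with a Run-key change or a scheduled task on the same host, both of which the report lists under persistence, raises confidence well above what the single proxy hit gives.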


Read more: https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques/