Webworm APT

Cybersecurity researchers have identified renewed operations linked to the China-aligned threat group known as Webworm, highlighting the deployment of sophisticated custom backdoors that abuse Discord and the Microsoft Graph API for Command-and-Control (C2) communications. The latest activity reflects a broader evolution in the group's operational strategy, emphasizing stealth, proxy-based infrastructure, and the misuse of legitimate platforms to evade detection.

A Persistent Threat Targeting Critical Sectors

Publicly documented for the first time in September 2022, Webworm is believed to have been active since at least that year. The group has consistently targeted government institutions and enterprise organizations operating in sectors such as IT services, aerospace, and electric power. Victims have been identified across Russia, Georgia, Mongolia, and several Asian countries.

The threat actor has historically relied on remote access trojans including Trochilus RAT, Gh0st RAT, and 9002 RAT, also known as Hydraq or McRat. Security analysts have also linked the group's activity to several China-associated clusters, including FishMonger, SixLittleMonkeys, and Space Pirates. Among these, SixLittleMonkeys gained attention for using Gh0st RAT and the Mikroceen malware family against entities in Central Asia, Belarus, Russia, and Mongolia.

Shift Toward Stealthier Operations

Over the past two years, Webworm has gradually moved away from traditional malware frameworks in favor of stealth-oriented proxy utilities and semi-legitimate networking tools. The transition appears designed to reduce detection risks while maintaining persistent access within compromised environments.

In 2025, the group introduced two newly identified backdoors into its arsenal:

- EchoCreep, which leverages Discord for command-and-control operations and supports file transfers alongside remote command execution through cmd.exe.
- GraphWorm, a more advanced implant that communicates through the Microsoft Graph API and enables operators to create new cmd.exe sessions, launch processes, upload and download files through Microsoft OneDrive, and terminate its own execution upon receiving operator instructions.
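Both backdoors share a detectable shape: a process that is not a real Discord or Microsoft 365 client contacts discord.com or graph.microsoft.com, and then spawns cmd.exe. The script below is an added defender-side example, not code from the article or from any vendor's tooling; it triages a constructed set of Sysmon-style process-create and network-connect events (the field names `type`, `pid`, `image`, `dest_host`, `parent_pid` and `parent_image` are an assumed simplification) and grades each process that talks to those services.

```python
"""Triage endpoint telemetry for EchoCreep-style (Discord) and GraphWorm-style
(Microsoft Graph API) C2 behaviour. Added example for defenders; not code from
the article. Event shape is an assumed simplification of Sysmon process-create
and network-connect records, and every record below is constructed sample data."""

from collections import defaultdict

# Service endpoints the article says the backdoors abuse. Contact with them is
# normal for genuine Discord / Microsoft 365 clients, so the signal is *which*
# image contacts them and whether it then spawns cmd.exe, which both implants
# are described as doing.
C2_SERVICES = {
    "discord.com": "discord",
    "gateway.discord.gg": "discord",
    "cdn.discordapp.com": "discord",
    "graph.microsoft.com": "graph",
    "login.microsoftonline.com": "graph",
}

# Images expected to talk to these services directly (assumed baseline; tune per estate).
EXPECTED_CLIENTS = {"discord.exe", "teams.exe", "outlook.exe", "onedrive.exe",
                    "msedge.exe", "chrome.exe", "firefox.exe"}

# Constructed sample events (paths and pids are invented for the example).
SAMPLE_EVENTS = [
    {"type": "net", "pid": 4120, "image": r"C:\Users\Public\update.exe", "dest_host": "discord.com"},
    {"type": "proc", "parent_pid": 4120, "parent_image": r"C:\Users\Public\update.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "net", "pid": 5200, "image": r"C:\Program Files\Discord\Discord.exe", "dest_host": "gateway.discord.gg"},
    {"type": "net", "pid": 6300, "image": r"C:\ProgramData\sync\gw.exe", "dest_host": "login.microsoftonline.com"},
    {"type": "net", "pid": 6300, "image": r"C:\ProgramData\sync\gw.exe", "dest_host": "graph.microsoft.com"},
    {"type": "proc", "parent_pid": 6300, "parent_image": r"C:\ProgramData\sync\gw.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "net", "pid": 7400, "image": r"C:\Program Files\Google\Chrome\chrome.exe", "dest_host": "graph.microsoft.com"},
    {"type": "net", "pid": 8000, "image": r"C:\Windows\Temp\a.exe", "dest_host": "cdn.discordapp.com"},
]


def image_name(path):
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return one finding per process that contacted a C2-capable service:
    'high' if it also spawned cmd.exe, 'medium' if it is merely an unexpected
    client. Expected clients without a cmd.exe child are not reported."""
    services_by_pid = defaultdict(set)
    image_by_pid = {}
    children_by_pid = defaultdict(set)
    for ev in events:
        if ev["type"] == "net":
            service = C2_SERVICES.get(ev["dest_host"].lower())
            if service:
                services_by_pid[ev["pid"]].add(service)
                image_by_pid[ev["pid"]] = image_name(ev["image"])
        elif ev["type"] == "proc":
            children_by_pid[ev["parent_pid"]].add(image_name(ev["image"]))

    findings = []
    for pid in sorted(services_by_pid):
        image = image_by_pid[pid]
        spawned_shell = "cmd.exe" in children_by_pid[pid]
        if spawned_shell:
            severity = "high"
        elif image not in EXPECTED_CLIENTS:
            severity = "medium"
        else:
            continue  # known client, no shell: expected behaviour
        findings.append({"pid": pid, "image": image,
                         "services": sorted(services_by_pid[pid]),
                         "spawned_cmd": spawned_shell, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        tail = " (spawned cmd.exe)" if f["spawned_cmd"] else ""
        print(f"[{f['severity']}] pid={f['pid']} {f['image']} -> {','.join(f['services'])}{tail}")
```

The expected-client list is deliberately a baseline rather than an allowlist: a browser that spawns cmd.exe after talking to graph.microsoft.com is still graded high, because the shell-spawn is the behaviour the article attributes to both implants.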

Researchers also observed the use of a GitHub repository masquerading as a WordPress fork to host malware payloads and utilities such as SoftEther VPN. This tactic allows malicious infrastructure to blend into legitimate development activity, complicating detection efforts. The use of SoftEther VPN aligns with methods previously adopted by multiple Chinese cyber-espionage groups.

Expanding Geographic Reach and Proxy Infrastructure

Webworm's recent campaigns demonstrate an increasing focus on European targets, including government organizations in Belgium, Italy, Serbia, Poland, and Spain, as well as a university located in South Africa.

At the same time, the threat actor appears to be phasing out older malware families such as Trochilus and 9002 RAT in favor of custom proxy frameworks and tunneling tools. Additional utilities associated with the group include iox, WormFrp, ChainWorm, SmuxProxy, and WormSocket. Investigators found that WormFrp retrieves configuration data from a compromised Amazon S3 bucket.

These proxy tools are engineered to encrypt communications and support chained connections across internal and external systems, enabling attackers to route traffic through multiple hosts while concealing operational activity. Analysts believe these tools are frequently combined with SoftEther VPN to further obscure attacker movements and improve persistence.
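Chained proxies leave a structural trace in flow data even when their payload is encrypted: an internal host that accepts connections from another internal host and, in turn, opens connections outward. The script below is an added defender-side example, not code from the article or from any vendor; it walks constructed flow records in an assumed `(src_ip, dst_ip, dst_port)` shape, as one might export from NetFlow or a Zeek conn log, and reports chains of internal hosts that end at an external address. It goes slightly beyond the text by reporting chains of arbitrary depth rather than a single relay.

```python
"""Find internal hosts that relay traffic towards the internet, the pattern the
article describes for Webworm's chained proxy tools (iox, WormFrp, ChainWorm,
SmuxProxy, WormSocket). Added defender-side example, not code from the article;
flow records are constructed samples in an assumed (src_ip, dst_ip, dst_port)
shape. Only RFC 1918 ranges count as internal."""

import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows; external addresses are from documentation ranges.
SAMPLE_FLOWS = [
    ("10.0.1.15", "10.0.2.40", 8443),    # workstation -> internal server
    ("10.0.2.40", "10.0.3.7", 4443),     # that server -> another internal host
    ("10.0.3.7", "203.0.113.10", 443),   # which finally reaches the internet
    ("10.0.1.20", "10.0.5.5", 445),      # SMB to a file server, no onward hop
    ("10.0.1.15", "198.51.100.9", 443),  # direct egress: one host, not a relay
    ("10.0.4.4", "10.0.9.9", 3389),      # RDP to a host that then egresses
    ("10.0.9.9", "192.0.2.77", 443),
]

# Assumed sanctioned egress (corporate proxy); chains through it are expected.
KNOWN_EGRESS = {"10.0.0.3"}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_relay_chains(flows, min_internal_hosts=2):
    """Return chains origin -> relay(s) -> external destination in which at
    least `min_internal_hosts` internal hosts precede the external one, so a
    plain client egress (one internal host) is never reported."""
    edges = defaultdict(list)
    has_internal_inbound = set()
    for src, dst, port in flows:
        if src in KNOWN_EGRESS or dst in KNOWN_EGRESS:
            continue
        edges[src].append((dst, port))
        if is_internal(src) and is_internal(dst):
            has_internal_inbound.add(dst)

    # Start only from hosts no internal peer connects to, so each chain is
    # reported once from its origin rather than once per suffix.
    roots = sorted(h for h in edges if is_internal(h) and h not in has_internal_inbound)
    chains = []

    def walk(host, path, ports):
        for nxt, port in edges.get(host, ()):
            if nxt in path:
                continue  # cycle guard
            if is_internal(nxt):
                walk(nxt, path + [nxt], ports + [port])
            elif len(path) >= min_internal_hosts:
                chains.append({"path": path + [nxt], "ports": ports + [port]})

    for root in roots:
        walk(root, [root], [])
    return sorted(chains, key=lambda c: c["path"])


if __name__ == "__main__":
    for chain in find_relay_chains(SAMPLE_FLOWS):
        hops = " -> ".join(f"{h}:{p}" for h, p in zip(chain["path"][1:], chain["ports"]))
        print(f"{chain['path'][0]} -> {hops}")
```

Chains through a known jump host or proxy are suppressed by the allowlist; everything else is a triage candidate rather than a verdict, since legitimate jump-host workflows produce the same shape. Raising `min_internal_hosts` restricts output to deeper chains.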

Discord-Based Command Activity Reveals Operational Scale

Analysis of the Discord infrastructure used by EchoCreep revealed that command traffic dates back to at least March 21, 2024. Researchers identified 433 messages transmitted through the malicious Discord-based C2 environment, impacting more than 50 unique targets.

Although the precise initial access method remains unknown, investigators discovered that Webworm operators actively employ open-source reconnaissance and exploitation tools such as dirsearch and nuclei. These utilities are used to brute-force web server directories, identify exposed files, and scan for exploitable vulnerabilities.
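Directory brute-forcing of the kind the article attributes to dirsearch and nuclei is loud in web server logs: one source requesting many distinct paths that do not exist, in a short window. The script below is an added defender-side example, not code from the article; it parses constructed Apache combined-format log lines and flags source addresses whose burst of 404 responses across distinct paths exceeds assumed thresholds, which should be tuned to a site's normal 404 rate.

```python
"""Flag source IPs whose access-log behaviour matches directory brute-forcing:
many distinct paths returning 404 inside a short window. Added defender-side
example, not code from the article. Log lines are constructed in Apache
combined format; the window and thresholds are assumptions to tune per site."""

import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample log: one scanner-like burst and one ordinary visitor.
SAMPLE_LOG = """\
198.51.100.23 - - [10/Mar/2025:12:00:01 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2025:12:00:01 +0000] "GET /backup/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2025:12:00:02 +0000] "GET /old/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2025:12:00:02 +0000] "GET /test/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2025:12:00:03 +0000] "GET /config/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2025:12:00:03 +0000] "GET /dev/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2025:12:00:04 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2025:12:00:05 +0000] "GET /about HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2025:12:00:05 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
""".splitlines()


def parse(line):
    """Return (ip, timestamp, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)


def scan_access_log(lines, window_s=60, min_404=5, min_paths=5):
    """Return {ip: summary} for sources with at least `min_404` not-found
    responses on at least `min_paths` distinct paths within `window_s` seconds.
    User-Agent is deliberately ignored: scanners set it to anything they like."""
    misses = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[3] == 404:
            ip, ts, path, _ = rec
            misses[ip].append((ts, path))

    flagged = {}
    for ip, events in misses.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            window = [e for e in events[i:] if (e[0] - start).total_seconds() <= window_s]
            paths = {p for _, p in window}
            if len(window) >= min_404 and len(paths) >= min_paths:
                best = flagged.get(ip)
                if best is None or len(window) > best["not_found"]:
                    flagged[ip] = {"not_found": len(window), "distinct_paths": len(paths),
                                   "first_seen": start.isoformat()}
    return flagged


if __name__ == "__main__":
    for ip, info in scan_access_log(SAMPLE_LOG).items():
        print(f"{ip}: {info['not_found']} x 404 on {info['distinct_paths']} paths from {info['first_seen']}")
```

Counting distinct paths, not just 404s, is what separates a scanner from a visitor whose browser keeps retrying one missing asset; the single favicon miss above is never flagged.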

Weak Evidence Linking Webworm to Space Pirates

Despite certain operational similarities, researchers caution that the connection between Webworm and the Space Pirates cluster remains inconclusive. Current overlap appears limited primarily to the use of publicly available RATs and shared tooling patterns, with insufficient evidence to establish a definitive relationship between the two threat groups.
