Bottom line: Chinese-aligned hacker group Webworm is arming itself in 2025 with two new backdoors: EchoCreep leverages Discord, while GraphWorm uses Microsoft’s Graph API for command-and-control communications. The group is increasingly targeting European entities and using legitimate tools for obfuscation.
Cybersecurity firm ESET warns of new activity from Chinese-aligned hacker group Webworm, which is deploying custom-built backdoors in 2025. The new backdoors EchoCreep and GraphWorm use Discord and Microsoft’s Graph API for command-and-control communications.
Webworm, first documented in September 2022 and active since at least 2022, targets government agencies and enterprises in Russia, Georgia, Mongolia and other Asian countries – particularly in the IT services, aerospace and electricity sectors.
The group has previously overlapped with other China-aligned hacker groups such as FishMonger and SixLittleMonkeys and used known remote access trojans such as Trochilus RAT and Gh0st RAT. However, Webworm is evolving: in 2025, the group has added two new backdoors – EchoCreep with Discord C2 communications and GraphWorm, which leverages Microsoft’s Graph API.
The attackers use a GitHub repository with WordPress branding (“github[.]com/anjsdgasdf/WordPress”) as a staging area for malware and tools such as SoftEther VPN to stay below the radar. In parallel, the group has shifted away from traditional backdoors toward legitimate utilities such as SOCKS proxies and is increasingly focusing on European targets, including government organizations in Belgium, Italy, Serbia, Poland and Spain.
EchoCreep supports file upload/download and command execution via cmd.exe. GraphWorm is a more advanced backdoor that can launch new cmd.exe sessions, execute processes, and upload files to and download files from Microsoft OneDrive. Analysis shows that Discord commands have been sent since March 2024 – a total of 433 messages on the C2 server. How exactly the backdoors are distributed remains unclear, but Webworm uses open-source tools such as dirsearch and nuclei to brute-force web servers.
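The defensive takeaway from the C2 design described above (Discord and Microsoft Graph as command channels, GitHub as a staging area) is that the destinations themselves are legitimate, so detection has to key on which process is talking to them rather than on the destination alone. The script below is an added example, not ESET's or the article's code: it scans web-proxy log lines in a constructed, simplified format (`timestamp host process method url`), classifies each request by SaaS endpoint, and alerts when the client process is not on an assumed allow-list of expected clients for that service. The allow-lists, hostnames, process names and the sample log are all assumptions for illustration and would be replaced with what is normal in a given environment.

```python
"""Flag C2-style traffic that hides behind legitimate SaaS endpoints.

Added example, not code from ESET or the Webworm report. Log format is a
constructed, simplified proxy record:

    <ISO timestamp> <host> <process> <method> <url>
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlparse

# ASSUMPTION: processes expected to talk to each service. Tune per estate.
EXPECTED_CLIENTS = {
    "discord": {"discord.exe"},
    "graph": {"outlook.exe", "teams.exe", "ms-teams.exe", "onedrive.exe", "msedge.exe"},
    "github": {"git.exe", "code.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
}


def classify(url: str) -> Optional[str]:
    """Map a URL to the SaaS service it belongs to, or None if uninteresting."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path
    # Discord bot/webhook/channel traffic goes through the /api/ prefix.
    if host in ("discord.com", "discordapp.com") and path.startswith("/api/"):
        return "discord"
    # Microsoft Graph: OneDrive, mail, Teams and many other M365 resources.
    if host == "graph.microsoft.com":
        return "graph"
    # Raw file fetches from GitHub are a common staging/download pattern.
    if host in ("github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"):
        return "github"
    return None


@dataclass(frozen=True)
class Alert:
    host: str
    process: str
    service: str
    url: str


def parse_line(line: str) -> Optional[Tuple[str, str, str, str, str]]:
    """Split one log line into its five fields; return None for malformed lines."""
    parts = line.strip().split(None, 4)
    if len(parts) != 5:
        return None
    timestamp, host, process, method, url = parts
    return timestamp, host, process.lower(), method.upper(), url


def scan(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per request to a SaaS API from an unexpected process."""
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed records rather than crash
        _, host, process, _, url = rec
        service = classify(url)
        if service is None:
            continue
        if process not in EXPECTED_CLIENTS[service]:
            alerts.append(Alert(host=host, process=process, service=service, url=url))
    return alerts


def request_counts(lines: Iterable[str]) -> Dict[Tuple[str, str, str], int]:
    """Count requests per (host, process, service) so high-volume beaconing stands out."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _, host, process, _, url = rec
        service = classify(url)
        if service is not None:
            counts[(host, process, service)] += 1
    return dict(counts)


# Constructed sample log; hostnames, processes and identifiers are placeholders.
SAMPLE_LOG = """\
2025-03-02T08:14:05Z WS-0417 svchost.exe GET https://discord.com/api/v9/channels/CHANNEL_ID_PLACEHOLDER/messages
2025-03-02T08:14:09Z WS-0417 svchost.exe POST https://discord.com/api/v9/channels/CHANNEL_ID_PLACEHOLDER/messages
2025-03-02T08:15:01Z WS-0212 discord.exe GET https://discord.com/api/v9/users/@me
2025-03-02T09:02:33Z SRV-FILE01 rundll32.exe GET https://graph.microsoft.com/v1.0/me/drive/root/children
2025-03-02T09:02:40Z SRV-FILE01 rundll32.exe PUT https://graph.microsoft.com/v1.0/me/drive/root:/report.zip:/content
2025-03-02T09:03:10Z WS-0212 outlook.exe GET https://graph.microsoft.com/v1.0/me/messages
2025-03-02T10:20:00Z WS-0417 powershell.exe GET https://raw.githubusercontent.com/EXAMPLE-USER/WordPress/main/tool.zip
2025-03-02T10:21:00Z WS-0212 git.exe GET https://github.com/EXAMPLE-ORG/project.git/info/refs
2025-03-02T10:22:00Z WS-0212 chrome.exe GET https://www.example.com/
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(f"ALERT {alert.host} {alert.process} -> {alert.service}: {alert.url}")
    for key, n in sorted(request_counts(SAMPLE_LOG.splitlines()).items()):
        print(f"COUNT {key}: {n}")
```

On the sample log, `scan` flags the `svchost.exe` and `rundll32.exe` requests to Discord and Graph and the `powershell.exe` fetch from GitHub, while the same endpoints reached by `discord.exe`, `outlook.exe` and `git.exe` pass. `request_counts` is the companion view: a host that has produced hundreds of Discord API calls from a system process, in line with the message volume reported above, will stand out even before the allow-list is tuned.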