Webworm Chinese APT adds EchoCreep (Discord C2) and GraphWorm (MS Graph API C2) backdoors, targets European governments
ESET has documented the Chinese-aligned threat actor Webworm adding two new custom backdoors to its toolset: EchoCreep, which uses a Discord channel for command-and-control, and GraphWorm, which routes C2 through the Microsoft Graph API and uploads exfiltrated files to OneDrive. Webworm stages its tools from a GitHub repository disguised as a WordPress fork and has been observed targeting government organizations in Belgium, Italy, Serbia, Poland and Spain, as well as a university in South Africa. The earliest EchoCreep Discord commands date to March 21, 2024; about 433 messages have been sent through the channel. The initial access vector is still unclear, but the dirsearch and nuclei scanning tools appear in the activity.
- Check
  - Search outbound traffic and EDR logs for connections to Discord webhook and CDN domains and to Microsoft Graph API endpoints from hosts that have no business reason to reach them. Look for SoftEther VPN binaries on European government endpoints.
- Affected
  - Government organizations in Belgium, Italy, Serbia, Poland and Spain, and a South African university, the targets ESET attributes to Webworm. The Graph and Discord C2 patterns also apply to other Chinese APTs.
- Fix
  - Block the Webworm GitHub staging repository and the ESET-published IoCs. Restrict outbound Discord and Graph API usage where there is no legitimate business need. Hunt for dirsearch and nuclei scan signatures.