ESET has documented Chinese-aligned threat actor Webworm adding two new custom backdoors to its toolset: EchoCreep, which uses a Discord channel for command-and-control, and GraphWorm, which routes C2 through the Microsoft Graph API and uploads exfiltrated files to OneDrive. Webworm is staging tools out of a GitHub repository disguised as a WordPress fork and has been observed targeting government organizations in Belgium, Italy, Serbia, Poland, Spain, and a university in South Africa. The earliest EchoCreep Discord commands date to March 21, 2024; about 433 messages have been sent through the channel. Initial access is still unclear, but dirsearch and nuclei are involved.
ESET disclosed GopherWhisper, a previously undocumented China-linked spy group active since at least November 2023 and targeting Mongolian government systems. The group's defining trick: instead of building its own command-and-control servers, it sends instructions through ordinary cloud services - private Slack channels, Discord servers, Outlook draft email folders, and the file.io file-sharing service. Because the malware traffic looks like normal Slack and Discord usage, network monitoring tools largely ignore it. ESET extracted thousands of operator messages from the attackers' own Slack and Discord workspaces, and even found a 'How to write RATs.txt' file in their Downloads folder.
Backfill from April 21: Anthropic confirmed an unauthorized Discord group quietly accessed Mythos - the company's most powerful AI cybersecurity tool, restricted to about 40 vetted partners including Apple, Microsoft, and Google. The group got in on the same day Mythos was announced (April 7) by piggybacking on a member who works at one of Anthropic's third-party contractors, then guessed the model's URL based on naming patterns from previously leaked information. Anthropic says the group used Mythos to build websites, not for attacks - but they had quiet access for two weeks. Mozilla used Mythos to find and patch 271 Firefox bugs.