Cyber Web Spider Blog – News

GraphWorm Malware Utilizes OneDrive for Stealthy Control

Posted on May 20, 2026 By CWS

A China-aligned threat group has added a new tool, GraphWorm, to its arsenal: a backdoor that abuses Microsoft OneDrive as its command-and-control (C2) channel. Because every request is HTTPS to a widely trusted cloud service, the malware's traffic blends into the ordinary OneDrive activity most organizations already generate, which makes it hard to separate from legitimate use at the network perimeter.

Webworm: The Group Behind GraphWorm

The group, known as Webworm, has been active since 2017 and has expanded from Asia into Europe, with targets in Belgium, Italy, Serbia, and Poland. Recent activity also includes a university in South Africa, showing that its scope keeps widening. Its tooling has moved from well-known backdoors such as McRat and Trochilus to custom-built implants designed for stealth.

WeLiveSecurity, in collaboration with Cyber Security News, reported these developments, which mark Webworm's shift toward stealthier methods. Alongside GraphWorm, the group's current toolset includes Choreerp, a Discord-based backdoor. Both implants route C2 through a legitimate third-party service rather than attacker-controlled servers, which points to a deliberate change of approach rather than a one-off choice.

Stealthy Operations with GraphWorm

GraphWorm is written in Go and communicates only through Microsoft's Graph API, the same REST interface that legitimate OneDrive clients use, so all of its C2 traffic is HTTPS to Microsoft-operated endpoints and looks like ordinary cloud sync on the wire. For each compromised host the implant creates a dedicated OneDrive folder that holds the files it transfers, the job instructions it polls for, and the output of the commands it has run, so each victim's data stays separated and the operators can task hosts independently. For defenders this means blocking by destination is rarely an option; the useful signals are which process on the host is calling Graph, which account or tenant it authenticates to, and whether its request pattern looks like a polling loop rather than a user's sync activity.
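The per-host folder, job-file and result-file pattern described above has a direct detection consequence: since the destination is graph.microsoft.com either way, the question becomes which process is making OneDrive calls and how often. The Go program below is an added example written for this article; it is not code from the article, from the researchers who analyzed GraphWorm, or from the malware itself. It runs over constructed endpoint-egress records (the hostnames, process names and folder paths are invented for the example; the allowlist of processes expected to call Graph is an assumption to be baselined per environment) and flags drive-API calls made by processes that are not expected OneDrive clients.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// GraphRequest is one egress record as an EDR agent or a TLS-inspecting
// proxy might log it. Field names are this example's own, not a vendor's.
type GraphRequest struct {
	Host    string // endpoint that made the request
	Process string // image name of the requesting process
	Dest    string // TLS SNI / HTTP Host header
	Path    string // URL path with scheme and host stripped
}

// Processes expected to call Graph's drive endpoints on a Windows
// workstation. An assumption for this example; baseline your own fleet.
var expectedGraphClients = map[string]bool{
	"onedrive.exe": true,
	"msedge.exe":   true,
	"teams.exe":    true,
}

// IsDriveAPICall reports whether a request targets Graph's OneDrive
// surface: graph.microsoft.com with a /drive/ or /drives/ path segment,
// which covers /me/drive, /users/{id}/drive and /drives/{id} alike.
func IsDriveAPICall(r GraphRequest) bool {
	if !strings.EqualFold(r.Dest, "graph.microsoft.com") {
		return false
	}
	p := strings.ToLower(r.Path)
	return strings.Contains(p, "/drive/") || strings.Contains(p, "/drives/")
}

// Finding is one (host, process) pair that called the OneDrive API
// without being an expected Graph client.
type Finding struct {
	Host, Process string
	Calls         int      // drive-API calls observed
	Paths         []string // distinct paths, sorted, for triage
}

// DetectUnexpectedGraphClients groups drive-API calls by host and process,
// drops allowlisted clients and reports pairs with at least minCalls. One
// call may be noise; repeated polling of one folder is the GraphWorm shape.
func DetectUnexpectedGraphClients(reqs []GraphRequest, minCalls int) []Finding {
	type key struct{ host, proc string }
	counts := map[key]int{}
	paths := map[key]map[string]bool{}
	for _, r := range reqs {
		proc := strings.ToLower(r.Process)
		if !IsDriveAPICall(r) || expectedGraphClients[proc] {
			continue
		}
		k := key{r.Host, proc}
		counts[k]++
		if paths[k] == nil {
			paths[k] = map[string]bool{}
		}
		paths[k][r.Path] = true
	}
	var out []Finding
	for k, n := range counts {
		if n < minCalls {
			continue
		}
		var ps []string
		for p := range paths[k] {
			ps = append(ps, p)
		}
		sort.Strings(ps)
		out = append(out, Finding{k.host, k.proc, n, ps})
	}
	// Stable order so output and tests are deterministic.
	sort.Slice(out, func(i, j int) bool {
		return out[i].Host+"|"+out[i].Process < out[j].Host+"|"+out[j].Process
	})
	return out
}

// SampleRequests is constructed data: a workstation doing normal sync and
// a server whose unknown binary polls one folder and moves job/result
// files through it. Hostnames, process names and paths are invented.
var SampleRequests = []GraphRequest{
	{"ws-fin-07", "OneDrive.exe", "graph.microsoft.com", "/v1.0/me/drive/root/children"},
	{"ws-fin-07", "msedge.exe", "graph.microsoft.com", "/v1.0/me/messages"},
	{"srv-web-02", "updater.exe", "graph.microsoft.com", "/v1.0/me/drive/root:/a1b2c3d4:/children"},
	{"srv-web-02", "updater.exe", "graph.microsoft.com", "/v1.0/me/drive/root:/a1b2c3d4/job-0001.bin:/content"},
	{"srv-web-02", "updater.exe", "graph.microsoft.com", "/v1.0/me/drive/root:/a1b2c3d4/result-0001.bin:/content"},
	{"srv-web-02", "updater.exe", "graph.microsoft.com", "/v1.0/me/drive/root:/a1b2c3d4:/children"},
}

func main() {
	for _, f := range DetectUnexpectedGraphClients(SampleRequests, 2) {
		fmt.Printf("%s: %s made %d OneDrive Graph calls: %v\n", f.Host, f.Process, f.Calls, f.Paths)
	}
}
```

The allowlist is the weak point of any rule like this: a real deployment should derive it from an observed baseline and pair the process check with the identity side (which account or tenant the token belongs to), since an implant running inside an allowlisted process, or using a stolen token, would pass the process filter alone.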

Initial access typically comes through exposed web applications. The group scans for known vulnerabilities with the open-source scanner Nuclei and enumerates web paths with dirsearch, and it has also used a script that targets known SquirrelMail vulnerabilities.

Expanding Proxy Network for Evasive Tactics

Beyond GraphWorm, Webworm runs an extensive proxy infrastructure built from both open-source and custom tools. It includes Wormsrp, a custom fork of the open-source reverse proxy frp, and ChainWorm, which chains several proxy hops. Combined with tools such as SmuxProxy and WormSocket, these layers hide the true origin of connections into victim networks and complicate attribution.

The group has also used an Amazon S3 bucket to store configuration and to exfiltrate data from government entities in Italy and Spain. Security experts advise monitoring cloud storage usage for anomalies (unexpected client processes, accounts or buckets) and watching for unauthorized outbound or tunneled network connections.

Webworm's continued evolution, GraphWorm included, underlines that trusted platforms such as Microsoft OneDrive can no longer be treated as implicitly benign destinations; monitoring has to cover how they are used, not only whether they are reached.

Category: Cyber Security News. Tags: backdoor malware, China-aligned threat, cloud platform security, cloud security, command-and-control, cyber threat, Cyberattack, Cybersecurity, Go programming, GraphWorm, Malware, Microsoft Graph API, OneDrive, proxy network, Webworm
