Recent reporting describes new activity from the China-aligned threat actor known as Webworm. The group has remained active in 2025, deploying custom backdoors that abuse Discord and the Microsoft Graph API for command-and-control (C2) communications, so that their traffic blends into ordinary HTTPS sessions with widely used services. The development shows how Webworm's tradecraft continues to evolve as it targets organizations in Russia, Georgia, Mongolia, and other parts of Asia.
Webworm’s Evolving Tactics and Targets
First documented by Symantec in September 2022, Webworm has been engaged in cyber espionage since at least that year. Its targets include government bodies and companies in sectors such as IT services, aerospace, and electric power. The group's operations overlap with other China-based activity clusters, including FishMonger, SixLittleMonkeys, and Space Pirates; SixLittleMonkeys in particular is known for deploying Gh0st RAT against targets in Russia, Mongolia, and Central Asia.
ESET researcher Eric Howard notes that Webworm has shifted away from traditional backdoors toward quieter proxy tooling. The backdoors it still deploys have changed character too: the two families introduced in 2025, EchoCreep and GraphWorm, route their C2 traffic through Discord and the Microsoft Graph API respectively, which means a network defender sees connections to legitimate, high-reputation domains rather than to attacker-owned infrastructure.
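Because the C2 endpoints are legitimate services, blocking by domain is rarely an option; the useful signal is which process is talking to the service and how regularly it does so. The script below is an added example written for this article, not code from ESET or from any Webworm sample. It runs two heuristics over a constructed proxy log: a process that is not a known client of Discord or Microsoft Graph, and near-periodic contact (low-jitter inter-arrival times) with either service. The log schema, the allow-list of expected client processes, the process names, and the API paths in the sample are all assumptions chosen for illustration.

```python
import json
import statistics
from collections import defaultdict

# Services that EchoCreep (Discord) and GraphWorm (Microsoft Graph / OneDrive)
# relay their C2 traffic through, per the reporting above.
TRUSTED_C2_HOSTS = {"discord.com", "discordapp.com", "cdn.discordapp.com",
                    "graph.microsoft.com"}

# Processes that legitimately talk to those hosts. ASSUMPTION: an illustrative
# allow-list; tune it to the software actually deployed in your environment.
_BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
EXPECTED_CLIENTS = {
    "discord.com": {"Discord.exe"} | _BROWSERS,
    "discordapp.com": {"Discord.exe"} | _BROWSERS,
    "cdn.discordapp.com": {"Discord.exe"} | _BROWSERS,
    "graph.microsoft.com": {"OUTLOOK.EXE", "ms-teams.exe", "OneDrive.exe"} | _BROWSERS,
}

# Constructed proxy log (JSON lines), not real telemetry. Field names are an
# assumption; map your own proxy or Sysmon Event ID 3 schema onto them.
# ts = seconds, src = endpoint, proc = image name, dst = destination domain.
SAMPLE_LOG = """\
{"ts": 0,    "src": "WS-17", "proc": "svch0st.exe", "dst": "discord.com", "method": "POST", "path": "/api/v10/channels/111/messages"}
{"ts": 5,    "src": "WS-02", "proc": "Discord.exe", "dst": "discord.com", "method": "GET",  "path": "/api/v10/users/@me"}
{"ts": 61,   "src": "WS-17", "proc": "svch0st.exe", "dst": "discord.com", "method": "POST", "path": "/api/v10/channels/111/messages"}
{"ts": 119,  "src": "WS-17", "proc": "svch0st.exe", "dst": "discord.com", "method": "POST", "path": "/api/v10/channels/111/messages"}
{"ts": 181,  "src": "WS-17", "proc": "svch0st.exe", "dst": "discord.com", "method": "POST", "path": "/api/v10/channels/111/messages"}
{"ts": 240,  "src": "WS-17", "proc": "svch0st.exe", "dst": "discord.com", "method": "POST", "path": "/api/v10/channels/111/messages"}
{"ts": 1000, "src": "WS-09", "proc": "update.exe",  "dst": "graph.microsoft.com", "method": "GET", "path": "/v1.0/me/drive/root/children"}
{"ts": 1010, "src": "WS-04", "proc": "OUTLOOK.EXE", "dst": "graph.microsoft.com", "method": "GET", "path": "/v1.0/me/messages"}
{"ts": 1300, "src": "WS-09", "proc": "update.exe",  "dst": "graph.microsoft.com", "method": "GET", "path": "/v1.0/me/drive/root/children"}
{"ts": 1600, "src": "WS-09", "proc": "update.exe",  "dst": "graph.microsoft.com", "method": "GET", "path": "/v1.0/me/drive/root/children"}
{"ts": 1900, "src": "WS-09", "proc": "update.exe",  "dst": "graph.microsoft.com", "method": "GET", "path": "/v1.0/me/drive/root/children"}
{"ts": 1950, "src": "WS-04", "proc": "OUTLOOK.EXE", "dst": "graph.microsoft.com", "method": "GET", "path": "/v1.0/me/messages"}
"""


def parse_log(text):
    """Parse JSON-lines proxy events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_unexpected_clients(events):
    """Heuristic 1: a process that is not a known client of a C2-capable service."""
    hits = []
    for ev in events:
        allowed = EXPECTED_CLIENTS.get(ev["dst"])
        if allowed is not None and ev["proc"] not in allowed:
            hits.append(ev)
    return hits


def find_beacons(events, min_hits=4, max_cv=0.2):
    """Heuristic 2: near-periodic contact with a C2-capable service.

    Groups contacts by (endpoint, process, destination) and flags groups with
    at least min_hits contacts whose inter-arrival times have a coefficient of
    variation (stdev / mean) at or below max_cv. Humans and GUI clients are
    bursty; a polling loop with little jitter is what a backdoor looks like.
    """
    by_key = defaultdict(list)
    for ev in events:
        if ev["dst"] in TRUSTED_C2_HOSTS:
            by_key[(ev["src"], ev["proc"], ev["dst"])].append(ev["ts"])
    beacons = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons[key] = {"hits": len(stamps), "period": round(mean, 1),
                            "cv": round(cv, 3)}
    return beacons


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in flag_unexpected_clients(evs):
        print("unexpected client:", ev["src"], ev["proc"], "->", ev["dst"], ev["path"])
    for key, info in find_beacons(evs).items():
        print("beacon:", key, info)
```

On the sample, the first heuristic flags every contact from `svch0st.exe` and `update.exe`, and the second flags the same two (endpoint, process, destination) tuples with periods of about 60 s and 300 s, while `Discord.exe` and `OUTLOOK.EXE` pass. In production, key the allow-list on full image path and code-signing identity rather than on file name, since a name like `svch0st.exe` is chosen precisely to look like a system process, and feed the beacon check from a long enough window (hours, not minutes) to catch slow polling.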
Undercover Tactics and Tools
Webworm stages malware and supporting tools such as SoftEther VPN in a GitHub repository disguised as a WordPress project, so that downloads of its tooling look like ordinary open-source traffic. SoftEther VPN is a frequent choice among China-based groups because a legitimate VPN product attracts far less scrutiny than custom tunnelling code. Over the past two years the group has leaned increasingly on semi-legitimate utilities such as SOCKS proxies and has extended its targeting to European countries including Belgium, Italy, Serbia, and Poland.
EchoCreep and GraphWorm represent a significant expansion of Webworm's arsenal, while older tools such as Trochilus and the 9002 RAT appear to have been retired. The group also fields custom proxy components, among them WormFrp and SmuxProxy; WormFrp retrieves its configuration from a compromised Amazon S3 bucket, another instance of operational infrastructure hidden behind a trusted cloud provider.
Capabilities and Deliveries
EchoCreep supports file transfer and command execution, while GraphWorm adds process execution and file management, using Microsoft OneDrive (reached through the Graph API) as its storage and transport channel. How Webworm obtains initial access to deploy these backdoors is still unclear, but its use of the open-source tools dirsearch and nuclei points to reconnaissance against exposed web servers: dirsearch brute-forces directory and file names from a wordlist, and nuclei runs templated checks for known vulnerabilities.
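That kind of reconnaissance leaves a characteristic trace in web server access logs: one client generating a burst of 404s for many distinct paths in a short window. The script below is an added example written for this article, not Webworm's tooling or anything from the cited reports. It parses Apache/nginx combined-format log lines and applies a sliding-window 404 heuristic, plus a weaker check for scanner User-Agent strings. The log lines are constructed (RFC 5737 test addresses), and the User-Agent markers are an assumption about the tools' defaults, which any operator can override.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# ASSUMPTION: substrings found in the default User-Agent of the two tools the
# article names. Both let the operator set any UA, so treat this as weak signal.
SCANNER_UA_MARKERS = ("nuclei", "dirsearch")

# Constructed access-log sample, not a real capture.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [10/Mar/2025:12:00:01 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2025:12:00:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:12:00:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.10 - - [10/Mar/2025:12:00:03 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2025:12:00:04 +0000] "GET /backup.zip HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:12:00:05 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.10 - - [10/Mar/2025:12:00:06 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2025:12:00:07 +0000] "GET /phpinfo.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2025:12:05:00 +0000] "GET /api/v1/status HTTP/1.1" 200 88 "-" "Nuclei - Open-source project (github.com/projectdiscovery/nuclei)"
"""


def parse_access_log(text):
    """Parse combined-format lines into dicts; unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        rec["status"] = int(rec["status"])
        rows.append(rec)
    return rows


def detect_forced_browsing(rows, window=60, threshold=5):
    """Return {ip: peak 404 count} for clients that produced at least
    `threshold` 404s inside some `window`-second span AND probed at least
    `threshold` distinct paths (dirsearch-style wordlist brute-forcing).
    The distinct-path requirement keeps a page reloading one broken link
    from tripping the rule."""
    misses = defaultdict(list)
    for r in rows:
        if r["status"] == 404:
            misses[r["ip"]].append((r["ts"], r["path"]))
    suspects = {}
    for ip, hits in misses.items():
        hits.sort()
        peak, start = 0, 0
        for end in range(len(hits)):          # two-pointer sliding window
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        distinct = len({path for _, path in hits})
        if peak >= threshold and distinct >= threshold:
            suspects[ip] = peak
    return suspects


def detect_scanner_user_agents(rows):
    """Return the set of client IPs whose UA names a known scanner."""
    return {r["ip"] for r in rows
            if any(marker in r["ua"].lower() for marker in SCANNER_UA_MARKERS)}


if __name__ == "__main__":
    parsed = parse_access_log(SAMPLE_ACCESS_LOG)
    print("forced browsing:", detect_forced_browsing(parsed))
    print("scanner UA:", detect_scanner_user_agents(parsed))
```

On the sample, `203.0.113.10` is reported with six 404s in a single window and `192.0.2.5` by its User-Agent, while the ordinary visitor `198.51.100.7` (one stray 404 for `favicon.ico`) is not. A scan of the kind the article describes typically produces hundreds of misses per minute, so the default threshold is deliberately low for the tiny sample; raise `threshold` and widen `window` to match your site's normal 404 rate before deploying it as an alert.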
The disclosure coincides with a Cisco Talos report on a BadIIS variant that appears to have been shared among Chinese-speaking cybercriminals under a malware-as-a-service model since 2021. Its author, who goes by "lwxat", also supplies supporting tools for persistence and detection evasion.
As Webworm continues to expand its toolset, organizations in the targeted regions and sectors should concentrate on the behaviours described here rather than on indicators alone: outbound connections to Discord or Microsoft Graph from processes that have no business making them, tooling fetched from look-alike open-source repositories, and bursts of web reconnaissance against internet-facing servers.
