Webworm's New Backdoors: EchoCreep & GraphWorm Explained (Cybersecurity) (2026)

Webworm, a China-aligned threat actor, has been actively deploying custom backdoors since at least 2022, targeting government agencies and enterprises in various sectors. In 2025, the group introduced EchoCreep and GraphWorm, backdoors that use Discord and the Microsoft Graph API for command-and-control (C2) communications. This marks a shift towards stealthier tooling: Webworm has been moving away from traditional backdoors and towards semi-legitimate utilities such as SOCKS proxies.

The use of a GitHub repository impersonating a WordPress fork as a staging ground for malware and tools like SoftEther VPN is a notable tactic. This approach, adopted by several Chinese hacking groups, helps them blend in and fly under the radar. EchoCreep supports file upload/download and command execution, while GraphWorm is more advanced, capable of spawning new processes, uploading/downloading files from Microsoft OneDrive, and stopping its own execution upon operator signal.
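Because both backdoors hide their C2 inside traffic to legitimate cloud services, a useful hunting heuristic is to flag processes that should never talk to Discord or the Microsoft Graph API. The following is an added example, not code from the article or from any vendor report; the log format, sample lines and the per-service process allowlist are all constructed assumptions to be tuned per environment.

```python
import re

# Constructed sample of endpoint/proxy log lines (assumed format: timestamp host process destination).
SAMPLE_LOG = """\
2026-01-10T09:00:01Z ws01 chrome.exe graph.microsoft.com
2026-01-10T09:00:05Z ws01 teams.exe graph.microsoft.com
2026-01-10T09:01:12Z ws02 svchost.exe discord.com
2026-01-10T09:01:13Z ws02 svchost.exe discord.com
2026-01-10T09:02:44Z ws03 updater.exe graph.microsoft.com
2026-01-10T09:03:00Z ws03 onedrive.exe graph.microsoft.com
2026-01-10T09:04:21Z ws04 outlook.exe graph.microsoft.com
"""

# Destinations for the two C2 channels the article names (Discord and Microsoft Graph).
C2_CAPABLE_DOMAINS = {
    "graph.microsoft.com": "Microsoft Graph API",
    "discord.com": "Discord",
    "discordapp.com": "Discord",
    "gateway.discord.gg": "Discord",
}

# Assumed allowlist: processes legitimately expected to reach each service; tune per site.
EXPECTED_PROCESSES = {
    "Microsoft Graph API": {"teams.exe", "outlook.exe", "onedrive.exe", "chrome.exe", "msedge.exe"},
    "Discord": {"discord.exe", "chrome.exe", "msedge.exe"},
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<dest>\S+)$")


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_suspicious(events):
    """Return sorted (host, process, service) tuples for unexpected callers of C2-capable services."""
    hits = set()
    for e in events:
        service = C2_CAPABLE_DOMAINS.get(e["dest"].lower())
        if service is None:
            continue  # not one of the cloud services used as a C2 channel
        if e["proc"].lower() not in EXPECTED_PROCESSES[service]:
            hits.add((e["host"], e["proc"], service))
    return sorted(hits)


if __name__ == "__main__":
    for host, proc, service in find_suspicious(parse_log(SAMPLE_LOG)):
        print(f"{host}: {proc} -> {service} (unexpected caller, investigate)")
```

Repeated hits from the same unexpected process, as with svchost.exe above, are collapsed to one finding per host so the output reads as a triage list rather than a raw event stream.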

The discovery of these backdoors highlights Webworm's expanding arsenal, even as they appear to have abandoned Trochilus and 9002 RAT. Other tools in their repertoire include iox and custom proxy solutions like WormFrp, ChainWorm, SmuxProxy, and WormSocket. These tools enable encrypted communications and chaining across multiple hosts, enhancing the group's stealth and operational capabilities.

The initial access pathway and delivery methods of these backdoors remain unknown, but Webworm utilizes open-source utilities for brute-forcing victim web servers and searching for vulnerabilities. This comes as Cisco Talos sheds light on a BadIIS variant, sold or shared among Chinese-speaking cybercrime groups, offering a malware-as-a-service model for continuous monetization.

The threat actor's activities raise concerns about the evolving tactics and capabilities of state-sponsored actors, emphasizing the need for robust cybersecurity measures and ongoing threat intelligence to mitigate potential risks and protect sensitive information.
