
Webworm APT Group Leverages Discord and Microsoft Graph API for Stealthy C2 Operations in 2025

Posted by u/Fonarow · 2026-05-21 07:37:52

Overview

In early 2025, cybersecurity researchers detected renewed malicious activity from a China-aligned advanced persistent threat (APT) group tracked as Webworm. This operation employs two custom backdoors—dubbed EchoCreep and GraphWorm—that abuse legitimate platforms such as Discord and Microsoft Graph API for command-and-control (C2) communications. The campaign primarily targets government agencies, signaling a sustained and evolving threat from a group that has been active since at least 2022.

Webworm APT Group Leverages Discord and Microsoft Graph API for Stealthy C2 Operations in 2025
Source: feeds.feedburner.com

Background: Who Is Webworm?

Webworm first came to public light in September 2022 when Broadcom-owned Symantec published a detailed analysis linking the group to China-aligned cyber espionage operations. The group is believed to have been operational since at least 2022, with a focus on infiltrating government networks in Asia and elsewhere. Symantec’s report described a mature toolkit and a careful approach to evasion, but until now, the group has maintained a relatively low profile compared to other Chinese APT actors.

The 2025 Campaign: Fresh Activity and Custom Backdoors

Researchers have now flagged a new wave of attacks in 2025 that deploy EchoCreep and GraphWorm. These backdoors are custom‑built to leverage widely used cloud services—Discord for messaging and Microsoft Graph API for accessing Office 365 and Azure resources—making their network traffic blend in with normal corporate activity. The choice of these platforms indicates a sophisticated understanding of modern network defenses and a desire to fly under the radar of security tools.

Technical Details of the Backdoors

EchoCreep Backdoor

EchoCreep uses Discord as its primary C2 channel. The malware connects to Discord’s API to read commands from a specific channel or direct message thread. Because Discord traffic is often allowed through corporate firewalls and is encrypted, EchoCreep’s communications appear as legitimate gaming or chat traffic. The backdoor can execute shell commands, upload and download files, and perform reconnaissance—all while hiding in plain sight. The use of Discord also grants the attackers a resilient and free infrastructure that is difficult to take down without impacting legitimate users.

GraphWorm Backdoor

GraphWorm abuses the Microsoft Graph API, the unified endpoint for accessing data and intelligence in Microsoft 365, Azure, and Enterprise Mobility + Security services. By authenticating to Graph API with stolen credentials or tokens, GraphWorm can send and receive C2 instructions through emails, calendar events, or SharePoint files. This technique not only masks traffic as normal Office 365 usage but also gives attackers access to corporate data stored in Microsoft’s cloud. GraphWorm can escalate privileges, move laterally, and exfiltrate sensitive documents.


Why Legitimate Services Are Attractive for C2

Using services like Discord and Microsoft Graph API is a hallmark of modern APT tradecraft. These platforms offer strong encryption, high reliability, and low cost (often free). They are trusted by enterprises, so their traffic is rarely inspected or blocked. For Webworm, this means they can maintain persistent access to government networks without raising alarms. Moreover, if one channel is disrupted—for example, if a Discord server is taken down—the attackers can quickly pivot to another service or a different Graph API tenant.

Implications for Government Targets

Governments are attractive targets for espionage, and Webworm’s focus on such entities suggests a long‑term intelligence‑gathering mission. The use of dual backdoors gives the group flexibility: EchoCreep might be used for initial access and command execution, while GraphWorm provides deeper integration into Microsoft environments. This two‑pronged approach increases the likelihood of successful data theft. As of early 2025, researchers have confirmed active infections in several Asian government agencies, though the full scope remains unclear.

Conclusion and Mitigation Recommendations

The resurgence of Webworm underscores the need for organizations—especially government and critical infrastructure—to adopt a defense‑in‑depth strategy. Key recommendations include:

  • Monitor outbound connections to Discord API endpoints and unusual Microsoft Graph API usage patterns.
  • Implement behavioral analytics to detect anomalous API calls or login attempts.
  • Enforce multi‑factor authentication and conditional access policies to protect cloud accounts.
  • Conduct regular threat hunting for signs of EchoCreep or GraphWorm, such as unexpected scheduled tasks or PowerShell scripts invoking Discord Webhooks.
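As an added example (not code from this post or from the researchers' reporting it summarizes), the detector below runs over constructed proxy log lines and flags hosts that poll Discord or Microsoft Graph API endpoints at a near-constant interval, the fixed-sleep pattern typical of C2 polling; the log format, host names and thresholds are assumptions.

```python
"""Flag fixed-interval polling of Discord and Microsoft Graph API endpoints in proxy logs."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines: timestamp, source host, destination host, URL path.
SAMPLE_LOG = """\
2025-02-03T09:00:00 ws-017 discord.com /api/v10/channels/111/messages
2025-02-03T09:01:00 ws-017 discord.com /api/v10/channels/111/messages
2025-02-03T09:02:01 ws-017 discord.com /api/v10/channels/111/messages
2025-02-03T09:03:00 ws-017 discord.com /api/v10/channels/111/messages
2025-02-03T09:04:00 ws-017 discord.com /api/v10/channels/111/messages
2025-02-03T09:00:12 srv-mail graph.microsoft.com /v1.0/me/messages
2025-02-03T09:05:12 srv-mail graph.microsoft.com /v1.0/me/messages
2025-02-03T09:10:13 srv-mail graph.microsoft.com /v1.0/me/messages
2025-02-03T09:15:12 srv-mail graph.microsoft.com /v1.0/me/messages
2025-02-03T09:00:05 ws-042 graph.microsoft.com /v1.0/me/drive/root/children
2025-02-03T09:37:41 ws-042 graph.microsoft.com /v1.0/me/messages
2025-02-03T11:02:19 ws-042 graph.microsoft.com /v1.0/me/calendar/events
"""

# Destinations worth watching for C2 abuse, with the label a hit receives (assumed mapping).
WATCHED = {"discord.com": "discord-c2", "discordapp.com": "discord-c2",
           "graph.microsoft.com": "graph-c2"}

def parse(log):
    """Yield (timestamp, host, dest, path) tuples from the assumed whitespace-separated format."""
    for line in log.splitlines():
        ts, host, dest, path = line.split()
        yield datetime.fromisoformat(ts), host, dest, path

def find_beacons(log, min_hits=4, max_jitter=0.2):
    """Return {(host, dest, path): label} for request series whose interval is near-constant."""
    series = defaultdict(list)
    for ts, host, dest, path in parse(log):
        if dest in WATCHED:
            series[(host, dest, path)].append(ts)
    hits = {}
    for key, times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # A coefficient of variation near 0 means a fixed sleep between polls; ordinary
        # interactive use (ws-042 above) touches varied endpoints at irregular times.
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            hits[key] = WATCHED[key[1]]
    return hits
```

Tune `min_hits` and `max_jitter` to the log window; backdoors that randomize their sleep will need a looser jitter bound or a frequency-based check instead.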

Staying informed about APT groups like Webworm is crucial. Security teams should review the latest indicators of compromise (IOCs) and ensure detection rules are updated. By understanding how threat actors abuse legitimate services, defenders can better anticipate and block these stealthy attack vectors.