WebWorm 2025: the malware that hides in Discord and Microsoft Graph to evade detection

Published | 5 min read

The latest observations by cyber security researchers point to a worrying change in tactics by a China-linked actor known as WebWorm: in 2025 it has incorporated backdoors that communicate with their operators through legitimate services such as Discord and the Microsoft Graph API, taking advantage of channels that often blend in unnoticed with normal business traffic.

WebWorm is not new; it was first publicly documented in 2022 and in recent years has attacked government agencies and companies in critical sectors such as IT services, aerospace and electricity in countries across Asia and Europe. What changes now is the prioritization of tools that imitate or reuse legitimate utilities (SOCKS proxies, SoftEther VPN and custom proxy solutions) rather than relying exclusively on traditional RATs. The obvious objective of this approach is to increase stealth and make attribution and detection more difficult.

Image generated with AI.

Two new pieces of the arsenal discovered in 2025 illustrate this trend: a backdoor that uses Discord as a command and control channel (EchoCreep) and another that abuses the Microsoft Graph API (GraphWorm), with the ability to run commands, transfer files to and from OneDrive and deactivate itself when instructed by the operator. The choice of these platforms is no coincidence: both services offer rich APIs, encrypted traffic and a wide user base, which makes it easy to mix malicious traffic with legitimate activity.

In addition to the new backdoors, WebWorm continues to use a combined strategy that includes GitHub repositories used as lures or tool caches and open source utilities (dirsearch, nuclei) to discover vulnerable web servers. Custom proxies have also been identified that tunnel traffic between internal and external hosts, along with the retrieval of configurations from compromised cloud resources such as Amazon S3 buckets. All this points to an intrusion chain that prioritizes discreet persistence and controlled lateral movement.

The operational implications for organizations and defence teams are clear: legitimate tools can become intrusion vectors, and traditional defenses based on malware signatures or the blocking of suspicious domains lose effectiveness. Detecting this type of attack requires richer telemetry (cloud API activity logs, OAuth application registrations, endpoint telemetry and correlation of outgoing traffic) and detection rules that focus on abnormal behavior and misuse of authorized services.

In practice, it is appropriate to review identity and access settings: audit and restrict the permissions of applications registered in Azure / Office 365, apply consent policies for OAuth applications, enable blocking of unmanaged applications and devices, and monitor the use of Microsoft Graph and OneDrive for unusual upload / download patterns. Microsoft offers documentation and guides on Graph that are useful for understanding the vectors the attackers abuse, and developers and administrators should review these points; more technical information is available in the official documentation: Microsoft Graph.

As for Discord, although it is a consumer-oriented communication platform, its APIs and webhooks can be reused as a C2 channel. Organizations should limit the ability of automated processes or users to interact with external messaging services, monitor for exposed tokens and credentials, and complement this with egress policies that restrict unnecessary outgoing connections. The documentation for Discord developers helps in understanding the capabilities that can be abused: Discord Developer Documentation.


The parallel appearance of a malware-as-a-service model, illustrated by variants focused on IIS servers and automatic installation tools offered under a known forum alias, highlights another trend: the professionalization and marketing of malicious tools. Defence teams should combine technical measures with organizational procedures: web server hardening, WAF rules, credential rotation, S3 bucket access logging and regular review of repository and artifact permissions in GitHub and similar services. Industry research and advisory resources remain essential; vendor and research centre analyses with practical guides and IoCs can be consulted on their portals, for example at threat analysis sites such as ESET - WeLiveSecurity and on the blogs of large threat intelligence teams like Cisco Talos.

For SOC teams and security managers in organizations, the immediate operational recommendation is to increase visibility into the use of third-party APIs and cloud applications, implement detection of atypical process creation and execution (e.g. cmd.exe spawned from unusual applications), review access to cloud storage and outgoing traffic patterns, and perform targeted hunts for signs of chained proxies or tools such as SoftEther. In addition, raising awareness among administrators about public repositories that imitate legitimate projects, and reviewing tools downloaded from external repos, should be part of the security programme.
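The two behaviour-based checks recommended above (shells spawned from unexpected parents, and unusual upload / download patterns by unapproved Graph or OneDrive applications) can be prototyped over telemetry as in the following added example. This is illustrative code written for this article, not a tool from the researchers or from Microsoft; the event field names, the parent-process baseline and the thresholds are assumptions, and the events are constructed, not real logs.

```python
"""Added example: behaviour-based checks over constructed telemetry.
Field names, baselines and thresholds are assumptions, not a vendor schema."""
from collections import defaultdict

# Parents from which an interactive shell is normally expected (assumed baseline).
EXPECTED_SHELL_PARENTS = {"explorer.exe", "services.exe", "cmd.exe", "powershell.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed endpoint process-creation events (not real telemetry).
PROCESS_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "cmd.exe"},
    {"host": "ws02", "parent": "winword.exe", "image": "cmd.exe"},
    {"host": "srv03", "parent": "w3wp.exe", "image": "powershell.exe"},
    {"host": "ws01", "parent": "services.exe", "image": "svchost.exe"},
]

# Constructed cloud-API activity records, one per Graph/OneDrive call (not real logs).
GRAPH_EVENTS = [
    {"app": "Backup-Agent", "op": "upload", "bytes": 2_000_000},
    {"app": "Backup-Agent", "op": "upload", "bytes": 1_500_000},
    {"app": "Unknown-App-42", "op": "upload", "bytes": 200},
    {"app": "Unknown-App-42", "op": "download", "bytes": 50_000},
    {"app": "Unknown-App-42", "op": "upload", "bytes": 300},
    {"app": "Unknown-App-42", "op": "download", "bytes": 75_000},
]


def unusual_shell_spawns(events):
    """Return (host, parent, image) for shells launched by an unexpected parent."""
    return [(e["host"], e["parent"], e["image"]) for e in events
            if e["image"] in SHELLS and e["parent"] not in EXPECTED_SHELL_PARENTS]


def chatty_graph_apps(events, approved_apps, max_calls=3):
    """Return {app: call_count} for apps outside the approved list that make more
    than max_calls calls in both directions (upload and download): the kind of
    unusual two-way OneDrive traffic an analyst should review."""
    per_app = defaultdict(list)
    for e in events:
        per_app[e["app"]].append(e)
    flagged = {}
    for app, calls in per_app.items():
        if app in approved_apps or len(calls) <= max_calls:
            continue
        if {"upload", "download"} <= {c["op"] for c in calls}:
            flagged[app] = len(calls)
    return flagged
```

On the constructed data the first check flags the shells under winword.exe and w3wp.exe, and the second flags only the unapproved application; in production the baselines would be derived from the organization's own telemetry and app registrations.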

In short, WebWorm's evolution shows that the perimeter is no longer enough: attackers take advantage of legitimate services and administrative tools to hide their operations, so effective defence requires visibility into identity and cloud telemetry, strict permission control and behaviour-based detection. Maintaining a proactive security posture and keeping monitoring and response processes up to date is the best defense against these increasingly sophisticated threats.
