Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API
ID: a481cc36-8403-5a35-93fb-27f92be89deb
STIX ID: report--a481cc36-8403-5a35-93fb-27f92be89deb
Feed Name: The Hacker News
Researchers observed activity in 2025 from the China-aligned APT "Webworm," which added two custom backdoors: EchoCreep (Discord-based C2) and GraphWorm (Microsoft Graph API-based C2). The group is increasingly using SoftEther VPN, custom proxy tools, and chaining to evade detection while targeting government and enterprise organizations across Asia, Europe, and Africa. The report also highlights a BadIIS malware-as-a-service offering linked to Chinese-speaking cybercriminals.
