Webworm's Evolving Tactics: EchoCreep and GraphWorm Backdoors (2026)

Webworm, a China-aligned threat actor, has been deploying custom backdoors since at least 2022, targeting government agencies and enterprises across several sectors. In 2025 it introduced EchoCreep and GraphWorm, backdoors that use Discord and the Microsoft Graph API for command-and-control (C2) communication. This marks a shift towards stealthier tooling that hides C2 traffic inside legitimate cloud services, compared with the traditional RATs the group previously relied on, such as Trochilus and 9002 RAT.

Using a GitHub repository that impersonates a WordPress fork as a staging ground for malware and for tools such as SoftEther VPN is a deliberate choice to blend in with legitimate developer traffic and avoid detection. Webworm has also been observed using SOCKS proxies and focusing on European targets, including governmental organizations in Belgium, Italy, Serbia, and Poland, as well as a local university in South Africa.

EchoCreep supports file upload, file download, and command execution. GraphWorm is more capable: it can spawn new processes, upload files to and download files from Microsoft OneDrive, and terminate its own execution. The discovery of these backdoors highlights Webworm's evolving tactics and its readiness to adopt new platforms as C2 infrastructure.
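Because both backdoors described above hide their C2 traffic inside Discord and Microsoft Graph API requests, the signal a defender can look for is not the destination itself but the combination of an unexpected process and a regular cadence. The following script is an added example, not code from the original article or from any referenced research: it parses constructed proxy log lines, groups requests to the abused API hosts by source host and process image, and flags groups whose originating process is outside a hypothetical baseline, upgrading the verdict to a periodic beacon when the inter-request timing has low jitter. The log format, sample lines, process allowlist, and jitter threshold are all assumptions that must be adapted to the environment.

```python
"""Hunt for cloud-API command-and-control beacons in proxy logs.

Added example (not from the original article): flags hosts where an
unexpected process talks to Discord or Microsoft Graph endpoints, and
upgrades the verdict when the requests arrive at a regular cadence.
The log format, the sample lines and the process baseline are
constructed for this example and are not real indicators.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Legitimate SaaS API hosts that the article reports being abused for C2.
WATCHED_HOSTS = {"discord.com", "discordapp.com", "graph.microsoft.com"}

# Hypothetical baseline of process images expected to reach those hosts;
# every environment must build its own from observed traffic.
EXPECTED_PROCESSES = {
    "discord.exe", "outlook.exe", "teams.exe", "onedrive.exe",
    "msedge.exe", "chrome.exe",
}

# Constructed proxy log: timestamp, source host, process image,
# destination host, HTTP method, request path (one request per line).
SAMPLE_LOG = """\
2026-01-12T09:00:00Z ws-042 update_helper.exe graph.microsoft.com GET /v1.0/me/drive/root/children
2026-01-12T09:00:00Z srv-web01 helper.exe discord.com GET /api/v9/channels/<id>/messages
2026-01-12T09:01:00Z srv-web01 helper.exe discord.com GET /api/v9/channels/<id>/messages
2026-01-12T09:01:10Z ws-017 outlook.exe graph.microsoft.com GET /v1.0/me/messages
2026-01-12T09:01:58Z srv-web01 helper.exe discord.com GET /api/v9/channels/<id>/messages
2026-01-12T09:02:00Z ws-042 chrome.exe discord.com GET /api/v9/users/@me
2026-01-12T09:03:01Z srv-web01 helper.exe discord.com POST /api/v9/channels/<id>/messages
2026-01-12T09:03:45Z ws-017 outlook.exe graph.microsoft.com GET /v1.0/me/calendar
2026-01-12T09:05:00Z ws-042 update_helper.exe graph.microsoft.com GET /v1.0/me/drive/root/children
2026-01-12T09:10:00Z ws-042 update_helper.exe graph.microsoft.com PUT /v1.0/me/drive/root:/out.bin:/content
2026-01-12T09:15:00Z ws-042 update_helper.exe graph.microsoft.com GET /v1.0/me/drive/root/children
2026-01-12T09:20:00Z ws-042 update_helper.exe graph.microsoft.com GET /v1.0/me/drive/root/children
2026-01-12T09:30:00Z ws-099 updater.exe discord.com GET /api/v9/users/@me
2026-01-12T09:47:12Z ws-099 updater.exe discord.com GET /api/v9/users/@me
"""


def parse_log(text):
    """Turn the whitespace-separated log format into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, proc, dest, method, path = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((stamp, src, proc.lower(), dest.lower(), method, path))
    return events


def find_suspicious_api_traffic(events, min_beacon=4, max_jitter=0.2):
    """Group requests to watched hosts by (source, process, destination).

    A group whose process is outside the baseline is reported as
    'unexpected_process'; if it has at least `min_beacon` requests and the
    coefficient of variation of the gaps is <= `max_jitter`, it becomes
    'periodic_beacon'. Returns findings with beacons listed first.
    """
    groups = defaultdict(list)
    for stamp, src, proc, dest, *_ in events:
        if dest in WATCHED_HOSTS and proc not in EXPECTED_PROCESSES:
            groups[(src, proc, dest)].append(stamp)

    findings = []
    for (src, proc, dest), stamps in groups.items():
        stamps.sort()
        verdict = "unexpected_process"
        if len(stamps) >= min_beacon:
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            avg = mean(gaps)
            if avg > 0 and pstdev(gaps) / avg <= max_jitter:
                verdict = "periodic_beacon"
        findings.append({
            "host": src, "process": proc, "destination": dest,
            "requests": len(stamps), "verdict": verdict,
        })
    findings.sort(key=lambda f: (f["verdict"] != "periodic_beacon", f["host"]))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_api_traffic(parse_log(SAMPLE_LOG)):
        print(finding)
```

The allowlist is intentionally the weak point of this approach: a backdoor injected into a browser or mail client would inherit an expected image name, so in production the baseline should be keyed on signed-image identity and user context rather than on file name alone, and the beacon check should be complemented with request-size and path-frequency features.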

The threat actor's reliance on open-source utilities to brute-force victim web servers and scan them for vulnerabilities is a concern in its own right. In addition, a BadIIS variant is now available as malware-as-a-service (MaaS), which further complicates the threat landscape: its author, operating under the alias 'lwxat', supplies tooling for automated deployment that keeps the implant in place across IIS server restarts.

The implications of these developments are significant: they show that Webworm can adapt, innovate, and maintain a persistent presence in targeted networks. As researchers continue to uncover these tools, defenders need to remain vigilant and proactive against attacks of this sophistication.

Author: Greg O'Connell

Last Updated:

Views: 6621

Rating: 4.1 / 5 (42 voted)

Reviews: 81% of readers found this page helpful

Author information

Name: Greg O'Connell

Birthday: 1992-01-10

Address: Suite 517 2436 Jefferey Pass, Shanitaside, UT 27519

Phone: +2614651609714

Job: Education Developer

Hobby: Cooking, Gambling, Pottery, Shooting, Baseball, Singing, Snowboarding

Introduction: My name is Greg O'Connell, I am a delightful, colorful, talented, kind, lively, modern, tender person who loves writing and wants to share my knowledge and understanding with you.