
Introduction
Cyber espionage groups continue evolving their techniques to stay ahead of security defenses, and one China-aligned advanced persistent threat group is showing exactly how modern cyber operations are changing. The threat actor known as Webworm has introduced a sophisticated malware platform called GraphWorm, designed to hide malicious activity inside trusted cloud services. By exploiting Microsoft OneDrive infrastructure through the Microsoft Graph API, attackers can blend malicious traffic into ordinary enterprise operations, making detection significantly more difficult.
Security researchers have observed a major shift in Webworm’s operational methods during 2025. Instead of relying on older malware families, the group is now deploying entirely new tools built for stealth, persistence, and large-scale cyber espionage campaigns targeting governmental institutions across Europe and other regions. The discovery highlights a broader cybersecurity trend where attackers increasingly abuse legitimate cloud ecosystems to avoid traditional security monitoring.
Webworm Introduces a New Generation of Malware
Security researchers from ESET uncovered a major expansion in Webworm’s cyber toolkit. Originally publicly documented in 2022, the group has been associated with cyber espionage activities linked to Chinese state-aligned operations and connected to threat clusters including SixLittleMonkeys and FishMonger.
Historically, Webworm relied heavily on malware families such as McRat, also known as 9002 RAT, and Trochilus. Those tools formed the backbone of earlier operations. However, researchers discovered that the organization has now abandoned older implants entirely.
In their place, Webworm deployed two newly developed backdoors written in the Go programming language.
The first malware family, EchoCreep, uses Discord infrastructure for command-and-control communications. The second and more concerning platform, GraphWorm, leverages Microsoft Graph API services and specifically OneDrive endpoints to maintain covert communication channels.
Victims identified during the latest campaign include governmental organizations and institutions located in Belgium, Italy, Serbia, Poland, and South Africa.
The shift demonstrates a growing preference among advanced attackers toward abusing trusted cloud environments instead of operating dedicated command-and-control servers that security teams can more easily identify and block.
How GraphWorm Operates
GraphWorm establishes persistence by modifying Windows Registry Run keys. This allows the malware to execute automatically whenever a user logs into the infected system.
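Run-key persistence of the kind described above is cheap to hunt for because the registry locations are fixed and few. The script below is an added example for this article, not code from ESET or from the Webworm report. It scores every Run/RunOnce value with a generic persistence heuristic (image in a user-writable directory, launched through an interpreter or LOLBin, encoded or download-cradle command line); the directory list, launcher list and scoring are the author's assumptions rather than GraphWorm-specific indicators. On Windows it reads the real keys through winreg; elsewhere it runs over the constructed SAMPLE_ENTRIES.

```python
"""Triage Windows Run-key autoruns with a generic persistence heuristic.

Added example for this article; not code from ESET or from the Webworm
report. Scoring rules are the author's assumptions, not GraphWorm IoCs.
"""
import ntpath
import re
import sys

# Standard autorun locations; each tuple is (hive, subkey).
RUN_KEYS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]
# Directories an unprivileged user can normally write to (assumption).
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\appdata\local",
                 r"\users\public", r"\programdata", r"\windows\temp")
# Launchers that hide the real payload behind a script or DLL (assumption).
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed sample values in the shape of (key, value name, value data).
SAMPLE_ENTRIES = [
    (r"HKLM\...\Run", "SecurityHealth", r'"C:\Windows\System32\SecurityHealthSystray.exe"'),
    (r"HKCU\...\Run", "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\...\Run", "Updater", r"C:\Users\Public\Libraries\update.exe -s"),
    (r"HKCU\...\Run", "helper", "powershell.exe -w hidden -enc QQBCAEMA"),
]


def extract_image_path(value: str) -> str:
    """Return the launched image from a Run value, dropping quotes and arguments."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    m = re.match(r"(.+?\.exe)", value, re.IGNORECASE)
    return m.group(1) if m else value.split(" ")[0]


def score_entry(value: str):
    """Score one autorun value; returns (score, reasons). 0 means nothing odd."""
    reasons = []
    image = extract_image_path(value).lower()
    if any(d in image for d in USER_WRITABLE):
        reasons.append("image lives in a user-writable directory")
    if ntpath.basename(image) in INTERPRETERS:
        reasons.append("launched through an interpreter/LOLBin")
    if not image.endswith(".exe"):
        reasons.append("image is not a .exe")
    if re.search(r"-enc\b|frombase64|downloadstring|\biex\b", value, re.IGNORECASE):
        reasons.append("encoded or download-cradle command line")
    return len(reasons), reasons


def triage(entries):
    """entries: iterable of (key, name, value). Returns flagged entries, highest score first."""
    flagged = []
    for key, name, value in entries:
        score, reasons = score_entry(value)
        if score:
            flagged.append((score, key, name, extract_image_path(value), reasons))
    flagged.sort(key=lambda f: -f[0])
    return flagged


def read_run_keys():
    """Enumerate the real Run/RunOnce values on Windows; empty list elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    entries = []
    for hive, path in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], path) as key:
                i = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break
                    entries.append((f"{hive}\\{path}", name, str(value)))
                    i += 1
        except OSError:
            continue
    return entries


if __name__ == "__main__":
    for score, key, name, image, reasons in triage(read_run_keys() or SAMPLE_ENTRIES):
        print(f"[{score}] {key} :: {name} -> {image}\n      " + "; ".join(reasons))
```

Note that the constructed OneDrive entry scores 1 because the genuine OneDrive client installs under AppData\Local; the heuristic is a triage aid that ranks entries for a human, and a signing or hash check would be the natural next filter.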
Upon execution, the malware creates a unique identification profile for the compromised machine. It gathers information including:
Network adapter IP address
Processor identification details
Physical hardware serial numbers
The malware combines these identifiers, collected through Windows Management Instrumentation (WMI), to generate a victim-specific ID.
That identifier becomes central to Webworm’s infrastructure design.
GraphWorm automatically creates a dedicated OneDrive directory within attacker-controlled Microsoft cloud infrastructure. Inside that folder, three additional directories organize operations:
/files for transferred files
/result for collected command outputs
/job for operator task assignments
Every communication between infected systems and attacker infrastructure undergoes encryption using AES-256-CBC through OpenSSL EVP libraries before being encoded using Base64 for transmission.
This encryption layer helps conceal command activity while blending communications into legitimate Microsoft cloud traffic.
Full Remote Control Capabilities
GraphWorm provides operators with extensive remote management functionality.
Available commands include:
Shell execution through cmd.exe
Process execution
File uploads
File downloads
Process termination
Sleep timing modifications
Key exchange operations potentially supporting reverse shell functionality
The malware also includes optimization mechanisms for handling large amounts of data.
When shell output exceeds normal upload limits, GraphWorm uses Microsoft Graph API upload session functionality to transfer oversized files directly through OneDrive infrastructure.
After successful transfers, the malware removes local evidence by deleting temporary output artifacts, specifically files used to store shell command responses.
This cleanup process reduces forensic visibility and complicates post-incident investigations.
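The folder layout (/job, /result, /files under a per-victim directory) and the use of Graph upload sessions for oversized output are both visible in request telemetry, even though the payloads themselves are encrypted. The script below is an added example for this article, not code from ESET or from the Webworm report. It assumes endpoint or proxy telemetry that records, per HTTPS request, the host, the requesting process and the full Graph URL as one JSON object per line (SAMPLE_LOG is constructed). Rule A flags a process addressing a top-level folder that contains at least two of the three subfolder names the article gives; Rule B flags a createUploadSession call (the real Graph endpoint for large uploads) from a process outside an expected-uploader allowlist. The allowlist, the field names and the assumption that the top folder is the per-victim directory are the author's.

```python
"""Flag GraphWorm-style OneDrive use in Graph API request telemetry.

Added example for this article; not code from ESET or the Webworm report.
Telemetry format, allowlist and folder assumptions are the author's.
"""
import json
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Path-based item addressing: /drive/root:/<path>:/children, :/content, ...
ITEM_PATH = re.compile(r"/drive/(?:root|items/[^/]+):/(?P<path>[^:?]+)")
LAYOUT = {"job", "result", "files"}          # subfolders named in the article
EXPECTED_UPLOADERS = {"onedrive.exe", "winword.exe", "excel.exe",
                      "teams.exe", "msedge.exe"}  # assumption: tune per estate

# Constructed sample telemetry: one JSON object per request.
SAMPLE_LOG = """\
{"host": "ws-01", "process": "OneDrive.exe", "method": "GET", "url": "https://graph.microsoft.com/v1.0/me/drive/root/children"}
{"host": "ws-07", "process": "updater.exe", "method": "GET", "url": "https://graph.microsoft.com/v1.0/me/drive/root:/a1b2c3d4/job:/children"}
{"host": "ws-07", "process": "updater.exe", "method": "PUT", "url": "https://graph.microsoft.com/v1.0/me/drive/root:/a1b2c3d4/result/out_1.txt:/content"}
{"host": "ws-07", "process": "updater.exe", "method": "POST", "url": "https://graph.microsoft.com/v1.0/me/drive/root:/a1b2c3d4/result/out_2.txt:/createUploadSession"}
{"host": "ws-03", "process": "Teams.exe", "method": "POST", "url": "https://graph.microsoft.com/v1.0/me/drive/root:/Documents/report.docx:/createUploadSession"}
"""


def parse_events(text):
    """Parse newline-delimited JSON telemetry into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def drive_path(url):
    """Return the OneDrive item path segments addressed by a Graph URL, or None."""
    parts = urlsplit(url)
    if not parts.netloc.endswith("graph.microsoft.com"):
        return None
    m = ITEM_PATH.search(parts.path)
    return m.group("path").strip("/").split("/") if m else None


def detect(events):
    """Apply rules A (folder layout) and B (unexpected upload session)."""
    alerts = []
    layouts = defaultdict(set)  # (host, process, top folder) -> subfolders seen
    for ev in events:
        proc = ev["process"].lower()
        segs = drive_path(ev["url"])
        # Rule B: large-file upload session from a process that normally never uploads.
        if "createUploadSession" in ev["url"] and proc not in EXPECTED_UPLOADERS:
            alerts.append({"rule": "unexpected-upload-session", "host": ev["host"],
                           "process": ev["process"], "url": ev["url"]})
        # Rule A bookkeeping: remember which layout subfolders each top folder shows.
        if segs and len(segs) >= 2 and segs[1] in LAYOUT:
            layouts[(ev["host"], proc, segs[0])].add(segs[1])
    for (host, proc, top), seen in layouts.items():
        if len(seen) >= 2:
            alerts.append({"rule": "graphworm-like-layout", "host": host,
                           "process": proc, "folder": top, "subfolders": sorted(seen)})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

Both rules key on the requesting process, which is why this needs endpoint or TLS-inspecting proxy telemetry rather than flow logs; the legitimate OneDrive client and Office applications touch the same endpoints, and the process name is what separates them. Running this over the constructed log yields two alerts, both for ws-07.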
Legitimate Cloud Services Become the Perfect Cover
One of the most concerning aspects of GraphWorm is not simply what it does but where it hides.
Traditional network security monitoring often focuses on suspicious domains, uncommon destinations, or unusual outbound traffic patterns. GraphWorm bypasses many of these assumptions entirely.
Because communications travel through legitimate Microsoft 365 services, security tools may interpret malicious traffic as routine business operations.
Corporate networks heavily depend on Microsoft cloud infrastructure every day. Blocking OneDrive or Microsoft Graph API traffic outright is unrealistic for many organizations.
This gives attackers a powerful camouflage layer.
Cloud platforms have increasingly become attractive infrastructure choices for cyber espionage groups because they provide trust inheritance. Security teams generally allow these environments by default.
Webworm appears to be exploiting that trust model aggressively.
EchoCreep and Additional Infrastructure Discovery
Researchers also uncovered details surrounding EchoCreep, Webworm’s second major malware platform.
By decrypting more than 400 Discord messages tied to EchoCreep infrastructure, investigators identified multiple compromised systems through Discord channel naming conventions connected to victim hostnames and IP addresses.
The investigation uncovered another critical operational component.
Researchers identified a fake GitHub repository impersonating a legitimate WordPress project.
The repository functioned as malware staging infrastructure, allowing operators to distribute tools and payloads directly onto compromised environments.
Beyond malware deployment, Webworm also operated an extensive proxy and networking ecosystem.
Custom tools identified include:
WormFrp for encrypted configuration retrieval
ChainWorm for multi-hop proxy chaining
SmuxProxy, derived from open-source networking utilities
WormSocket for scalable socket-based proxy communication
Researchers further determined that cloud-hosted infrastructure supporting these operations ran on systems hosted through Vultr and IT7 Networks.
Indicators of Compromise
Researchers identified two primary malware components associated with the campaign:
GraphWorm Backdoor
SHA-1: 77F1970D620216C5FFF4E14A6CCC13FCCC267217
EchoCreep Backdoor
SHA-1: CB4E50433336707381429707F59C3CBE8D497D98
Threat intelligence indicators were intentionally defanged to prevent accidental activation or unintended connections outside controlled security environments.
What Undercode Says:
Webworm’s evolution reflects a larger cybersecurity reality that defenders can no longer rely solely on perimeter monitoring and domain reputation systems. Attackers increasingly exploit trusted infrastructure because enterprise environments are built around trust assumptions. Microsoft cloud services, Discord communications, GitHub repositories, and cloud hosting providers represent essential operational platforms for modern businesses. Threat actors understand this dependency.
The transition away from older malware families toward Go-based implants is also significant. Go malware continues growing in popularity because the language enables cross-platform compatibility, simplified deployment, and static compilation that complicates reverse engineering efforts.
GraphWorm demonstrates another important strategic shift: operational invisibility over operational complexity. Modern espionage malware no longer needs advanced kernel exploits to remain effective. Instead, attackers prioritize blending into ordinary traffic patterns.
This trend creates a difficult challenge for defenders.
Traditional intrusion detection systems often operate on anomaly detection models built around suspicious destinations or uncommon protocols. Malware using Microsoft cloud APIs breaks those assumptions.
Behavioral monitoring becomes increasingly critical.
Organizations may need stronger telemetry around API usage patterns, identity analytics, cloud service baselining, and endpoint visibility rather than relying exclusively on network signatures.
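Baselining cloud API usage per host and process is the concrete form of the telemetry the paragraph above calls for. The snippet below is an added example for this article, not code from ESET or the Webworm report; it takes a history of daily Graph request counts per (host, process) pair, builds a mean and standard deviation baseline, and flags both pairs that have never been seen talking to Graph before and pairs whose volume exceeds the baseline by a configurable margin. The history values, the multiplier and the absolute floor are constructed assumptions.

```python
"""Baseline per-host, per-process Graph API request volume and flag outliers.

Added example for this article; not code from ESET or the Webworm report.
Counts, thresholds and the host/process names are constructed.
"""
from statistics import mean, pstdev

# Constructed history: daily request counts to graph.microsoft.com per pair.
HISTORY = {
    ("ws-01", "onedrive.exe"): [400, 420, 390, 410, 405],
    ("ws-03", "teams.exe"): [50, 55, 45, 50, 50],
}
# Constructed "today" observation, including a pair never seen before.
TODAY = {
    ("ws-01", "onedrive.exe"): 430,
    ("ws-03", "teams.exe"): 300,
    ("ws-07", "updater.exe"): 140,
}


def build_baseline(history):
    """Return {(host, process): (mean, population stddev)} from daily counts."""
    return {pair: (mean(counts), pstdev(counts)) for pair, counts in history.items()}


def flag_outliers(today, baseline, k=3.0, floor=20):
    """Flag unseen pairs and pairs above mean + max(k*sigma, floor).

    The absolute floor stops a near-constant baseline (sigma close to 0)
    from alerting on trivial day-to-day noise.
    """
    findings = []
    for pair, count in today.items():
        if pair not in baseline:
            findings.append((pair, count, "new host/process pair calling Graph"))
            continue
        mu, sigma = baseline[pair]
        threshold = mu + max(k * sigma, floor)
        if count > threshold:
            findings.append((pair, count, f"volume above baseline {mu:.0f}+/-{sigma:.0f}"))
    return findings


if __name__ == "__main__":
    for pair, count, why in flag_outliers(TODAY, build_baseline(HISTORY)):
        print(f"{pair[0]} {pair[1]}: {count} requests -> {why}")
```

The "new pair" rule is the one that matters most for a backdoor of this type: a freshly dropped binary has no history, so novelty alone is a signal, independent of how much traffic it generates.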
The use of Discord infrastructure is equally notable.
Cybercriminals and espionage groups increasingly weaponize mainstream communication platforms because blocking them can disrupt legitimate workflows. Security teams must distinguish business activity from attacker activity occurring within identical services.
The fake GitHub repository strategy highlights another growing concern: supply chain trust exploitation.
Developers and administrators often trust open-source repositories without extensive validation. Threat actors increasingly understand that impersonating legitimate projects can create highly effective malware delivery channels.
The multi-layer proxy architecture also demonstrates operational maturity.
Proxy chaining, encrypted relay infrastructure, and distributed cloud hosting reduce attribution opportunities while improving resilience against infrastructure takedowns.
Future cyber espionage campaigns will likely continue moving toward cloud-native attack models.
Defenders should expect more abuse involving SaaS platforms, API ecosystems, collaboration tools, and identity infrastructure.
Security visibility must evolve accordingly.
Organizations that continue treating cloud platforms as inherently trusted environments risk creating blind spots sophisticated attackers can exploit repeatedly.
Webworm’s newest campaign serves as another reminder that trust itself has become an attack surface.
Fact Checker Results
✅ Researchers identified Webworm deploying new malware families called GraphWorm and EchoCreep.
✅ GraphWorm abuses Microsoft Graph API and OneDrive infrastructure for command-and-control communications.
✅ The campaign targeted organizations across multiple countries including Belgium, Italy, Serbia, Poland, and South Africa.
Prediction
🔮 Cloud service abuse will continue increasing as advanced threat actors seek stealthier infrastructure.
🔮 Security products will place greater emphasis on API behavior analytics rather than traditional network-only monitoring.
🔮 Future espionage malware campaigns will increasingly combine trusted SaaS ecosystems with encrypted communications to reduce detection opportunities.
References:
Reported By: cyberpress.org