China APT Webworm Hides European Government Espionage Traffic Inside Discord and Microsoft Cloud
| Group | Webworm (China-aligned APT); linked to SixLittleMonkeys and FishMonger |
| Type | APT Campaign / Multi-stage Government Espionage |
| CVEs | CVE-2017-7692 (SquirrelMail post-authentication RCE, CVSS 8.5; used for initial access against webmail targets) |
| Malware | EchoCreep (Go-based backdoor using Discord for C2); GraphWorm (.NET backdoor using Microsoft Graph API and OneDrive for C2); WormFrp, ChainWorm, SmuxProxy, WormSocket (custom proxy chain tools) |
| Score | 8.5 High. Active nation-state espionage confirmed against multiple European government networks, using novel cloud service abuse to evade detection, with data exfiltrated from government infrastructure. |
| Observed | March 2024 (earliest EchoCreep test messages); active campaigns throughout 2025; publicly disclosed 20 May 2026 by ESET Research |
Overview
A China-aligned APT group tracked as Webworm has been running sustained espionage operations against European government organisations, deploying two new custom backdoors that use Discord channels and Microsoft OneDrive folders as their command-and-control infrastructure. ESET Research published full technical findings on 20 May 2026, detailing campaigns that targeted governmental entities in Belgium, Italy, Poland, Serbia, and Spain, as well as a university in South Africa.
Webworm has been active since at least 2022, when Symantec first reported on the group's use of well-known malware families including McRat and Trochilus. Since then, the group has systematically shed those legacy tools in favour of a purpose-built arsenal designed for long-term, low-noise access. The 2025 campaigns represent a significant escalation in tradecraft, with two entirely new backdoors, four custom proxy tools, and a deliberate strategy of blending malicious traffic into legitimate cloud service communications.
The two new backdoors at the centre of this campaign are EchoCreep and GraphWorm. EchoCreep, written in Go, routes all its command-and-control traffic through the Discord API, using AES-CBC-128 encrypted messages sent to private channels on attacker-controlled Discord servers. GraphWorm, written in .NET, uses the Microsoft Graph API exclusively, treating a compromised OneDrive tenant as both a command queue and an exfiltration staging area. Both approaches are designed to defeat network-layer detection tools that rely on identifying unusual or unknown destinations, since outbound HTTPS traffic to discord.com and graph.microsoft.com is routine in most enterprise environments.
For defenders, the core problem is that conventional domain-blocking and network monitoring approaches do not flag this traffic. Blocking discord.com or graph.microsoft.com wholesale is not practical in most organisations. The appropriate response involves detecting the underlying malware on endpoints, blocking known malicious file hashes, hunting for the persistence artefacts the group leaves behind, and monitoring for the specific process and network-access patterns that distinguish Webworm's tools from legitimate usage.
Key Details
Delivery Method: Web vulnerability scanning using nuclei and dirsearch, followed by exploitation of known webmail vulnerabilities; staging via a GitHub repository disguised as a WordPress fork
Target: Government organisations in Belgium, Italy, Poland, Serbia, and Spain; university in South Africa; more than 50 targets identified via active scanning
Functions
- Remote command execution via cmd.exe shell on compromised hosts
- File upload and download through Discord API (EchoCreep) and OneDrive (GraphWorm)
- Victim system fingerprinting on first execution, including hostname, IP, MAC, OS, and privilege level
- Data exfiltration through a compromised AWS S3 bucket, Discord attachments, and OneDrive directories
- Multi-hop proxy chain establishment across victim networks using WormFrp, ChainWorm, SmuxProxy, and WormSocket
- Credential dumping via SharpSecretsdump deployed from the compromised S3 bucket
- Virtual machine snapshot exfiltration from compromised government infrastructure
Obfuscation: All C2 communications AES-encrypted and base64-encoded before transmission; malware staged in a GitHub repository that is a direct fork of the legitimate WordPress repository; EchoCreep binary carries a modified timestamp to complicate forensic dating
Attack Vectors
Stage 1 - Reconnaissance: Webworm operators begin with active scanning of target web infrastructure using two open-source tools, dirsearch for directory and file brute-forcing and nuclei for automated vulnerability detection. ESET recovered operator bash history from an exposed proxy server, showing nuclei and dirsearch executed against 56 targets across Spain, Hungary, Belgium, Nigeria, the Czech Republic, and Serbia.
Stage 2 - Initial Access: Against a Serbian government target, operators used a proof-of-concept exploit for CVE-2017-7692, a post-authentication remote code execution vulnerability in the SquirrelMail webmail client (versions up to 1.4.22). The vulnerability stems from improper use of escapeshellcmd() in the Deliver_SendMail class, allowing injection of arbitrary command parameters when the Sendmail delivery method is in use. ESET found that Webworm first acquired the target's credentials before exploiting this flaw, suggesting credential harvesting or brute-force preceded the RCE step.
Stage 3 - Backdoor Deployment and Persistence: Once inside, operators download backdoor payloads directly from a GitHub repository disguised as a fork of the official WordPress project (github[.]com/anjsdgasdf/WordPress). Tools are placed within the wp-admin directory to blend with legitimate repository structure. EchoCreep establishes persistence via a scheduled task named MicrosoftSSHUpdate. GraphWorm persists through Windows registry Run keys and executes on every user logon, collecting host information and registering a unique victim ID derived from the network adapter IP, processor ID, and physical device serial number concatenated together.
Stage 4 - Lateral Movement and Exfiltration: Operators deploy the custom proxy suite (WormFrp, ChainWorm, SmuxProxy, WormSocket) to build multi-hop encrypted tunnels both internally and externally, using cloud servers hosted on Vultr and IT7 Networks infrastructure. WormFrp retrieves its configuration from a compromised third-party AWS S3 bucket, meaning configuration updates occur without any direct attacker-to-victim communication. Data exfiltration occurs via Discord file attachments (EchoCreep), OneDrive uploads through the Microsoft Graph API (GraphWorm), and directly to the compromised S3 bucket. ESET confirmed that files exfiltrated from a Spanish government entity included mRemoteNG saved configuration files containing remote connection settings and a Microsoft Visio diagram of the entity's domain infrastructure.
Known Indicators of Compromise
Indicators may vary across campaigns and malware samples. Verify all IOCs against current threat feeds before actioning.
File Hashes (SHA-1)
| Filename | Hash | Detection | Description |
|---|---|---|---|
| SearchApp.exe | CB4E50433336707381429707F59C3CBE8D497D98 | WinGo/Agent.ZK | EchoCreep backdoor, Discord C2 |
| ssh.exe | 1DF40A4A31B30B62EC33DC6FECC2C4408302ADC7 | WinGo/HackTool.Proxy.AE | WormFrp proxy tool |
| svc.exe | 7DCFE9EE25841DFD58D3D6871BF867FE32141DFB | MSIL/HackTool.Proxy.H | WormHole proxy tool |
| C2OverOneDrive_v0316.exe | 77F1970D620216C5FFF4E14A6CCC13FCCC267217 | Win32/Agent.VWD | GraphWorm backdoor, Graph API C2 |
| MessengerClient.exe | 948159A7FC2E688386864BEA59FD40DFFC4B24D6 | MSIL/HackTool.Proxy.I | WormSocket proxy tool |
| dsocks.exe | A3C077BDF8898E612CCD65BC82E7960834ADB2A9 | WinGo/Riskware.Iox.L | SmuxProxy, custom iox with hardcoded IP |
IP Addresses
| IP | Hosting Provider | First Seen | Role |
|---|---|---|---|
| 45.77.13[.]67 | Vultr Holdings, LLC | 2025-04-07 | WormSocket web socket server |
| 64.176.85[.]158 | The Constant Company, LLC | 2025-06-28 | SmuxProxy server |
| 104.243.23[.]43 | IT7 Networks Inc | 2025-04-09 | SmuxProxy server |
| 108.61.200[.]151 | Vultr Holdings, LLC | 2025-04-10 | WormFrp proxy server |
| 144.168.60[.]233 | IT7 Networks Inc | 2025-06-30 | Reverse shell endpoint |
Domains and Infrastructure
| Indicator | Type | Notes |
|---|---|---|
| wamanharipethe.s3.ap-south-1.amazonaws[.]com | Compromised AWS S3 bucket | WormFrp config retrieval and data exfiltration |
| github[.]com/anjsdgasdf/WordPress | GitHub staging repository | WordPress fork used to stage tools and malware |
Persistence Artefacts
| Artefact | Type | Backdoor |
|---|---|---|
| MicrosoftSSHUpdate | Scheduled Task | EchoCreep |
| Registry Run key modifications | Registry | GraphWorm |
| beacon_shell_output.txt (temp directory) | Temporary file | GraphWorm (shell output staging) |
| config.dat | Configuration file | GraphWorm (on-disk configuration) |
MITRE ATT&CK Techniques
| Technique ID | Technique Name | Application in This Campaign |
|---|---|---|
| T1595.002 | Active Scanning: Vulnerability Scanning | Nuclei used to scan 56+ government targets for exploitable web services |
| T1102.002 | Web Service: Bidirectional Communication | EchoCreep uses Discord API; GraphWorm uses Microsoft Graph API for C2 |
| T1053.005 | Scheduled Task/Job: Scheduled Task | EchoCreep persists via MicrosoftSSHUpdate scheduled task |
| T1547.001 | Boot or Logon Autostart: Registry Run Keys | GraphWorm persists via Windows registry Run keys |
| T1567.002 | Exfiltration Over Web Service: Cloud Storage | GraphWorm exfiltrates data to OneDrive via Microsoft Graph API |
| T1090.003 | Proxy: Multi-hop Proxy | ChainWorm and WormSocket chain proxies across multiple hosts |
| T1608.002 | Stage Capabilities: Upload Tool | Tools staged in forked WordPress GitHub repository |
| T1584.006 | Compromise Infrastructure: Web Services | Compromised AWS S3 bucket used for WormFrp config and exfil |
Mitigation and Prevention
Block Known Malicious File Hashes
Add all six SHA-1 hashes documented in the IOC section to your endpoint detection and response (EDR) blocklist immediately. The filenames (SearchApp.exe, ssh.exe, svc.exe) are chosen to impersonate legitimate Windows binaries, so hash-based detection is more reliable than filename-based rules.
Hunt for the MicrosoftSSHUpdate Scheduled Task
Run a sweep across your Windows estate for any scheduled task named MicrosoftSSHUpdate. This task name is hardcoded by EchoCreep and is not associated with any legitimate Microsoft software. Presence of this task should be treated as a confirmed indicator of compromise.
Monitor Outbound API Traffic to Discord and Microsoft Graph
Deploy network inspection rules that log, rather than block, outbound HTTPS connections to discord.com and graph.microsoft.com from server operating systems and service accounts, where such traffic has no legitimate business purpose. Webworm's backdoors use crafted HTTP requests to these APIs, which stand out from normal user-initiated traffic once a per-host baseline has been established over time.
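One way to triage such logs, as an added example that is not part of the ESET report or the original page: the proxy log lines, the SRV- hostname convention and the svc_ service-account convention below are constructed assumptions; adapt them to your own naming scheme and log format.

```powershell
# Added example (not from the ESET report): flag Discord / Microsoft Graph API
# calls from hosts or accounts that should never talk to those services, then
# summarise per source so repeated beaconing and upload-heavy sessions stand out.
# The log lines below are constructed sample data, not captured traffic.
$ProxyLog = @'
timestamp,src_host,user,dst_host,method,uri,bytes_out
2025-06-30T08:01:12Z,WS-FINANCE-12,j.doe,discord.com,GET,/api/v9/channels/000/messages,312
2025-06-30T08:02:40Z,SRV-DC01,svc_backup,discord.com,POST,/api/v9/channels/000/messages,5120
2025-06-30T08:03:05Z,SRV-FILE02,SYSTEM,graph.microsoft.com,PUT,/v1.0/me/drive/root:/out/x.bin:/content,2097152
2025-06-30T08:03:09Z,WS-HR-04,a.smith,graph.microsoft.com,GET,/v1.0/me/drive/root/children,880
2025-06-30T08:04:00Z,SRV-DC01,svc_backup,discord.com,POST,/api/v9/channels/000/messages,6144
'@

$WatchedHosts   = 'discord.com', 'discordapp.com', 'graph.microsoft.com'
$ServerPattern  = '^SRV-'             # assumption: server hostname convention
$ServiceAccount = '^(svc_|SYSTEM$)'   # assumption: service-account convention

# Keep only watched destinations reached from a server or a non-interactive account.
$Suspect = $ProxyLog | ConvertFrom-Csv |
    Where-Object { $WatchedHosts -contains $_.dst_host } |
    Where-Object { $_.src_host -match $ServerPattern -or $_.user -match $ServiceAccount }

# Group per (host, user, destination): request count shows beaconing cadence,
# POST/PUT volume shows the exfiltration side of the C2 channel.
$Suspect | Group-Object src_host, user, dst_host | ForEach-Object {
    $rows = $_.Group
    [pscustomobject]@{
        Source    = $_.Name
        Requests  = $rows.Count
        Uploads   = ($rows | Where-Object { $_.method -in 'POST', 'PUT' }).Count
        BytesOut  = ($rows | Measure-Object -Property bytes_out -Sum).Sum
        FirstSeen = ($rows.timestamp | Sort-Object)[0]
    }
} | Sort-Object BytesOut -Descending | Format-Table -AutoSize
```

With the sample data the two workstation rows are dropped as ordinary user traffic, while SRV-DC01/svc_backup (three Discord POSTs) and SRV-FILE02/SYSTEM (a 2 MB Graph upload) are reported for investigation.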
Audit Registry Run Keys for Unfamiliar Executables
GraphWorm persists via Run keys in the Windows registry. Conduct a baseline audit of all Run key entries across critical systems and investigate any entry pointing to an executable in an unusual or temporary directory path. Authorise only known-good entries and flag deviations.
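A read-only host sweep covering the three endpoint checks above (the MicrosoftSSHUpdate task, Run keys pointing at user-writable paths, and the six SHA-1 hashes from the IOC section), as an added example that is not part of the ESET report or the original page. The scan roots and the "suspicious path" regex are assumptions to tune for your estate; run it in an elevated session.

```powershell
# Added example (not from the ESET report): triage sweep for the Webworm
# persistence artefacts and file hashes listed in this page's IOC section.
$IocHashes = @(
    'CB4E50433336707381429707F59C3CBE8D497D98',  # SearchApp.exe, EchoCreep
    '1DF40A4A31B30B62EC33DC6FECC2C4408302ADC7',  # ssh.exe, WormFrp
    '7DCFE9EE25841DFD58D3D6871BF867FE32141DFB',  # svc.exe, proxy tool
    '77F1970D620216C5FFF4E14A6CCC13FCCC267217',  # C2OverOneDrive_v0316.exe, GraphWorm
    '948159A7FC2E688386864BEA59FD40DFFC4B24D6',  # MessengerClient.exe, WormSocket
    'A3C077BDF8898E612CCD65BC82E7960834ADB2A9'   # dsocks.exe, SmuxProxy
)
$ScanRoots = @("$env:ProgramData", "$env:TEMP", "$env:USERPROFILE")   # assumption: tune per estate
$Findings  = @()

# 1. EchoCreep persistence: the task name is hardcoded, so an exact match is a confirmed hit.
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -eq 'MicrosoftSSHUpdate' } |
    ForEach-Object {
        $Actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $Findings += [pscustomobject]@{ Type = 'ScheduledTask'; Name = $_.TaskName; Detail = $Actions }
    }

# 2. GraphWorm persistence: Run-key entries whose target lives in a temp or user-writable
#    directory. These are leads to review, not confirmed hits (some legitimate software
#    also autostarts from AppData), so compare against your baseline.
$RunKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
$Suspicious = '\\Temp\\|\\AppData\\|\\Users\\Public\\|\\Downloads\\'   # assumption
foreach ($Key in $RunKeys) {
    $Props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if (-not $Props) { continue }
    $Props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' -and "$($_.Value)" -match $Suspicious } |
        ForEach-Object {
            $Findings += [pscustomobject]@{ Type = 'RunKey'; Name = "$Key\$($_.Name)"; Detail = $_.Value }
        }
}

# 3. Hash sweep: SHA-1 of every executable under the scan roots against the IOC list.
#    Filenames are deliberately misleading (SearchApp.exe, ssh.exe, svc.exe), so match on hash only.
Get-ChildItem -Path $ScanRoots -Recurse -Include *.exe -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA1 -ErrorAction SilentlyContinue).Hash
        if ($Hash -and $IocHashes -contains $Hash) {
            $Findings += [pscustomobject]@{ Type = 'FileHash'; Name = $_.FullName; Detail = $Hash }
        }
    }

if ($Findings) { $Findings | Format-Table -AutoSize } else { 'No Webworm IOC matches on this host.' }
```

For fleet-wide hunting, wrap the script in Invoke-Command against your server list and collect the $Findings objects centrally rather than reading per-host console output.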
Patch or Decommission SquirrelMail Instances
CVE-2017-7692 is a nine-year-old vulnerability with a public proof-of-concept exploit. If your organisation runs any SquirrelMail instance on a version earlier than the April 2017 patch, treat it as actively exploitable. Webworm has demonstrated willingness to use this vulnerability against governmental webmail targets. Decommissioning legacy webmail in favour of a maintained platform eliminates this attack surface entirely.
Audit GitHub Repository Downloads on Managed Endpoints
Webworm stages its malware in a GitHub repository disguised as a WordPress fork. Review endpoint telemetry for curl or wget commands downloading from github.com to disk locations outside of known developer workflows. The specific staging path observed includes a wp-admin directory, but future campaigns may vary the path.
Review AWS S3 Bucket Permissions and Access Logs
Webworm used a misconfigured or compromised S3 bucket as a configuration server and exfiltration channel. Review all S3 buckets in your AWS account for public access policies that should not exist. Enable CloudTrail and S3 server access logging, and alert on any GET or PUT operations from IP addresses outside your expected operational ranges.
Restrict Cloud Proxy Infrastructure by ASN
The majority of Webworm's proxy servers are hosted on two ASNs: Vultr Holdings and IT7 Networks. If your organisation has no legitimate connectivity requirements to these providers, consider implementing firewall rules to block or alert on outbound traffic to their IP ranges. Cross-reference with the specific IPs listed in the IOC section above.
Risk Assessment
Webworm's 2025 campaigns represent a maturation of Chinese APT tradecraft that security teams need to take seriously, particularly those responsible for protecting government networks in Europe. The decision to route C2 traffic through Discord and Microsoft OneDrive is not a technical novelty in isolation (other threat actors have experimented with cloud service abuse), but the level of operational discipline Webworm demonstrates here sets it apart. The group built entirely custom proxy tools, encrypted every communication channel, staged malware inside a legitimate-looking GitHub repository, and even leveraged a compromised victim's own AWS bill to fund the exfiltration infrastructure.
The confirmed victims include at least five European government entities across Belgium, Italy, Poland, Serbia, and Spain, with ESET recovering actual exfiltrated data, including remote connection configuration files and network infrastructure diagrams from a Spanish government entity. Virtual machine snapshots from an Italian government entity were also found in the compromised S3 bucket. These are high-value intelligence assets that give an adversary a detailed map of their target's internal network. The potential for follow-on exploitation based on the stolen mRemoteNG configurations alone is significant.
The targeting shift from Asia to Europe is consistent with broader patterns in Chinese state-sponsored espionage activity in 2025 and 2026, driven by geopolitical priorities including European security policy, military procurement, and diplomatic positioning. Organisations in the government, defence, and critical infrastructure sectors across Europe should treat this disclosure as a direct call to audit their environments against the IOCs published here.
Conclusion
The single most important action any defender can take today is to hunt for the MicrosoftSSHUpdate scheduled task and the six file hashes in the IOC section across all endpoints in their environment. If EchoCreep or GraphWorm has been deployed, those artefacts will be present.
What Webworm demonstrates here is the increasing irrelevance of network-perimeter defences against well-resourced state-sponsored actors. When your EDR tools are the last meaningful line of defence, because the attacker's C2 traffic is indistinguishable from a developer checking GitHub or an executive uploading to OneDrive, the only reliable detection strategy is endpoint telemetry, behavioural analysis, and proactive threat hunting. Organisations that have not yet invested in those capabilities are operationally blind to this threat class.
Sources
- ESET Research, Webworm: New burrowing techniques (20 May 2026)
- The Hacker News, Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API (May 2026)
- Infosecurity Magazine, China-Linked Webworm APT Evolves Tactics, Expands to European Targets (May 2026)
- GBHackers, GraphWorm Malware Abuses Microsoft OneDrive for Stealthy C2 Operations (May 2026)