Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API
Summary
A China-aligned threat actor known as Webworm is deploying two custom backdoors, EchoCreep and GraphWorm, that use Discord and the Microsoft Graph API, respectively, as command-and-control (C2) channels, so their traffic is carried over legitimate, widely used cloud services. Webworm has been active since at least 2022 and targets government agencies.
IFF Assessment
FOE
Webworm's new backdoors route C2 traffic through Discord and the Microsoft Graph API, both of which are legitimate services commonly allowed through enterprise egress controls. That makes the traffic difficult to distinguish from benign use and raises the risk to network defenders in the targeted sectors.
Defender Context
Defenders should be aware of Webworm's TTPs, in particular the use of Discord and the Microsoft Graph API for C2 communications. Because both services are legitimate, blocking them outright is usually not an option; instead, organizations should baseline which hosts and processes normally contact Discord (discord.com, discordapp.com) and Microsoft Graph (graph.microsoft.com), and alert on connections to those domains from unexpected processes, from hosts that have never used the service before, or in beacon-like periodic patterns. Staying current on threat intelligence about Webworm and similar threat actors is essential.