Webworm Buries Its Spy Tools in Discord and OneDrive Traffic
Researchers at the security firm ESET decrypted more than 400 chat messages tied to Webworm, a China-aligned cyber espionage group, and found something tidier than the usual hacker setup: an operation running almost entirely on cloud services that corporate IT teams already trust. The group has pulled back from its old hunting grounds in Asia and is now lifting files off government networks in Belgium, Italy, Poland, Serbia and Spain.
The plumbing is what makes this campaign hard to shut down. Discord chat channels, Microsoft’s Graph interface, a forked copy of WordPress sitting on GitHub and a hijacked Amazon storage account now carry the group’s commands and the documents it steals. On a busy government network, all of that looks like ordinary cloud work.
The Two Backdoors Hide Inside Discord and OneDrive Traffic
The 2025 campaigns introduced two custom backdoors, and both lean on platforms employees use every day. EchoCreep, written in the Go programming language, talks to attacker-run Discord channels to upload stolen files, send back status reports and pull down new commands. It scrambles those instructions with base64 encoding and AES-CBC-128 encryption, so anyone watching the traffic sees noise rather than orders.
GraphWorm is the more capable of the pair. It reaches Microsoft through the Graph API (the programming interface that apps use to read and write Microsoft 365 data) and parks its tasks in the victim’s OneDrive. For each infected machine it builds a dedicated folder with separate areas for jobs, files and results, encrypts the contents with AES-256, and can spawn a fresh command shell on the computer to run whatever the operators send. ESET laid out the mechanics in a full technical breakdown of the EchoCreep and GraphWorm backdoors.
| Backdoor | Communication channel | Encryption | Main actions |
|---|---|---|---|
| EchoCreep | Discord channels | AES-CBC-128 with base64 | Upload, download, run shell commands, sleep |
| GraphWorm | Microsoft Graph API via OneDrive | AES-256-CBC | Retrieve jobs, upload stolen data, open a new command shell |

Why Living off Trusted Services Beats a Hidden Server
For years, malware phoned home to obscure web addresses that security teams could spot and add to a blacklist. The newer toolset sidesteps that problem. Traffic to chat, cloud and code-hosting platforms rarely draws scrutiny, because blocking those domains would also break the legitimate work happening on the same network.
The tactic is spreading. Through 2024, Symantec and other researchers catalogued a run of backdoors, among them Grager, BirdyClient and a tool called Onedrivetools, all routing their command traffic through the Graph API and Microsoft’s cloud storage. Singapore’s Cyber Security Agency thought the pattern serious enough to publish a national advisory on Graph API abuse by attackers.
The appeal is practical. A basic OneDrive account is free, the connection is encrypted by default, and the stolen data sits behind Microsoft’s name instead of a server in a rented data centre. Cheap, trusted and hard to filter is a strong combination for a crew that wants to stay inside a network for months.
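The practical consequence for a defender is that the destination alone says nothing; what distinguishes a backdoor from Outlook is which process on which host is talking to the service, and how much it sends. The following is an added example, not ESET's tooling or anything from the report: it parses constructed endpoint-telemetry lines (the log format, host names, process names and byte counts are all invented here) and flags traffic to the services the article names when it comes from a process that has no business reaching them. The per-service allowlist is an assumption to be tuned per environment.

```python
"""
Added example (not ESET's code or anything from the Webworm report): flag
traffic to trusted cloud services when it originates from an unexpected
process. Log format, hosts, process names and byte counts are constructed.
"""
import re
from collections import defaultdict

# Services the article describes as command-and-control carriers. Blocking
# them outright breaks legitimate work, so the check keys on the process.
WATCHED_HOSTS = {
    "discord.com": "discord",
    "gateway.discord.gg": "discord",
    "graph.microsoft.com": "graph",
    "api.github.com": "github",
    "raw.githubusercontent.com": "github",
}

# Processes expected to reach each service (assumption; tune per environment).
EXPECTED_PROCESSES = {
    "discord": {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
    "graph": {"outlook.exe", "onedrive.exe", "teams.exe", "excel.exe",
              "winword.exe", "msedge.exe", "chrome.exe"},
    "github": {"git.exe", "code.exe", "chrome.exe", "msedge.exe"},
}

# Constructed telemetry line shape:
#   <timestamp> host=<h> proc=<image> pid=<n> dst=<fqdn> bytes_out=<n>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) pid=(?P<pid>\d+) "
    r"dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)

# Constructed sample: two ordinary Office/browser sessions, plus a system
# process and an "updater" pushing large payloads to Discord and Graph.
SAMPLE_LOG = """\
2026-01-12T08:01:03Z host=ws-0412 proc=outlook.exe pid=4120 dst=graph.microsoft.com bytes_out=1820
2026-01-12T08:01:09Z host=ws-0412 proc=chrome.exe pid=5311 dst=discord.com bytes_out=940
2026-01-12T08:02:44Z host=ws-0412 proc=svchost.exe pid=7788 dst=discord.com bytes_out=3211
2026-01-12T08:03:10Z host=ws-0412 proc=svchost.exe pid=7788 dst=discord.com bytes_out=262144
2026-01-12T08:03:51Z host=ws-0199 proc=updater.exe pid=912 dst=graph.microsoft.com bytes_out=4096
2026-01-12T08:04:02Z host=ws-0199 proc=updater.exe pid=912 dst=graph.microsoft.com bytes_out=524288
2026-01-12T08:05:30Z host=ws-0412 proc=onedrive.exe pid=2201 dst=graph.microsoft.com bytes_out=700
"""


def parse_log(text):
    """Parse the constructed log format into dicts; skip lines that do not match."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def find_unexpected(records):
    """
    Return sorted findings (host, process, service, total_bytes_out, connections)
    for every process that reached a watched service without being expected to.
    """
    totals = defaultdict(lambda: [0, 0])
    for r in records:
        service = WATCHED_HOSTS.get(r["dst"].lower())
        if service is None or r["proc"].lower() in EXPECTED_PROCESSES[service]:
            continue
        key = (r["host"], r["proc"].lower(), service)
        totals[key][0] += int(r["bytes"])
        totals[key][1] += 1
    return sorted((h, p, s, b, n) for (h, p, s), (b, n) in totals.items())


def upload_like(findings, threshold=100 * 1024):
    """Subset of findings whose outbound volume looks like exfiltration, not polling."""
    return [f for f in findings if f[3] >= threshold]


if __name__ == "__main__":
    found = find_unexpected(parse_log(SAMPLE_LOG))
    for host, proc, service, total, n in found:
        flag = "UPLOAD" if (host, proc, service, total, n) in upload_like(found) else "poll"
        print(f"{host} {proc} -> {service}: {n} connections, {total} bytes out [{flag}]")
```

Run against real telemetry, the interesting rows are exactly the ones a domain blocklist cannot express: a system-looking binary with a quarter of a megabyte outbound to a chat API, or an unsigned "updater" writing half a megabyte to Graph.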
The Hunt Stretched from Brussels to a South African Campus
Webworm was first documented by Symantec in 2022, when it was reworking older remote access trojans against organisations in Asia. The group is also tracked under names such as Space Pirates. The newer activity points squarely at Europe.
ESET confirmed government victims in Belgium, Italy, Poland, Serbia and Spain, alongside a compromised university in South Africa. The reconnaissance ran wider still. A recovered command log showed the operators turning an open-source vulnerability scanner against more than 50 unique targets, probing systems in Spain, Hungary, Belgium, Nigeria, Czechia and Serbia for weak spots to approach.
“Through our analysis, we were fortunate enough to recover commands executed from a server that gave a view into the group’s potential initial access techniques, using an open-source vulnerability scanner as well as identifying some of its focused targets,” said Eric Howard, a malware researcher at ESET.
The recovered material gave investigators an unusually clear look at how victims were picked and profiled before any backdoor landed.
- 400+ command-and-control messages decrypted across four victim channels
- 50+ unique targets profiled with a public vulnerability scanner
- 20 stolen files uploaded to a hijacked cloud account in two months
A Hijacked AWS Bucket Where the Victim Paid the Bill
The strangest find sat inside Amazon’s cloud. Webworm’s custom proxy, WormFrp, pulled its configuration from a compromised AWS S3 bucket (S3 is short for Simple Storage Service, Amazon’s basic file store) and then used the same bucket to hold data taken from victims. The account owner whose storage had been hijacked covered the cost.
“During our investigation of the 2025 campaigns, we discovered that Webworm had started using its custom proxy solution WormFrp to retrieve configurations from a compromised AWS S3 bucket […] It is apparent that through this S3 bucket, Webworm can leverage data exfiltration while an unsuspecting victim foots the bill for the service.”
That was Eric Howard again, describing how the group turned someone else’s cloud account into both a control panel and a dead drop.
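The bucket owner in that story had one place to notice something was wrong: the access records for their own storage. The following is an added example and not ESET's tooling or anything from the report. It reviews constructed CloudTrail-style S3 data events (the field names eventName, sourceIPAddress and userIdentity follow CloudTrail's layout; the account ID, ARNs, addresses and object keys are invented) and flags reads and writes that come from an address range or principal the owner does not recognise. The known network range and principal set are assumptions standing in for the owner's own inventory.

```python
"""
Added example (not code from ESET or the article): review constructed
CloudTrail-style S3 data events and flag access from unrecognised source
addresses or principals. Account ID, ARNs, IPs and object keys are constructed.
"""
import json
from ipaddress import ip_address, ip_network

# Assumed inventory of who should touch this bucket (constructed values).
KNOWN_NETWORKS = [ip_network("203.0.113.0/24")]          # corporate egress range
KNOWN_PRINCIPALS = {"arn:aws:iam::111122223333:user/backup-svc"}
WRITE_OPS = {"PutObject", "DeleteObject", "PutBucketPolicy", "PutBucketAcl"}

# Constructed events: a legitimate backup write, then a foreign address
# fetching a config object and pushing a large artefact with the same
# credentials, then a write from an unknown assumed role.
RAW_EVENTS = json.dumps([
    {"eventTime": "2025-12-03T02:14:11Z", "eventName": "PutObject",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"},
     "requestParameters": {"bucketName": "example-bucket",
                           "key": "backups/db-2025-12-03.tar"}},
    {"eventTime": "2025-12-03T03:40:52Z", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"},
     "requestParameters": {"bucketName": "example-bucket",
                           "key": "config/proxy.cfg"}},
    {"eventTime": "2025-12-03T03:41:30Z", "eventName": "PutObject",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"},
     "requestParameters": {"bucketName": "example-bucket",
                           "key": "incoming/snapshot-01.vmdk"}},
    {"eventTime": "2025-12-04T11:02:09Z", "eventName": "PutObject",
     "sourceIPAddress": "192.0.2.5",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/session"},
     "requestParameters": {"bucketName": "example-bucket",
                           "key": "incoming/export.zip"}},
])


def is_known_ip(value):
    """True if value is an IP inside a known range. CloudTrail may put an AWS
    service DNS name in sourceIPAddress; a non-IP value counts as not known."""
    try:
        addr = ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in KNOWN_NETWORKS)


def review_events(raw_json):
    """Return one finding per event that fails the inventory checks."""
    findings = []
    for ev in json.loads(raw_json):
        reasons = []
        ip = ev.get("sourceIPAddress", "")
        arn = ev.get("userIdentity", {}).get("arn", "")
        if not is_known_ip(ip):
            reasons.append("source-ip-outside-known-ranges")
        if arn not in KNOWN_PRINCIPALS:
            reasons.append("unknown-principal")
        # A write from an unrecognised source is the "victim foots the bill" case.
        if ev.get("eventName") in WRITE_OPS and reasons:
            reasons.append("write-from-unrecognised-source")
        if reasons:
            findings.append({
                "time": ev.get("eventTime"),
                "op": ev.get("eventName"),
                "key": ev.get("requestParameters", {}).get("key"),
                "ip": ip,
                "principal": arn,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in review_events(RAW_EVENTS):
        print(f"{f['time']} {f['op']} {f['key']} from {f['ip']} as {f['principal']}")
        print("   ", ", ".join(f["reasons"]))
```

The second and third constructed events are the pattern described above: valid credentials, an address the owner has never used, a config object read and then a large object written. Either of those alone looks like a stray laptop; together they are worth a credential rotation and a bucket policy that restricts writes to the owner's own address range.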
The Italian Machine in the Snapshot
A review of files in the bucket turned up virtual machine snapshots, one holding the current configuration and live state of a computer belonging to an Italian government entity. For an espionage crew, a running machine’s saved state is close to a map of how a network is built and where the valuable systems sit.
What Left the Spanish Network
Over roughly two months spanning the end of 2025 and the start of 2026, 20 fresh files appeared in the bucket, two of them taken from a Spanish government body. One was an XML file holding saved connection settings from mRemoteNG, an open-source manager for remote sessions.
The other was a Microsoft Visio diagram mapping the infrastructure behind one of the organisation’s domains. Together they hand an intruder a ready-made blueprint of the target’s network, the kind of internal documentation that normally takes weeks of quiet probing to assemble.
Proxy Tools and a WordPress Decoy on GitHub
Stolen documents were only part of the goal. The sheer number of custom proxy tools suggests the group is also stitching victims into a larger hidden network, getting each compromised host to relay traffic for the next attack. ESET counted four of them in the recent campaigns:
- WormFrp, a reworked fast reverse proxy (frp) that pulls its settings from the hijacked Amazon account
- ChainWorm, which opens fixed ports to chain proxies across separate networks
- SmuxProxy, a tool with a hardcoded server address and built-in encryption
- WormSocket, which routes web requests through socket.io servers
The staging ground was equally low-key. The operators hid their tools in a GitHub repository forked from the open-source WordPress project, tucking malware into a wp-admin folder where it blended with normal-looking code. That repository is also how investigators closed the loop.
After decrypting the command channel, the team followed the trail to that GitHub project and a copy of SoftEther, an open-source VPN (virtual private network) application. A configuration file inside it carried an IP address that matched one already tied to Webworm, and that single reused address anchored the attribution. Every service in the chain, from chat to code host to cloud storage, was chosen for one reason: a defender would think twice before blocking it.
Frequently Asked Questions
What is Webworm?
Webworm is a China-aligned cyber espionage group active since at least 2022, when Symantec first documented it reworking older remote access trojans against targets in Asia. It is also tracked under names such as Space Pirates, and ESET’s 2025 research shows it has shifted toward government bodies in Europe.
How does the GraphWorm backdoor use Microsoft cloud services for control?
GraphWorm connects to Microsoft through the Graph API and uses cloud storage endpoints to take orders. For each infected machine it creates a dedicated folder with separate areas for jobs, files and results, encrypting the contents with AES-256 so the activity resembles ordinary Microsoft 365 traffic.
Which countries did the 2025 campaign target?
ESET confirmed government victims in Belgium, Italy, Poland, Serbia and Spain, plus a university in South Africa. Reconnaissance scanning reached wider, touching systems in Hungary, Nigeria and Czechia among more than 50 unique targets.
Why is this malware traffic hard to block?
The backdoors route commands through chat, cloud and code-hosting services that organisations rely on daily. Blocking those domains outright would disrupt legitimate work, so the malicious traffic blends into normal cloud activity and often slips past filtering.
How did ESET attribute the attacks to Webworm?
Researchers decrypted the malware’s command messages, which led them to a GitHub repository holding staged tools, including a SoftEther VPN application. A configuration file inside carried an IP address already linked to Webworm, tying the campaign back to the group.