HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Webworm Deploys EchoCreep and GraphWorm Backdoors via Discord and Microsoft Graph API, Targeting Government Agencies

Researchers have identified the China‑aligned Webworm group deploying new backdoors—EchoCreep and GraphWorm—that use Discord and Microsoft Graph API for command‑and‑control. The activity, observed in 2025, focuses on government agencies, highlighting the risk of legitimate cloud platforms being abused for malicious purposes.

LiveThreat™ Intelligence · 📅 May 20, 2026· 📰 thehackernews.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
thehackernews.com

Webworm Deploys EchoCreep and GraphWorm Backdoors via Discord and Microsoft Graph API, Targeting Government Agencies

What Happened – In 2025 the China‑aligned threat actor Webworm released two custom backdoors, EchoCreep and GraphWorm. Both backdoors use Discord servers and the Microsoft Graph API as covert command‑and‑control (C2) channels, allowing operators to steer compromised hosts inside government networks.

Why It Matters for TPRM

  • Legitimate cloud services (Discord, Microsoft 365) are being weaponized, expanding the attack surface of any vendor that integrates these platforms.
  • Government agencies and their supply‑chain partners may inherit risk from a compromised third‑party C2 channel even without a direct breach of their own infrastructure.
  • Detection and mitigation require visibility into outbound traffic to SaaS APIs, not just traditional network ports.

Who Is Affected – Government agencies, contractors, and any organization that relies on Microsoft Graph API or Discord for collaboration, authentication, or automation.

Recommended Actions – Review and tighten Microsoft Graph API permissions, enforce MFA for all service accounts, monitor outbound Discord and Graph traffic for anomalies, update endpoint detection rules with EchoCreep/GraphWorm IOCs, and incorporate SaaS‑abuse monitoring into third‑party risk programs.

Technical Notes

  • Attack vector: Abuse of legitimate third‑party platforms (Discord, Microsoft Graph) for stealthy C2.
  • Backdoors: EchoCreep (Discord‑based) and GraphWorm (Microsoft Graph‑based).
  • Data types: Not publicly disclosed; focus is on remote control rather than immediate data exfiltration.
  • No known CVE – the threat relies on protocol misuse rather than software vulnerability.

Source: The Hacker News

📰 Original Source
https://thehackernews.com/2026/05/webworm-deploys-echocreep-and-graphworm.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

Point-in-time vendor reviews miss incidents like this.

Verisq AI Trust Operations replaces the annual questionnaire with continuous third-party monitoring — so vendor exposure becomes audit evidence, not a once-a-year guess.

See how Verisq AI Trust Operations works →