Webworm Deploys EchoCreep and GraphWorm Backdoors via Discord and Microsoft Graph API, Targeting Government Agencies
What Happened – In 2025 the China‑aligned threat actor Webworm released two custom backdoors, EchoCreep and GraphWorm. Both backdoors use Discord servers and the Microsoft Graph API as covert command‑and‑control (C2) channels, allowing operators to steer compromised hosts inside government networks.
Why It Matters for TPRM –
- Legitimate cloud services (Discord, Microsoft 365) are being weaponized, expanding the attack surface of any vendor that integrates these platforms.
- Government agencies and their supply‑chain partners may inherit risk from a compromised third‑party C2 channel even without a direct breach of their own infrastructure.
- Detection and mitigation require visibility into outbound traffic to SaaS APIs, not just traditional network ports.
Who Is Affected – Government agencies, contractors, and any organization that relies on Microsoft Graph API or Discord for collaboration, authentication, or automation.
Recommended Actions – Review and tighten Microsoft Graph API permissions, enforce MFA for all service accounts, monitor outbound Discord and Graph traffic for anomalies, update endpoint detection rules with EchoCreep/GraphWorm IOCs, and incorporate SaaS‑abuse monitoring into third‑party risk programs.
Technical Notes –
- Attack vector: Abuse of legitimate third‑party platforms (Discord, Microsoft Graph) for stealthy C2.
- Backdoors: EchoCreep (Discord‑based) and GraphWorm (Microsoft Graph‑based).
- Data types: Not publicly disclosed; focus is on remote control rather than immediate data exfiltration.
- No known CVE – the threat relies on protocol misuse rather than software vulnerability.
Source: The Hacker News