Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API
Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API
20 May 2026
Cybersecurity researchers have flagged fresh activity from a China-aligned threat actor known as Webworm in 2025, deploying custom backdoors that employ Discord and Microsoft Graph API for command-and-control (C2 or C&C) communications.
Webworm, first publicly documented by Broadcom-owned Symantec in September 2022, is assessed to be active since at least 2022, targeting government agencies