A China-aligned advanced persistent threat group, tracked as Webworm, has been updating its arsenal with new custom tools and backdoors since 2025, ESET reported.
The cybersecurity firm says that Webworm, previously associated with China-linked groups SixLittleMonkeys and FishMonger, has shifted from the McRat (9002 RAT) and Trochilus remote access trojans to lightweight proxy infrastructure and cloud-based command-and-control (C&C) mechanisms designed to evade detection.
Among the new additions are two backdoors called EchoCreep and GraphWorm. EchoCreep abuses Discord APIs for C&C communications, allowing attackers to upload files, issue commands, and receive runtime reports via crafted HTTP requests routed through Discord channels. During analysis, researchers decrypted more than 400 Discord messages spread across four separate victim-specific channels, ultimately discovering an attacker-controlled GitHub repository hosting malicious tooling and staged payloads. Researchers also found a configuration file for the legitimate SoftEther VPN application containing an IP address previously linked to Webworm infrastructure.
GraphWorm, internally referred to as OverOneDrive, is written in Go and leverages Microsoft Graph API communications exclusively through OneDrive. The malware establishes persistence at user logon and uses Microsoft cloud services to exchange commands and exfiltrate victim data, blending malicious traffic with legitimate enterprise activity.
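Both backdoors share one defensive handle: their C&C rides on public cloud APIs (Discord for EchoCreep, Microsoft Graph/OneDrive for GraphWorm), so the useful question for a SOC is which process on which host is talking to those APIs. The check below is an added example, not code from ESET's report; the log line format, the baseline of expected client processes and the sample events are all assumptions made for illustration.

```python
"""Flag unexpected processes reaching the cloud APIs that EchoCreep (Discord) and GraphWorm
(Microsoft Graph/OneDrive) use for C&C. Log format and process baseline are assumptions."""
import re
from collections import defaultdict

# Public API hosts, with the path prefix that marks API traffic rather than web browsing.
CLOUD_C2_HOSTS = {
    "discord.com": ("/api/", "Discord API C&C (EchoCreep pattern)"),
    "graph.microsoft.com": ("/", "Microsoft Graph/OneDrive C&C (GraphWorm pattern)"),
}
# Assumed baseline: processes legitimately expected to reach each host.
EXPECTED_PROCS = {
    "discord.com": {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
    "graph.microsoft.com": {"onedrive.exe", "teams.exe", "outlook.exe", "msedge.exe"},
}
# Assumed proxy/EDR line shape: "<ts> host=<name> proc=<image> dst=<fqdn><path>"
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>[^ /]+)(?P<path>\S*)")

def parse_event(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unrecognised line shape; caller skips it
    ev = m.groupdict()
    ev["proc"], ev["dst"] = ev["proc"].lower(), ev["dst"].lower()
    return ev

def find_suspicious(lines, min_hits=1):
    """Return [(host, proc, dst, hits, reason)]; repeated hits from one process suggest beaconing."""
    hits = defaultdict(int)
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["dst"] not in CLOUD_C2_HOSTS:
            continue
        if not ev["path"].startswith(CLOUD_C2_HOSTS[ev["dst"]][0]):
            continue  # e.g. plain browsing of discord.com, not its REST API
        if ev["proc"] in EXPECTED_PROCS[ev["dst"]]:
            continue  # baseline client; a hijacked browser needs other telemetry
        hits[(ev["host"], ev["proc"], ev["dst"])] += 1
    return [(h, p, d, n, CLOUD_C2_HOSTS[d][1])
            for (h, p, d), n in sorted(hits.items()) if n >= min_hits]

# Constructed sample events; hostnames, process names, ids and paths are invented.
SAMPLE_LOG = [
    "2025-03-02T08:00:01Z host=WS-17 proc=chrome.exe dst=discord.com/api/v10/users/@me",
    "2025-03-02T08:00:05Z host=WS-17 proc=svchost.exe dst=discord.com/api/v10/channels/111/messages",
    "2025-03-02T08:01:05Z host=WS-17 proc=svchost.exe dst=discord.com/api/v10/channels/111/messages",
    "2025-03-02T08:03:00Z host=SRV-04 proc=OneDrive.exe dst=graph.microsoft.com/v1.0/me/drive/root",
    "2025-03-02T08:03:30Z host=SRV-04 proc=updater.exe dst=graph.microsoft.com/v1.0/me/drive/root/children",
    "2025-03-02T08:04:00Z host=SRV-04 proc=updater.exe dst=discord.com/",
]
```

On the sample, `find_suspicious(SAMPLE_LOG)` reports `svchost.exe` on WS-17 hitting the Discord API twice and `updater.exe` on SRV-04 reaching Graph once, while the browser, Discord client and OneDrive traffic and the non-API `discord.com/` request are ignored.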
The group has also developed several custom proxy and tunneling tools intended to create a distributed covert relay infrastructure. WormFrp extends the open-source fast reverse proxy (frp) utility with the ability to retrieve configuration data from compromised Amazon S3 buckets.
ChainWorm appears to be designed to expand Webworm’s hidden proxy network by exposing listening ports on infected systems, while SmuxProxy (based on the iox intranet proxy utility) introduces encrypted communications with hardcoded infrastructure parameters for simplified deployment.
Another tool, called WormSocket, uses socket.io servers to establish scalable web request proxies capable of selectively routing traffic through designated network nodes.
“These custom proxy tools are not only capable of encrypting communications, but also support chaining across multiple hosts both internally and externally to a network. We believe that the operators use these tools in conjunction with SoftEther VPN to better cover their tracks and increase the stealth of their activities,” ESET says. “All Webworm proxies and VPN services are cloud servers that belong to network infrastructure controlled by Vultr and IT7 Networks. Based on the number of proxy tools and their complexities, Webworm may be creating a much larger hidden network by tricking victims into running its proxies.”
Initially, Webworm focused on targets across Asia, but in its recent campaigns the group has been observed attacking government entities in Belgium, Italy, Serbia, and Poland, as well as a university in South Africa.