Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API

thehackernews.com·May 20, 2026

Cybersecurity researchers have identified new activities from the China-aligned threat actor Webworm in 2025, utilizing custom backdoors for command-and-control communications via Discord and Microsoft Graph API, and have been active since at least 2022, primarily targeting government agencies.

The most valuable insight for you is the emergence of Webworm's new tactics involving the use of Discord and Microsoft Graph API for C2 communications. This highlights the need to monitor and secure these platforms within your organization's network to mitigate potential threats from sophisticated state-aligned actors, ensuring your threat intelligence and incident response teams are prepared to address such novel attack vectors.

Want more content like this?

twixb tracks your favorite blogs and social media, filters by keywords, and delivers personalized key learnings — straight to your inbox.

Create Your Own →Explore Newsfeeds

More from Cybersecurity News

Recent stories curated alongside this one.

Browse all Cybersecurity News →

Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API

Want more content like this?

More from Cybersecurity News

Srsly Risky Biz: Politicians ditch Signal for homegrown apps

Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks

Ukraine identifies infostealer operator tied to 28,000 stolen accounts

Hackers bypass SonicWall VPN MFA due to incomplete patching

Cyber Pros Can't Decide If AI Is a Good or a Bad Thing