{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/microsoft-graph-api/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Webworm"],"_cs_cpes":["cpe:2.3:a:squirrelmail:squirrelmail:1.4.22:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":8.8,"id":"CVE-2017-7692"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Graph API","OneDrive","SoftEther VPN","mRemoteNG","Amazon S3"],"_cs_severities":["high"],"_cs_tags":["webworm","apt","discord","microsoft graph api","proxy tool"],"_cs_type":"threat","_cs_vendors":["Microsoft","GitHub","Vultr","IT7 Networks","Amazon"],"content_html":"\u003cp\u003eESET researchers have detailed the 2025 activities of Webworm, a China-aligned APT group known since 2022. The group, originally targeting Asian organizations, has shifted its focus to European governmental organizations and a South African university. Webworm has moved away from traditional backdoors such as McRat and Trochilus and now utilizes legitimate or semi-legitimate tools, as well as custom proxy solutions. Key additions to their toolset include EchoCreep, a Discord-based backdoor, and GraphWorm, which leverages Microsoft Graph API for command and control. Webworm also employs GitHub repositories to stage malware for direct download onto compromised systems, enhancing stealth and evading detection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise of a system through an undisclosed method, possibly exploiting CVE-2017-7692.\u003c/li\u003e\n\u003cli\u003eEstablishment of persistence using GraphWorm via registry modifications.\u003c/li\u003e\n\u003cli\u003eDeployment of EchoCreep, utilizing Discord channels for C\u0026amp;C communication via crafted HTTP requests.\u003c/li\u003e\n\u003cli\u003eUtilization of GraphWorm with Microsoft Graph API using OneDrive endpoints to retrieve jobs and upload victim information.\u003c/li\u003e\n\u003cli\u003eConfiguration retrieval for WormFrp from a compromised Amazon S3 bucket at \u003ccode\u003ewamanharipethe.s3.ap-south-1.amazonaws[.]com\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eCredential dumping using SharpSecretsdump, uploaded to the compromised S3 bucket.\u003c/li\u003e\n\u003cli\u003eLateral movement and internal reconnaissance using tools staged on GitHub and custom proxy tools like WormFrp, ChainWorm, and SmuxProxy.\u003c/li\u003e\n\u003cli\u003eData exfiltration of sensitive information, such as VM snapshots and network diagrams, through the compromised Amazon S3 bucket.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eWebworm\u0026rsquo;s activities in 2025 targeted governmental organizations in Belgium, Italy, Serbia, and Poland, as well as a university in South Africa. Compromised Amazon S3 buckets were used for data exfiltration, potentially leading to exposure of sensitive government data and infrastructure details. Decryption of over 400 Discord messages revealed reconnaissance commands used against more than 50 unique targets, highlighting the scope of the group\u0026rsquo;s operations. Successful exploitation of virtual machine management environments could lead to widespread infrastructure compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for connections to known Webworm infrastructure, including Vultr and IT7 Networks ASNs (see IOCs) and Discord traffic for abnormal C2 activity.\u003c/li\u003e\n\u003cli\u003eImplement detections for processes utilizing the Microsoft Graph API for unusual activities, specifically uploads to OneDrive (see GraphWorm description).\u003c/li\u003e\n\u003cli\u003eMonitor for scheduled tasks resembling \u0026ldquo;MicrosoftSSHUpdate\u0026rdquo; used by EchoCreep for persistence (see Attack Chain).\u003c/li\u003e\n\u003cli\u003eBlock access to the compromised S3 bucket \u003ccode\u003ewamanharipethe.s3.ap-south-1.amazonaws[.]com\u003c/code\u003e at the network perimeter (see IOCs).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Webworm Tool Download From GitHub\u0026rdquo; to detect download of known tools (see rules).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u003ccode\u003eSharpSecretsdump\u003c/code\u003e from unusual locations (see Attack Chain).\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule to detect proxy tool execution, focusing on named proxy tools (see rules).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T06:46:03Z","date_published":"2026-05-21T06:46:03Z","id":"https://feed.craftedsignal.io/briefs/2026-05-webworm-new-techniques/","summary":"The Webworm APT group is using updated tactics, techniques, and procedures, including new backdoors using Discord and Microsoft Graph API for command and control, custom proxy tools, and GitHub for malware staging, shifting focus to European governmental organizations.","title":"Webworm APT Updates TTPs with Discord and Microsoft Graph C2","url":"https://feed.craftedsignal.io/briefs/2026-05-webworm-new-techniques/"}],"language":"en","title":"CraftedSignal Threat Feed — Microsoft Graph API","version":"https://jsonfeed.org/version/1.1"}