Webworm: New Burrowing Techniques

WeLiveSecurity, May 20, 2026

Why It Matters

By adopting mainstream cloud services for C2, Webworm evades traditional network defenses, raising the risk of compromise for organizations that trust platforms like Discord and Microsoft 365. The trend signals a broader move among APT groups toward abusing legitimate SaaS channels.

Key Takeaways

  • Webworm added Discord‑based EchoCreep and GraphWorm backdoors in 2025.
  • Group shifted focus from Asia to European governments and South Africa.
  • Custom proxy tools (WormFrp, ChainWorm, SmuxProxy, WormSocket) enable encrypted multi‑hop tunneling.
  • Malware staged on GitHub and a misconfigured Amazon S3 bucket, the latter also used for exfiltration.
  • Infrastructure hosted on Vultr and IT7 Networks cloud services.

Pulse Analysis

The evolution of advanced persistent threats is increasingly defined by their ability to blend into legitimate cloud ecosystems. Webworm’s 2025 campaign exemplifies this shift: rather than relying on traditional command‑and‑control servers, the group now exploits Discord’s API and Microsoft Graph’s OneDrive endpoints, platforms that blend seamlessly into everyday corporate traffic. This approach mirrors a broader industry pattern where threat actors co‑opt SaaS services to bypass perimeter defenses, leveraging the trust and ubiquity of these services to mask malicious communications.

Technically, EchoCreep and GraphWorm demonstrate sophisticated use of encryption and API calls. EchoCreep encodes commands in base64, encrypts them with AES‑128‑CBC, and transmits them through Discord channels, while GraphWorm encrypts data with AES‑256‑CBC before uploading it to OneDrive folders uniquely tied to each victim. Complementing these backdoors are custom proxy utilities—WormFrp, ChainWorm, SmuxProxy, and WormSocket—that create layered, encrypted tunnels across cloud servers hosted by Vultr and IT7 Networks. By staging payloads on a public GitHub fork and a misconfigured Amazon S3 bucket, Webworm ensures rapid delivery and persistent access without needing bespoke infrastructure.

For defenders, the key takeaway is the need to extend monitoring beyond traditional network boundaries into cloud‑native activity. Organizations should implement strict API usage baselines, enforce least‑privilege access for SaaS integrations, and employ behavioral analytics to detect anomalous file uploads or command patterns on platforms like Discord and OneDrive. As APT groups continue to weaponize legitimate services, a proactive, zero‑trust stance that scrutinizes both inbound and outbound cloud traffic will be essential to mitigate these emerging threats.
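As an added illustration of the behavioral baseline described above (example code written for this page, not ESET's tooling or anything from the report), the script below groups constructed proxy-log requests to the Discord and Microsoft Graph endpoints the report names and flags client hosts whose request timing is too regular to be a person clicking around. The log lines, host names, thresholds and the coefficient-of-variation heuristic are all assumptions chosen for the demonstration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy-log sample (NOT data from the ESET report):
# "<timestamp> <client host> <destination host> <path>" per line.
SAMPLE_LOG = """\
2026-05-18T09:00:00Z host-a discord.com /api/v10/channels/123/messages
2026-05-18T09:01:00Z host-a discord.com /api/v10/channels/123/messages
2026-05-18T09:02:01Z host-a discord.com /api/v10/channels/123/messages
2026-05-18T09:03:00Z host-a discord.com /api/v10/channels/123/messages
2026-05-18T09:04:00Z host-a discord.com /api/v10/channels/123/messages
2026-05-18T09:00:10Z host-b graph.microsoft.com /v1.0/me/drive/root/children
2026-05-18T11:37:42Z host-b graph.microsoft.com /v1.0/me/drive/root/children
2026-05-18T09:00:30Z host-c teams.microsoft.com /api/csa/teams
"""
# SaaS endpoints the report names as Webworm C2 / exfiltration channels.
WATCHED = {"discord.com": "Discord API", "graph.microsoft.com": "Microsoft Graph"}

def parse(log):
    """Group request timestamps by (client host, watched destination)."""
    events = defaultdict(list)
    for line in log.splitlines():
        ts, host, dest, _path = line.split(maxsplit=3)
        if dest in WATCHED:
            events[(host, dest)].append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    return events

def beacon_stats(times):
    """Mean gap between requests and its coefficient of variation (stdev / mean)."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else float("inf"))

def find_beacons(log, min_events=4, max_cv=0.2):
    """Flag host/destination pairs whose request timing is too regular for a human."""
    hits = []
    for (host, dest), times in parse(log).items():
        if len(times) < min_events:
            continue  # too few requests to judge periodicity (assumed threshold)
        avg, cv = beacon_stats(sorted(times))
        if cv <= max_cv:
            hits.append({"host": host, "service": WATCHED[dest], "count": len(times),
                         "mean_interval_s": avg, "cv": round(cv, 4)})
    return hits

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

With the sample input only host-a is flagged: five requests to the Discord messages API about 60 seconds apart, while host-b's two OneDrive listings hours apart fall under the event threshold.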
