Recent findings from cybersecurity researchers have highlighted the continued activity of the China-aligned threat actor known as Webworm, which has been operational since at least 2022. The group has deployed sophisticated backdoors, named EchoCreep and GraphWorm, that use popular platforms such as Discord and the Microsoft Graph API for their command-and-control (C2) communications. This development underscores the evolving tactics of cybercriminals who are leveraging widely used services to bypass traditional security measures.
For businesses, especially those in sectors such as government and technology that may be targeted by state-sponsored actors, the implications are significant. Organizations must reevaluate their cybersecurity strategies to account for these unconventional C2 methods. This includes implementing stricter monitoring of third-party applications and enhancing incident response protocols to detect and mitigate such threats swiftly. As the landscape of cyber threats continues to evolve, understanding the tactics employed by groups like Webworm is crucial for developing robust defenses against potential breaches.
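One way to start monitoring for this kind of C2 is to flag processes that contact Discord or Microsoft Graph endpoints but are not expected clients of those services. The sketch below is an added example, not code from the original report. The log schema, the per-service allowlists, and every host and process name in the sample are constructed assumptions, not indicators from the research.

```python
import csv
import io
from collections import defaultdict

# Hostnames for the two services the article names as C2 channels.
WATCHED_HOSTS = {
    "discord.com": "discord",
    "gateway.discord.gg": "discord",
    "graph.microsoft.com": "graph",
}

# Assumption: processes expected to use each service in this environment.
EXPECTED_CLIENTS = {
    "discord": {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
    "graph": {"outlook.exe", "teams.exe", "onedrive.exe", "msedge.exe", "chrome.exe"},
}

# Constructed sample egress log; process names are made up for illustration.
SAMPLE_LOG = """\
ts,host,process,dest,bytes_out
2026-05-01T09:00:00Z,WS-014,outlook.exe,graph.microsoft.com,1820
2026-05-01T09:00:05Z,WS-014,chrome.exe,discord.com,950
2026-05-01T09:01:00Z,SRV-DB02,svcupd.exe,graph.microsoft.com,40211
2026-05-01T09:06:00Z,SRV-DB02,svcupd.exe,graph.microsoft.com,38877
2026-05-01T09:02:10Z,SRV-WEB01,w3helper.exe,discord.com,5120
2026-05-01T09:03:00Z,WS-020,teams.exe,graph.microsoft.com,700
2026-05-01T09:04:00Z,WS-020,notepad.exe,example.org,100
"""

def find_unexpected_clients(log_text):
    """Return {(host, process, service): {"count", "bytes_out"}} for traffic
    to a watched service from a process that is not on its allowlist."""
    findings = defaultdict(lambda: {"count": 0, "bytes_out": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        dest = row["dest"].strip().lower().rstrip(".")
        service = WATCHED_HOSTS.get(dest)
        if service is None:
            continue  # destination is not one of the watched services
        process = row["process"].strip().lower()
        if process in EXPECTED_CLIENTS[service]:
            continue  # known client of this service
        key = (row["host"], process, service)
        findings[key]["count"] += 1
        findings[key]["bytes_out"] += int(row["bytes_out"])
    return dict(findings)

if __name__ == "__main__":
    for (host, proc, svc), s in sorted(find_unexpected_clients(SAMPLE_LOG).items()):
        print(f"{host}: {proc} -> {svc} x{s['count']} ({s['bytes_out']} bytes out)")
```

Process names are easy to spoof, so results from a check like this are triage leads to confirm against binary path, signer and parent process, not verdicts.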
---
*Originally reported by [The Hacker News](https://thehackernews.com/2026/05/webworm-deploys-echocreep-and-graphworm.html)*