
Webworm: New burrowing techniques

The China-aligned APT group Webworm has updated its toolset in 2025, shifting focus to European and South African targets. The group deployed two new custom backdoors, EchoCreep and GraphWorm, which abuse Discord and the Microsoft Graph API respectively for command and control. Additionally, Webworm utilizes a complex network of custom proxy tools and compromised infrastructure, including GitHub and Amazon S3, to stage payloads and exfiltrate data.

Sensitivity: 24h | Confidence: high | Analyzed: 2026-05-20 | Google

Authors: ESET Research

Actors: Webworm, SixLittleMonkeys, FishMonger, EchoCreep, GraphWorm, McRat, Trochilus

Source: ESET

IOCs · 14


What Happened

A cyber espionage group known as Webworm has launched new attacks targeting government organizations in Europe and a university in South Africa. The attackers are using new, custom-built malicious software that hides its communications within popular legitimate services like Discord and Microsoft OneDrive. This allows the hackers to steal data and control infected computers while blending in with normal network traffic. Organizations should monitor their network traffic for unusual connections to these services and ensure their web servers are patched against known vulnerabilities.

Key Takeaways

  • The Webworm APT group has shifted its targeting from Asia to Europe and South Africa, focusing on governmental organizations.
  • Webworm deployed two new custom backdoors in 2025: EchoCreep (using Discord for C&C) and GraphWorm (using Microsoft Graph API/OneDrive for C&C).
  • The threat actors utilize a complex network of custom proxy tools (WormFrp, ChainWorm, SmuxProxy, WormSocket) to obfuscate their infrastructure.
  • Webworm leverages compromised Amazon S3 buckets and GitHub repositories to stage payloads and exfiltrate data.
  • Initial access attempts involve open-source vulnerability scanners (nuclei) and directory brute-forcing tools (dirsearch).

Affected Systems

  • Windows
  • Web Servers
  • SquirrelMail

Vulnerabilities (CVEs)

  • CVE-2017-7692

Attack Chain

Webworm gains initial access by scanning web servers with tools like nuclei and dirsearch, exploiting vulnerabilities such as CVE-2017-7692. Once inside, they deploy custom backdoors like EchoCreep or GraphWorm, which establish persistence via scheduled tasks or registry run keys. These backdoors communicate with C2 infrastructure hosted on Discord or Microsoft Graph API (OneDrive). The attackers also deploy a complex chain of custom proxy tools (WormFrp, SmuxProxy) to route traffic and exfiltrate data to compromised Amazon S3 buckets.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules, but mentions that a comprehensive list of IOCs is available in the ESET GitHub repository.

Detection Engineering Assessment

  • EDR Visibility: High — EDR solutions can detect the creation of scheduled tasks (MicrosoftSSHUpdate), modifications to Registry Run keys, and unusual child processes spawned by the backdoors.
  • Network Visibility: Medium — While C2 traffic is encrypted and blends with legitimate Discord and Microsoft Graph API traffic, connections to known VPS hosting providers (Vultr, IT7 Networks) on non-standard proxy ports can be identified.
  • Detection Difficulty: Hard — The use of legitimate cloud services (Discord, OneDrive) for C2 makes network-based detection very difficult without SSL inspection and tenant-level filtering.

Required Log Sources

  • Sysmon Event ID 1 (Process Creation)
  • Sysmon Event ID 3 (Network Connection)
  • Sysmon Event ID 11 (File Create)
  • Sysmon Event ID 13 (Registry Event)

Hunting Hypotheses

Each row below gives the hypothesis, the telemetry needed, the ATT&CK stage and the false-positive risk.

  • Hypothesis: Hunt for unusual processes communicating with Discord API endpoints or the Microsoft Graph API, especially if they are not standard web browsers or official clients. | Telemetry: Network flow logs, EDR network events | ATT&CK stage: Command and Control | FP risk: High
  • Hypothesis: If you have visibility into scheduled tasks, monitor for the creation of a task named 'MicrosoftSSHUpdate'. | Telemetry: Windows Event Log (Security 4698), EDR task creation events | ATT&CK stage: Persistence | FP risk: Low
  • Hypothesis: Hunt for the creation of files named 'beacon_shell_output.txt' or 'alive.txt' in temporary directories. | Telemetry: EDR file creation events, Sysmon Event ID 11 | ATT&CK stage: Collection | FP risk: Low
  • Hypothesis: Evaluate whether internal hosts are making outbound connections to known VPS hosting providers (Vultr, IT7 Networks) on non-standard ports, which may indicate proxy tool usage. | Telemetry: Firewall logs, NetFlow | ATT&CK stage: Command and Control | FP risk: Medium

Control Gaps

  • Lack of SSL inspection for cloud services
  • Permissive outbound access to Discord and personal OneDrive tenants

Key Behavioral Indicators

  • Processes making API calls to /createUploadSession on OneDrive
  • Creation of MicrosoftSSHUpdate scheduled task
  • Presence of WormFrp, SmuxProxy, or WormSocket artifacts
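An added example, not from the ESET report or this summary, that turns the Hunting Hypotheses table and the Key Behavioral Indicators above into checks over Sysmon and Security events. Field names follow Sysmon (Image, DestinationHostname, TargetFilename, TargetObject) and Security 4698 (TaskName); the allow-list of expected client binaries and the sample events are constructed assumptions, and the Discord/Graph check carries the high false-positive risk the table notes.

```python
import ntpath
from collections import defaultdict

# Hypothesis 1: processes other than browsers/official clients reaching Discord or Graph.
C2_HOSTS = {"discord.com", "discordapp.com", "graph.microsoft.com"}
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "discord.exe",
                    "onedrive.exe", "teams.exe", "outlook.exe"}  # assumption; tune per environment
# Hypotheses 2-3 plus the GraphWorm file names and Run-key indicator listed on this page.
TASK_NAME = "microsoftsshupdate"
STAGING_FILES = {"beacon_shell_output.txt", "alive.txt", "config.dat"}
TEMP_DIRS = ("\\temp\\", "\\tmp\\")
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

def evaluate(ev):
    """Return the hypothesis labels one Sysmon/Security event matches (empty = no hit)."""
    hits, eid, chan = [], ev.get("EventID"), ev.get("Channel")
    image = ntpath.basename(ev.get("Image", "")).lower()
    if chan == "Sysmon" and eid == 3 and image not in EXPECTED_CLIENTS \
            and ev.get("DestinationHostname", "").lower() in C2_HOSTS:
        hits.append("c2:cloud-service-unexpected-client")   # FP risk: High
    if chan == "Security" and eid == 4698 and TASK_NAME in ev.get("TaskName", "").lower():
        hits.append("persistence:MicrosoftSSHUpdate-task")  # FP risk: Low
    if chan == "Sysmon" and eid == 11:
        path = ev.get("TargetFilename", "").lower()
        if ntpath.basename(path) in STAGING_FILES and any(d in path for d in TEMP_DIRS):
            hits.append("collection:graphworm-staging-file")  # FP risk: Low
    if chan == "Sysmon" and eid == 13 and any(k in ev.get("TargetObject", "").lower() for k in RUN_KEYS):
        hits.append("persistence:run-key-write")  # noisy alone; triage together with other hits
    return hits

def hunt(events):
    """Aggregate hits per hypothesis into a sorted host list for triage."""
    found = defaultdict(set)
    for ev in events:
        for label in evaluate(ev):
            found[label].add(ev.get("Computer", "?"))
    return {label: sorted(hosts) for label, hosts in found.items()}

SAMPLE_EVENTS = [  # constructed events, not telemetry from the ESET report
    {"Channel": "Sysmon", "EventID": 3, "Computer": "ws01",
     "Image": r"C:\Windows\Temp\svc.exe", "DestinationHostname": "graph.microsoft.com"},
    {"Channel": "Sysmon", "EventID": 3, "Computer": "ws02",  # benign: browser reaching Discord
     "Image": r"C:\Program Files\Microsoft\Edge\msedge.exe", "DestinationHostname": "discord.com"},
    {"Channel": "Security", "EventID": 4698, "Computer": "ws01", "TaskName": r"\MicrosoftSSHUpdate"},
    {"Channel": "Sysmon", "EventID": 11, "Computer": "ws01",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\beacon_shell_output.txt"},
    {"Channel": "Sysmon", "EventID": 13, "Computer": "ws03",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
]
```

Running hunt(SAMPLE_EVENTS) flags ws01 on three hypotheses and ws03 on the Run-key check only, while the browser connection to Discord on ws02 produces no hit.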

False Positive Assessment

  • Low for specific hashes and IPs, but High for network hunting based solely on Discord or OneDrive traffic, as these are widely used legitimate services.

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Consider blocking the identified IP addresses and S3 bucket URLs at the perimeter.
  • Search endpoint telemetry for the provided SHA-1 hashes and file names.

Infrastructure Hardening

  • Consider restricting outbound access to Discord and personal OneDrive tenants if not required for business operations.
  • Evaluate whether strict network segmentation can be implemented to limit the blast radius of compromised web servers.
  • Ensure all public-facing web applications (like SquirrelMail) are fully patched against known vulnerabilities.

User Protection

  • If supported by your tooling, deploy EDR solutions to monitor for suspicious registry modifications and scheduled task creations.
  • Consider enforcing MFA for all remote access and cloud service accounts.

Security Awareness

  • Consider educating security teams on the abuse of legitimate cloud services (Discord, Microsoft Graph) for command and control.

MITRE ATT&CK Mapping

  • T1595.002 - Active Scanning: Vulnerability Scanning
  • T1595.003 - Active Scanning: Wordlist Scanning
  • T1588.006 - Obtain Capabilities: Vulnerabilities
  • T1583.004 - Acquire Infrastructure: Server
  • T1583.003 - Acquire Infrastructure: Virtual Private Server
  • T1584.006 - Compromise Infrastructure: Web Services
  • T1608.002 - Stage Capabilities: Upload Tool
  • T1059.003 - Command and Scripting Interpreter: Windows Command Shell
  • T1053.005 - Scheduled Task/Job: Scheduled Task
  • T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1070.004 - Indicator Removal: File Deletion
  • T1112 - Modify Registry
  • T1027.013 - Obfuscated Files or Information: Encrypted/Encoded File
  • T1550.001 - Use Alternate Authentication Material: Application Access Token
  • T1078.004 - Valid Accounts: Cloud Accounts
  • T1070.006 - Indicator Removal: Timestomp
  • T1021.007 - Remote Services: Cloud Services
  • T1005 - Data from Local System
  • T1074.001 - Data Staged: Local Data Staging
  • T1074.002 - Data Staged: Remote Data Staging
  • T1071.001 - Application Layer Protocol: Web Protocols
  • T1132.001 - Data Encoding: Standard Encoding
  • T1573.002 - Encrypted Channel: Asymmetric Cryptography
  • T1090.003 - Proxy: Multi-hop Proxy
  • T1090.002 - Proxy: External Proxy
  • T1090.001 - Proxy: Internal Proxy
  • T1102.002 - Web Service: Bidirectional Communication
  • T1041 - Exfiltration Over C2 Channel
  • T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage

Additional IOCs

  • IPs:
    • 45[.]77[.]13[.]67 - WormSocket web socket server.
    • 104[.]243[.]23[.]43 - SmuxProxy server.
    • 108[.]61[.]200[.]151 - WormFrp proxy server.
    • 144[.]168[.]60[.]233 - Reverse shell IP discovered on SmuxProxy server.
  • File Hashes:
    • 1DF40A4A31B30B62EC33DC6FECC2C4408302ADC7 (SHA1) - WormFrp proxy tool (ssh.exe).
    • 7DCFE9EE25841DFD58D3D6871BF867FE32141DFB (SHA1) - WormHole proxy tool (svc.exe).
    • 948159A7FC2E688386864BEA59FD40DFFC4B24D6 (SHA1) - WormSocket proxy tool (MessengerClient.exe).
    • A3C077BDF8898E612CCD65BC82E7960834ADB2A9 (SHA1) - SmuxProxy tool, a custom iox with hardcoded IP (dsocks.exe).
  • File Paths:
    • beacon_shell_output.txt - File used by GraphWorm to temporarily store shell command outputs before uploading.
    • config.dat - Configuration file written to disk by the GraphWorm backdoor.
    • alive.txt - Heartbeat file updated by the GraphWorm backdoor.
    • SharpSecretsdump - Credential dumping tool uploaded to the compromised S3 bucket.
    • _1.sh - LegalHackers exploit script for CVE-2017-7692 found in the open directory.
    • C:\windows\temp\123.tar.gz - Archive downloaded via EchoCreep Discord command.
    • C:\tools\se\win64\test.vbs - VBScript executed via EchoCreep Discord command.
  • Command Lines:
    • Purpose: Vulnerability scanning against target web servers | Tools: nuclei | Stage: Reconnaissance | ./nuclei --target https://
    • Purpose: Web directory brute-forcing and scanning | Tools: dirsearch | Stage: Reconnaissance | dirsearch -u https://