How Webworm’s EchoCreep and GraphWorm Backdoors Abuse Cloud Platforms to Spy on European Governments

GraphWorm

• A backdoor that communicates via the Microsoft Graph API.
• The API enables attackers to interact with Microsoft 365 services programmatically, allowing malicious activity to blend into legitimate enterprise traffic.

During their investigation, ESET researchers decrypted more than 400 Discord messages linked to the operation, giving insight into how the attackers controlled infected machines and managed stolen data.

Abuse of legitimate cloud services

A key tactic in the Webworm campaign is the use of trusted cloud platforms for malicious operations. According to ESET, the group abused several legitimate services to hide its activity, including:

• Discord – Used by EchoCreep for command‑and‑control messaging and file transfers.
• Microsoft Graph API – Used by GraphWorm to communicate with attacker infrastructure through Microsoft 365 environments.
• Microsoft OneDrive – Leveraged to store or move stolen data and operational files.
• GitHub – Used as part of the infrastructure supporting malware operations and communication.

Using legitimate services allows attackers to disguise malicious traffic as normal cloud usage. Organizations are often reluctant to block services like Microsoft 365 or Discord entirely, which gives attackers a persistent covert communication channel.

European government targets

ESET’s investigation shows Webworm shifting its focus toward government institutions in Europe.

Observed targets include organizations in:

• Belgium
• Italy
• Poland
• Serbia
• Spain

The researchers also identified activity involving a university in South Africa, indicating the campaign extends beyond Europe.

While the affected sector is confirmed, public reporting does not disclose the specific ministries or agencies targeted.

A shift away from older malware

Webworm has been active since at least 2022 and historically relied on traditional remote access trojans (RATs) such as Trochilus and 9002 RAT (McRat).

However, ESET reports that the group has increasingly moved away from full‑featured RAT malware toward proxy and tunneling tools, along with lightweight backdoors.

This evolution provides several advantages:

• Reduced malware footprint on compromised machines
• Traffic that resembles legitimate network activity
• Fewer obvious indicators for antivirus and endpoint security tools

By combining these stealthier techniques with cloud‑based command channels, attackers can maintain persistence while minimizing the chances of detection.

Why these tactics are harder to detect

The Webworm campaign highlights a broader trend in advanced cyber‑espionage: hiding malicious operations inside legitimate services.

When attackers rely on platforms already trusted by organizations—such as Discord, OneDrive, or Microsoft APIs—security tools must distinguish between normal activity and malicious use of the same infrastructure. Blocking these services outright is often impractical, which gives threat actors a strategic advantage.

ESET’s findings show that Webworm is adapting its toolkit accordingly, shifting toward cloud‑native command‑and‑control channels and stealthier proxy‑based tooling that make espionage campaigns harder to uncover.

As attackers increasingly blend into normal cloud traffic, defenders must rely more on behavioral detection, identity monitoring, and anomaly analysis rather than simple domain or IP blocking.