Webworm Threat: New Discord & Graph API Backdoors Exposed

Cybersecurity researchers flag fresh Webworm activity in 2025 using EchoCreep and GraphWorm backdoors via Discord and Microsoft Graph API. Learn how this China-aligned threat actor targets government agencies and what it means for digital privacy.

Cybersecurity researchers have flagged fresh activity from a China-aligned threat actor known as Webworm in 2025. This group is deploying custom backdoors that use Discord and Microsoft Graph API for command-and-control (C2 or C&C) communications. It's a reminder that even everyday tools can be weaponized by sophisticated attackers.

Webworm, first publicly documented by Broadcom-owned Symantec in September 2022, is assessed to have been active since at least 2022. Their primary targets have been government agencies, and this latest campaign shows they're evolving their tactics.

### What Are EchoCreep and GraphWorm?

These are the two custom backdoors Webworm is using now. EchoCreep leverages Discord's infrastructure to send and receive commands, making it harder to detect because Discord traffic often blends in with normal user activity. GraphWorm, on the other hand, abuses Microsoft Graph API, a legitimate Microsoft service used for accessing Office 365 data. By hiding within trusted platforms, these backdoors can bypass many traditional security filters.

### Why This Matters for Security Professionals

If you're working in cybersecurity or managing digital privacy, this development is a big deal. Here's why:

- **Trusted platforms as attack vectors**: Attackers are increasingly using services like Discord and Microsoft Graph API because they're rarely blocked by firewalls. It's a clever way to fly under the radar.
- **Targeted attacks on government agencies**: Webworm isn't a random threat. They're focused on high-value targets, which means the stakes are higher for anyone in sensitive sectors.
- **Evolving tactics**: This group has been active for years, and their methods are getting more sophisticated. Staying ahead means understanding how these tools work.

### How Antidetect Browsers Fit In

You might be wondering, "What does this have to do with antidetect browsers?" Well, a lot.

Antidetect browsers are designed to protect your digital fingerprint by masking browser attributes like user agents, screen resolution, and time zone. But when threat actors use legitimate APIs and chat apps for C2, they're bypassing the very systems antidetect tools are meant to secure.

For professionals using antidetect browsers, this underscores the need for layered security. No single tool, whether it's a browser, a VPN, or a firewall, can protect you from everything. The best antidetect browser setups combine multiple defenses, including monitoring for unusual API calls or Discord traffic.

### Practical Steps You Can Take

Here are some actionable tips to stay safe:

- **Monitor for unusual Discord usage**: Keep an eye on any unexpected Discord bots or channels in your environment. If you see traffic you don't recognize, investigate it.
- **Audit Microsoft Graph API permissions**: Review which apps and users have access to Graph API. Revoke any that aren't necessary.
- **Use antidetect browsers wisely**: Choose a reputable antidetect browser that offers robust fingerprint randomization. But don't rely on it alone; combine it with endpoint detection and response tools.
- **Stay informed**: Follow cybersecurity news and updates from trusted sources. Threat actors like Webworm are constantly adapting, and so should you.

### The Bigger Picture

This campaign from Webworm is a stark reminder that cybersecurity is an arms race. As defenders get better, attackers find new ways in. By understanding how they're using tools like Discord and Microsoft Graph API, you can better protect your systems and data.

Remember, the goal isn't to be paranoid; it's to be prepared. With the right knowledge and tools, you can stay one step ahead.
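The "Monitor for unusual Discord usage" and "Audit Microsoft Graph API permissions" steps above both come down to spotting traffic to a trusted service from a place it should not originate. As an added example that is not part of the original article, the Python below classifies constructed endpoint connection events and flags Discord or Microsoft Graph destinations reached by processes outside an assumed allowlist; the hostname patterns, process allowlists and sample events are all assumptions or constructed data, not published indicators.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hostnames for the two trusted services the article names (assumption: extend locally).
SERVICE_PATTERNS = {
    "discord": re.compile(r"(^|\.)(discord\.com|discordapp\.com|discord\.gg)$"),
    "msgraph": re.compile(r"(^|\.)graph\.microsoft\.com$"),
}

# Processes expected to reach each service. Assumption: a starting allowlist to tune per site.
EXPECTED_PROCESSES = {
    "discord": {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
    "msgraph": {"outlook.exe", "teams.exe", "onedrive.exe", "msedge.exe", "chrome.exe"},
}

@dataclass(frozen=True)
class NetEvent:
    host: str     # endpoint that made the connection
    process: str  # image name of the connecting process (from EDR/proxy telemetry)
    dest: str     # destination FQDN

def classify_dest(dest: str) -> Optional[str]:
    """Return which watched service a destination belongs to, or None."""
    d = dest.lower().rstrip(".")
    for name, pattern in SERVICE_PATTERNS.items():
        if pattern.search(d):
            return name
    return None

def flag_events(events: List[NetEvent]) -> List[Tuple[NetEvent, str]]:
    """(event, service) pairs where a watched service is reached from an unexpected
    process. Caveat: process names can be spoofed and browsers can be injected into,
    so treat hits as triage leads to investigate, not proof of compromise."""
    hits = []
    for ev in events:
        service = classify_dest(ev.dest)
        if service and ev.process.lower() not in EXPECTED_PROCESSES[service]:
            hits.append((ev, service))
    return hits

# Constructed sample telemetry; none of these are real indicators.
SAMPLE_EVENTS = [
    NetEvent("ws01", "chrome.exe", "discord.com"),                  # browsing: expected
    NetEvent("ws02", "svchost.exe", "gateway.discord.gg"),          # odd source: flag
    NetEvent("srv03", "outlook.exe", "graph.microsoft.com"),        # Office client: expected
    NetEvent("srv03", "update_helper.exe", "graph.microsoft.com"),  # unknown binary: flag
    NetEvent("ws04", "rundll32.exe", "cdn.discordapp.com"),         # odd source: flag
]
```

Running `flag_events(SAMPLE_EVENTS)` returns the three connections from unexpected processes; each is a lead to check against the Graph API permission audit and the Discord bot review the article recommends.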