Mallory
Malware, used by 3 actors

EchoCreep

EchoCreep is a backdoor associated with the China-aligned threat actor Webworm, also tracked as Space Pirates and UAT-8302. Public reporting states Webworm introduced EchoCreep in 2025 as part of campaigns targeting government organizations in Belgium, Italy, Poland, Serbia, and Spain, as well as activity involving a university in South Africa. EchoCreep uses Discord for command-and-control communication and is described as allowing operators to upload files, send runtime reports, receive commands, and execute commands via cmd.exe. ESET reported decrypting 433 Discord messages tied to EchoCreep across four victim-specific Discord channels, with recovered activity indicating use dating back to March 21, 2024 and the first actual compromise in the recovered logs on April 9, 2025. The malware is described as Go-based, using crafted HTTP requests to Discord APIs; commands are base64-decoded and decrypted with AES-CBC-128. A known sample is SearchApp.exe, detected by ESET as WinGo/Agent.ZK, with SHA-1 CB4E50433336707381429707F59C3CBE8D497D98. Reported detection and hunting artifacts include the persistence task name MicrosoftSSHUpdate, the handshake string "Up Success," and Discord-related JSON field literals referenced in YARA material. EchoCreep was part of a broader Webworm toolset that also included GraphWorm and multiple proxy tools, and reporting notes that Webworm used GitHub repositories to stage malware and support tools, although the specific delivery mechanism for EchoCreep remains unknown.
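The artifacts listed above (the MicrosoftSSHUpdate task name, Discord API traffic from a non-browser process, cmd.exe children of that process, and the "Up Success" handshake string) can be turned into a small hunting pass over endpoint and proxy telemetry. The script below is an added example written for this page; it is not Mallory's or ESET's code. The event schema, the list of processes for which Discord traffic is considered expected, and the sample events (including the zeroed channel ID) are constructed assumptions to be mapped onto your own SIEM fields.

```python
"""Hunt constructed endpoint/proxy telemetry for the EchoCreep artifacts reported by ESET:
the MicrosoftSSHUpdate scheduled task, Discord API requests from an unexpected process,
cmd.exe spawned by that process, and the "Up Success" handshake string.
Event shapes are simplified and hypothetical; adapt the field names to your SIEM."""
import re
from pathlib import PureWindowsPath

TASK_NAME = "MicrosoftSSHUpdate"   # persistence task name reported for EchoCreep
HANDSHAKE = "Up Success"           # handshake string reported for EchoCreep
DISCORD_API = re.compile(r"^https://(?:[\w-]+\.)?discord(?:app)?\.com/api/", re.IGNORECASE)
# Assumption: processes for which Discord API traffic is normal in this environment.
EXPECTED_DISCORD_CLIENTS = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample telemetry (not real logs). Field names loosely follow
# Windows Security (task creation) and Sysmon (process/network) conventions.
SAMPLE_EVENTS = [
    {"id": 1, "type": "task_created", "image": r"C:\Windows\System32\svchost.exe",
     "task_name": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan"},
    {"id": 2, "type": "task_created", "image": r"C:\Users\Public\SearchApp.exe",
     "task_name": r"\MicrosoftSSHUpdate"},
    {"id": 3, "type": "http_request", "image": r"C:\Users\alice\AppData\Local\Discord\app\Discord.exe",
     "url": "https://discord.com/api/v9/gateway"},
    {"id": 4, "type": "http_request", "image": r"C:\Users\Public\SearchApp.exe",
     "url": "https://discord.com/api/v10/channels/000000000000000000/messages",  # placeholder channel id
     "body": "Up Success"},
    {"id": 5, "type": "process_created", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\Public\SearchApp.exe", "command_line": "cmd.exe /c hostname"},
    {"id": 6, "type": "process_created", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "cmd.exe"},
]


def basename(path):
    """Lower-cased final path component; works for both image paths and task paths."""
    return PureWindowsPath(path).name.lower()


def hunt(events):
    """Return (rule, event_id, detail) findings.

    Two passes: the first flags the task name, the handshake string and any Discord API
    request from a process outside EXPECTED_DISCORD_CLIENTS (remembering those images);
    the second flags cmd.exe launched by one of the remembered images, which matches the
    reported operator-command execution path."""
    findings = []
    discord_talkers = set()
    for ev in events:
        if ev["type"] == "task_created" and basename(ev["task_name"]) == TASK_NAME.lower():
            findings.append(("echocreep_task_name", ev["id"], ev["task_name"]))
        elif ev["type"] == "http_request" and DISCORD_API.match(ev["url"]):
            proc = basename(ev["image"])
            if proc not in EXPECTED_DISCORD_CLIENTS:
                discord_talkers.add(ev["image"].lower())
                findings.append(("discord_api_unexpected_process", ev["id"], proc))
            if HANDSHAKE in ev.get("body", ""):
                findings.append(("echocreep_handshake_string", ev["id"], HANDSHAKE))
    for ev in events:
        if (ev["type"] == "process_created" and basename(ev["image"]) == "cmd.exe"
                and ev.get("parent_image", "").lower() in discord_talkers):
            findings.append(("cmd_spawned_by_discord_talker", ev["id"], ev["command_line"]))
    return findings


if __name__ == "__main__":
    for rule, event_id, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] event {event_id}: {detail}")
```

The handshake and task-name rules are exact-string matches and will miss renamed variants; the process-to-Discord correlation is the more durable signal, since any process outside the allow-list talking to the Discord API deserves a look regardless of the family. Tune EXPECTED_DISCORD_CLIENTS to what actually runs in your estate before deploying.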

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Webworm

Through 2026 the same idea spread fast: China-aligned Webworm deployed backdoors using Discord and the Microsoft Graph API.

via osint team blog (osintteam.blog)
Space Pirates

According to ESET, the group’s latest campaigns introduced two new backdoors: EchoCreep and GraphWorm. EchoCreep uses Discord for C&C communication, allowing attackers to upload files, send runtime reports, and receive commands.

via Help Net Security (helpnetsecurity.com)
UAT-8302

According to ESET, the group’s latest campaigns introduced two new backdoors: EchoCreep and GraphWorm. EchoCreep uses Discord for C&C communication, allowing attackers to upload files, send runtime reports, and receive commands.

via Help Net Security (helpnetsecurity.com)
MITRE ATT&CK

Techniques & procedures

17 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1608.002 Upload Tool (Evidence: 1)

Webworm staged tools in its GitHub repo for direct download onto compromised systems.

Execution

3 techniques
T1053 Scheduled Task/Job (Evidence: 1)

1 persistence task name (MicrosoftSSHUpdate)

T1053.005 Scheduled Task (Evidence: 1)

EchoCreep is executed under the custom-created MicrosoftSSHUpdate scheduled task.

T1059.003 Windows Command Shell (Evidence: 2)

EchoCreep and GraphWorm both use the Windows command line to execute operator commands.

Persistence

2 techniques
T1053 Scheduled Task/Job (Evidence: 1)

1 persistence task name (MicrosoftSSHUpdate)

T1053.005 Scheduled Task (Evidence: 1)

EchoCreep is executed under the custom-created MicrosoftSSHUpdate scheduled task.

Privilege Escalation

2 techniques
T1053 Scheduled Task/Job (Evidence: 1)

1 persistence task name (MicrosoftSSHUpdate)

T1053.005 Scheduled Task (Evidence: 1)

EchoCreep is executed under the custom-created MicrosoftSSHUpdate scheduled task.

Stealth

3 techniques
T1027.013 Encrypted/Encoded File (Evidence: 1)

GraphWorm and EchoCreep use encryption and encoding techniques to obfuscate data.

T1036 Masquerading (Evidence: 1)

the use of a GitHub repository impersonating a WordPress fork ("github[.]com/anjsdgasdf/WordPress") as a staging ground for malware and tools like SoftEther VPN in an effort to blend in and fly under the radar.

T1070.006 Timestomp (Evidence: 1)

EchoCreep contains a modified timestamp attribute.

Lateral Movement

1 technique
T1550.001 Application Access Token (Evidence: 1)

GraphWorm and EchoCreep use API keys to communicate with the C&C infrastructure.

Collection

1 technique
T1005 Data from Local System (Evidence: 1)

Both EchoCreep and GraphWorm can collect data from the local system.

Command and Control

7 techniques
T1071 Application Layer Protocol (Evidence: 3)

EchoCreep uses Discord for C&C communication, allowing attackers to upload files, send runtime reports, and receive commands. GraphWorm relies on Microsoft Graph API and OneDrive endpoints to retrieve tasks and upload victim information. | By decrypting more than 400 Discord messages used for command-and-control (C&C) communication, ESET gained visibility into the group’s infrastructure and operations.

T1071.001 Web Protocols (Evidence: 2)

EchoCreep backdoor using Discord for C&C. ... GraphWorm backdoor using the Microsoft Graph API for C&C.

T1102 Web Service (Evidence: 1)

EchoCreep (HIGH) -- adds MicrosoftSSHUpdate task name, Up Success handshake string, and Discord-JSON field literals.

T1102.002 Bidirectional Communication (Evidence: 1)

EchoCreep and GraphWorm use Discord and the Microsoft Graph API for C&C infrastructure.

T1105 Ingress Tool Transfer (Evidence: 3)

This confirms the actor delivers tools through operator-controlled open directories, not mass-mail or drive-by chains.

T1132.001 Standard Encoding (Evidence: 1)

EchoCreep, GraphWorm, and WormSocket make use of base64 encoding.

T1573.002 Asymmetric Cryptography (Evidence: 1)

EchoCreep, GraphWorm, WormSocket, and WormFrp use AES in some capacity.

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (Evidence: 1)

EchoCreep and GraphWorm exfiltrate data to their respective C&C infrastructures.

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Hashes
1 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

| Type | Value | Latest sighting |
| --- | --- | --- |
| hash.sha1 | ●●●●●●●●●●●● (full value in app) | 1 month ago |
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (1)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (3)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (17)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.