GraphWorm
GraphWorm is a backdoor associated with the China-aligned threat actor Webworm, also tracked as Space Pirates and UAT-8302. It was observed in Webworm’s 2025 campaigns targeting government organizations in Europe, including Belgium, Italy, Poland, Serbia, and Spain, as well as activity involving a university in South Africa. The malware uses Microsoft Graph API and Microsoft OneDrive for command-and-control, retrieving tasks from OneDrive and uploading victim information and command results back to actor-controlled OneDrive storage. Reported capabilities include spawning a new cmd.exe session, executing newly created processes, uploading and downloading files via OneDrive, stopping its own execution on operator signal, and adjusting sleep intervals. GraphWorm persists by executing when the victim logs in and by modifying Windows registry Run keys. It generates a unique victim identifier from host attributes including network adapter IP, processor ID, and a physical device serial number obtained through WMI, then creates a separate OneDrive folder for each victim with subfolders such as /files, /result, and /job for staging and tasking. Data is reported as encrypted with AES-256-CBC and base64-encoded, and large files are uploaded using the Microsoft Graph /createUploadSession endpoint. File-level artifacts cited in the reporting include the sample C2OverOneDrive_v0316.exe, detected by ESET as Win32/Agent.VWD, with SHA-1 77F1970D620216C5FFF4E14A6CCC13FCCC267217. Reverse-engineering details mentioned in the content include Visual Studio 2019 source paths such as AutoStart.cpp, BaseInfo.cpp, and Beacon.cpp, a build tag v0316, OneDrive call sites, and an OAuth refresh_token literal. The infection vector for GraphWorm is not confirmed in the provided content; reporting states Webworm’s initial access and delivery mechanism for EchoCreep and GraphWorm are currently unknown.
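As an added defensive example (not code from ESET's reporting or from Mallory), the following Python hunt applies the per-victim OneDrive folder pattern described above (/job for tasking, /result for command output, /files with /createUploadSession for large uploads) to constructed web-proxy log lines; the log format, the process allowlist, the hostnames, the process name and the folder values are all assumptions.

```python
"""Hunt for GraphWorm-style OneDrive C2 in proxy logs (added example, not vendor code).

Flags a non-allowlisted process on one host that both reads a '/job' folder and
writes to a '/result' folder under the same OneDrive parent via graph.microsoft.com.
Log format, process names and folder names are assumed, not taken from real telemetry."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample lines: host, process, HTTP method, URL (not real telemetry).
SAMPLE_LOG = """\
WS01 OneDrive.exe GET https://graph.microsoft.com/v1.0/me/drive/root/children
WS02 updater.exe PUT https://graph.microsoft.com/v1.0/me/drive/root:/sync/7f3a9c/result/out.txt:/content
WS02 updater.exe GET https://graph.microsoft.com/v1.0/me/drive/root:/sync/7f3a9c/job:/children
WS02 updater.exe POST https://graph.microsoft.com/v1.0/me/drive/root:/sync/7f3a9c/files/big.bin:/createUploadSession
WS03 msedge.exe GET https://graph.microsoft.com/v1.0/me/drive/root:/Documents/job:/children
"""

# Assumed legitimate Graph clients; tune to the environment.
ALLOWED_PROCESSES = {"onedrive.exe", "msedge.exe", "outlook.exe", "teams.exe"}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST|PUT|PATCH|DELETE)\s+(\S+)$")
ITEM_RE = re.compile(r"/drive/root:(/.+?)/(job|result|files)(?::|/)")

def parse_log(text):
    """Yield (host, process, method, url) tuples from the constructed format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def parent_and_leaf(url):
    """Return (parent folder, subfolder name) for a OneDrive item path, else (None, None)."""
    m = ITEM_RE.search(urlparse(url).path)
    return (m.group(1), m.group(2)) if m else (None, None)

def hunt(text):
    """Return {(host, process, parent folder): set of subfolders/actions seen} for suspects."""
    obs = defaultdict(set)
    for host, proc, _method, url in parse_log(text):
        if urlparse(url).hostname != "graph.microsoft.com" or proc.lower() in ALLOWED_PROCESSES:
            continue
        folder, leaf = parent_and_leaf(url)
        if folder is None:
            continue
        obs[(host, proc, folder)].add(leaf)
        if url.endswith("/createUploadSession"):
            obs[(host, proc, folder)].add("createUploadSession")
    # Tasking read from /job plus output written to /result is the beacon loop the reporting describes.
    return {k: v for k, v in obs.items() if {"job", "result"} <= v}

if __name__ == "__main__":
    for (host, proc, folder), seen in hunt(SAMPLE_LOG).items():
        print(f"{host} {proc} {folder}: {sorted(seen)}")
```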
Groups observed using it
3 distinct threat actors attributed by public researchers.
The GraphWorm binary carried VS2019 source paths (AutoStart.cpp, BaseInfo.cpp, Beacon.cpp), a build tag v0316 (March 16), OneDrive call sites, and an OAuth refresh_token literal. Confirms the published Microsoft Graph + OneDrive C&C role at the file level.
According to ESET, the group’s latest campaigns introduced two new backdoors: EchoCreep and GraphWorm. GraphWorm relies on Microsoft Graph API and OneDrive endpoints to retrieve tasks and upload victim information.
Techniques & procedures
22 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
Execution (1 technique)
EchoCreep and GraphWorm both use the Windows command line to execute operator commands.
Persistence (3 techniques)
GraphWorm uses a valid cloud account to access Microsoft Graph APIs.
Privilege Escalation (2 techniques)
Stealth (4 techniques)
GraphWorm and EchoCreep use encryption and encoding techniques to obfuscate data.
Use of a GitHub repository impersonating a WordPress fork ("github[.]com/anjsdgasdf/WordPress") as a staging ground for malware and tools like SoftEther VPN, in an effort to blend in and fly under the radar.
GraphWorm cleans up a created beacon file after successful upload.
Defense Impairment (1 technique)
Discovery (1 technique)
Upon first execution, the backdoor generates a unique victim identifier by combining network adapter details, processor information, and a device serial number.
Lateral Movement (1 technique)
GraphWorm and EchoCreep use API keys to communicate with the C&C infrastructure.
Collection (3 techniques)
Both EchoCreep and GraphWorm can collect data from the local system.
GraphWorm stages a beacon file locally before uploading to the C&C.
GraphWorm stages files and tasks within OneDrive via the Microsoft Graph API.
Command and Control (8 techniques)
EchoCreep backdoor using Discord for C&C. ... GraphWorm backdoor using the Microsoft Graph API for C&C.
WormFrp, ChainWorm, WormSocket, SmuxProxy, and GraphWorm have the capability to connect to external proxies.
EchoCreep and GraphWorm use Discord and the Microsoft Graph API for C&C infrastructure.
This confirms the actor delivers tools through operator-controlled open directories, not mass-mail or drive-by chains.
EchoCreep, GraphWorm, and WormSocket make use of base64 encoding.
EchoCreep, GraphWorm, WormSocket, and WormFrp use AES in some capacity.
Exfiltration (2 techniques)
EchoCreep and GraphWorm exfiltrate data to their respective C&C infrastructures.
GraphWorm exfiltrates data to OneDrive via the Microsoft Graph API.
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
A more advanced custom backdoor used by Webworm that leverages Microsoft Graph API for C2, can spawn cmd.exe, execute processes, upload/download files via Microsoft OneDrive, and stop its own execution on operator signal.
A Go-based backdoor that uses Microsoft Graph API and OneDrive as its command-and-control channel, creating victim-specific folders to receive tasks, upload/download files, execute shell commands via cmd.exe, and return command output while blending into legitimate cloud traffic.
A backdoor that persists at logon and uses Microsoft Graph API, specifically OneDrive, for command retrieval and data exfiltration. It supports shell execution, process execution, file transfer, configuration updates, and encrypted communications.
A backdoor that uses Microsoft Graph API and OneDrive endpoints for task retrieval and victim data upload.