
[HIGH] WEBWORM EUROPEAN ESPIONAGE CAMPAIGN: EchoCreep & GraphWorm Backdoors via Discord and Microsoft Graph API
Summary of Actor: Earth Lusca, also known as Aquatic Panda, is a notorious cyber espionage group known for targeting governments and high-profile organizations. The group leverages sophisticated tactics to exfiltrate sensitive data and has been active in various regions worldwide. Their campaigns often involve advanced malware and strategic intrusions to achieve their goals.
General Features: Earth Lusca operates with a high level of sophistication, utilizing both custom-developed and publicly available tools. They are known for their stealth and persistence in operations, and often employ multi-phase attacks comprising initial compromise, lateral movement, and data exfiltration.
Related Other Groups: APT41, Winnti, i-Soon
Indicators of Attack (IoA):
- Abnormal network traffic patterns
- Unusual user account activity
- Unexpected system behavior indicating potential exfiltration
Recent Activities and Trends:
- Latest Campaigns: Earth Lusca was recently observed targeting governmental and financial institutions in East Asia, using spear-phishing emails to deliver customized malware payloads.
- Emerging Trends: Earth Lusca has shown increased activity in exploiting zero-day vulnerabilities, indicating a potentially higher level of sophistication in their operational capabilities.
Summary of Actor: Webworm is a sophisticated cyber espionage group primarily targeting organizations in East Asia. They are known for their complex techniques and persistent effort to infiltrate high-value targets. The group has a history of leveraging advanced malware and exploiting zero-day vulnerabilities.
General Features: Webworm employs a range of tactics including spear phishing, zero-day exploits, and custom malware. They often conduct extensive reconnaissance and use highly targeted attacks. The group's activities are well-funded, indicating possible state-based sponsorship.
Related Other Groups: HiddenLynx, APT41, Winnti
Indicators of Attack (IoA):
- Spear phishing emails with malicious attachments
- Custom malware payloads
- Network traffic anomalies involving C2 servers
Recent Activities and Trends:
- Latest Campaigns: Webworm has recently been linked to a series of attacks targeting governmental institutions in East Asia. These campaigns involved advanced spear phishing emails and newly developed malware variants.
- Emerging Trends: Recent observations indicate Webworm is increasingly focusing on exploiting supply chain vulnerabilities and using Living off the Land (LotL) techniques to avoid detection.
Vicious Panda is the name assigned by CrowdStrike to a Chinese state-sponsored advanced persistent threat (APT) group, also tracked as TA428 by Proofpoint, Temp.Hex by FireEye/Mandiant, and BRONZE DUDLEY by Sophos. The group is known for conducting cyberespionage operations, primarily motivated by intelligence gathering to support Chinese national interests. It targets government entities, diplomatic organizations, and related sectors such as IT and public administration, with a focus on East Asia (e.g., Mongolia, Russia), Europe, and Central Asia (e.g., Afghanistan, Belarus, Ukraine). The group's activities align with broader Chinese APT tradecraft, including the use of custom tools and exploitation of geopolitical events for lures.

Key Characteristics:
Vicious Panda (TA428) employs sophisticated TTPs focused on stealthy initial access, persistence, and data exfiltration, often leveraging current events (e.g., COVID-19, geopolitical tensions) for social engineering. The group frequently uses weaponized RTF documents created with the RoyalRoad tool to exploit Microsoft Office vulnerabilities, followed by multi-stage DLL sideloading and custom backdoors for long-term access. Victimology centers on high-value targets in the government and diplomatic sectors, particularly in regions of strategic interest to China such as Russia, Mongolia, and Europe, to steal sensitive political, military, and economic intelligence. Notable tools include custom malware such as CotSam (a modular RAT for credential theft and reconnaissance), PhantomNet (a remote access tool), NCCTrojan (a backdoor for command execution), and BYEBY (a RAT variant). The group also collaborates with other Chinese actors (e.g., in joint campaigns like Crimson Palace) and adapts tools like PlugX for specific operations.

Relevant MITRE ATT&CK Technique IDs: T1203 (Exploitation for Client Execution, via RTF exploits); T1574.002 (Hijack Execution Flow: DLL Side-Loading); T1059 (Command and Scripting Interpreter, for executing payloads); T1137 (Office Application Startup, for persistence in Word); T1071 (Application Layer Protocol, HTTP/HTTPS C2); T1027 (Obfuscated Files or Information, encrypted payloads); T1005 (Data from Local System, exfiltration); T1041 (Exfiltration Over C2 Channel).

Indicators of Attack (IoA):
- Command Execution Patterns: Use of rundll32.exe to load malicious DLLs (e.g., "rundll32.exe <DLL>, <export>"); dynamic API loading from comma-separated library lists; execution of commands for file operations, screenshots, and registry modifications via modular RATs; creation of mutexes like "Afx:DV3ControlHost".
- Specific File Names: intel.wll (dropped in the Word startup folder); http_dll.dll, ppdown.dll, Rundll32Templete.dll, minisdllpub.dll, minisdllpublog.dll (loaders); wincore.dll, gg.dll (dropped payloads); CotSam.dll (custom RAT); access.txt (C2 config file); encrypted .rar archives for payloads.
- Registry Keys: No primary registry-based persistence, but commands support setting registry values (e.g., Command ID 0x34, Sub 0x15); modifications to the active computer name or console tracing settings to hide activity.
- Memory Injection Techniques: DLL sideloading and in-memory loading of payloads; XOR encryption/decryption (e.g., key 0x51) for stages; dynamic resolution of APIs to evade detection.
- Other Behaviors: Weaponized RTF files via RoyalRoad (v7.x); HTTP/HTTPS C2 with limited uptime (a few hours daily); temporary directory listings on servers; mutexes and encrypted communications to C2 domains like adyboh[.]com, kkooppt[.]com.
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
| Technique Name | Tactic | Detection Method | Log Sources |
|---|---|---|---|
| Vulnerability Scanning | Reconnaissance | Hunt for nuclei / dirsearch user-agents and high-volume 404s on common paths (/admin, /.git, /backup) from single source IPs. | Web server logs, WAF, NetFlow |
| Compromise Infrastructure: Web Services | Resource Development | Audit S3 buckets for unexpected public-read PUT/GET from non-corporate IPs; alert on config-file downloads from unfamiliar regions (e.g., ap-south-1). | AWS CloudTrail, S3 access logs, GuardDuty |
| Stage Capabilities: Upload Tool | Resource Development | Threat-hunt for forked WordPress repositories under anonymous GitHub accounts (e.g., anjsdgasdf-style) hosting binary files in wp-admin/. | GitHub audit logs, EDR file-write telemetry |
| Windows Command Shell | Execution | Alert on cmd.exe spawned by Go binaries (e.g., SearchApp.exe, C2OverOneDrive_v0316.exe pattern) or by scheduled tasks not in baseline. | Windows Event 4688, Sysmon EID 1, EDR |
| Scheduled Task | Persistence | Inventory scheduled tasks daily; alert on task names containing 'Update' or 'SSH' patterns not in baseline (e.g., MicrosoftSSHUpdate). | Windows Event 4698/4702, schtasks audit |
| Registry Run Keys | Persistence | Alert on additions to HKLM\..\Run and HKCU\..\Run pointing to user-writable directories or to binaries with no or unknown signature. | Sysmon EID 12/13/14, EDR registry telemetry |
| Cloud Accounts | Defense Evasion | Alert on token issuance to Files.ReadWrite.All / Sites.ReadWrite.All from new device IDs; correlate with /createUploadSession activity. | Azure AD Sign-in, MS Graph API audit |
| Indicator Removal: Timestomp | Defense Evasion | Use FIM with hash-based tracking resistant to MAC timestamp manipulation; alert on files whose MAC times are older than the file system's earliest record. | FIM, auditd, Sysmon EID 2 |
| Web Service | Command and Control | Detect HTTPS POST to discord.com/api/channels/*/messages from non-developer workstations and from server segments. | DNS logs, egress proxy, NetFlow, JA3 |
| Web Protocols | Command and Control | Hunt for graph.microsoft.com requests from non-Office processes; Go runtime user-agents are a red flag in this context. | TLS metadata, EDR HTTP telemetry, MS Graph audit |
| Multi-hop Proxy | Command and Control | Alert on SoftEther signatures and frp / iox handshake patterns; track long-lived encrypted sessions between internal hosts and Vultr / IT7 Networks ASNs. | NetFlow/IPFIX, Zeek conn.log, EDR network telemetry |
| Exfiltration Over C2 Channel | Exfiltration | Alert on MS Graph /createUploadSession invocations from non-Office processes uploading > 10 MB to OneDrive. | MS Graph audit logs, egress proxy |
| Cloud Services | Lateral Movement | Detect token reuse on Microsoft Graph from multiple IPs in a short window; alert on Graph calls from unfamiliar cloud ASNs. | Azure AD Sign-in, Conditional Access logs |
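The three command-and-control and exfiltration rows above (Discord channel POSTs, Graph calls from non-Office processes with a Go user-agent, and large /createUploadSession uploads) can be expressed as one pass over HTTP egress telemetry. The following is an added example written for this page, not tooling from the campaign report; the log format, the developer-host allowlist and the Office process list are constructed assumptions and the sample lines are made up.

```python
import re
from typing import Dict, List

# Constructed sample of egress-proxy / EDR HTTP telemetry, whitespace-separated:
# timestamp host process method url user_agent bytes_out
SAMPLE_LOG = """\
2024-03-16T09:12:01Z ws-fin-07 SearchApp.exe POST https://discord.com/api/channels/1122334455/messages Go-http-client/2.0 812
2024-03-16T09:12:09Z dev-laptop-2 Discord.exe POST https://discord.com/api/channels/99887766/messages Discord-Client/1.0 640
2024-03-16T09:13:40Z srv-file-01 SearchApp.exe POST https://graph.microsoft.com/v1.0/me/drive/root:/x.bin:/createUploadSession Go-http-client/2.0 15728640
2024-03-16T09:14:02Z ws-hr-03 OUTLOOK.EXE GET https://graph.microsoft.com/v1.0/me/messages Microsoft-Office/16.0 1024
2024-03-16T09:15:11Z ws-fin-07 WINWORD.EXE POST https://graph.microsoft.com/v1.0/me/drive/root:/report.docx:/createUploadSession Microsoft-Office/16.0 20971520
"""

# Assumed environment baselines: hosts allowed to use the Discord API and
# processes expected to call Microsoft Graph. Tune these to your own estate.
DEVELOPER_HOSTS = {"dev-laptop-2"}
OFFICE_PROCESSES = {"outlook.exe", "winword.exe", "excel.exe", "onedrive.exe", "teams.exe"}
DISCORD_MESSAGES = re.compile(r"^https://discord\.com/api/channels/\d+/messages$")
UPLOAD_THRESHOLD = 10 * 1024 * 1024  # 10 MB, the threshold used in the table

def evaluate(line: str) -> List[str]:
    """Return the detection names that fire for one telemetry line."""
    _ts, host, process, method, url, user_agent, bytes_out = line.split()
    proc = process.lower()
    alerts: List[str] = []
    if method == "POST" and DISCORD_MESSAGES.match(url) and host not in DEVELOPER_HOSTS:
        alerts.append("discord_c2_post")
    if url.startswith("https://graph.microsoft.com/") and proc not in OFFICE_PROCESSES:
        alerts.append("graph_non_office_process")
        if user_agent.startswith("Go-http-client/"):
            alerts.append("graph_go_runtime_ua")
        if "/createUploadSession" in url and int(bytes_out) > UPLOAD_THRESHOLD:
            alerts.append("graph_large_upload_non_office")
    return alerts

def detect(log_text: str) -> Dict[str, List[str]]:
    """Map each host with at least one detection to the alert names it raised."""
    hits: Dict[str, List[str]] = {}
    for line in log_text.strip().splitlines():
        alerts = evaluate(line)
        if alerts:
            hits.setdefault(line.split()[1], []).extend(alerts)
    return hits

if __name__ == "__main__":
    for host, alerts in detect(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(alerts)}")
```

The Office-initiated upload on ws-fin-07 and the developer's own Discord client stay silent, so the rules isolate the Go-runtime process behaviour the table describes rather than all traffic to those services.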