Campaigns
[HIGH] WEBWORM EUROPEAN ESPIONAGE CAMPAIGN: EchoCreep & GraphWorm Backdoors via Discord and Microsoft Graph API

Tags: Webworm, EchoCreep, GraphWorm, FishMonger, SoftEther
Webworm, a China-aligned APT active since 2022, introduced two new backdoors in 2025 — EchoCreep (Discord C&C) and GraphWorm (Microsoft Graph API / OneDrive C&C) — while shifting targeting from Asia to European government organisations. ESET decrypted 400+ Discord messages across four victim channels, with the earliest C&C activity dating to 21 March 2024.

Indicators of Compromise

whpjewellers.s3.amazonaws.com
wamanharipethe.s3.ap-south-1.amazonaws.com

APT Groups (4)

Earth Lusca (CN)

Summary of Actor: Earth Lusca or Aquatic Panda is a notorious cyber espionage group known for targeting governments and high-profile organizations. The group leverages sophisticated tactics to exfiltrate sensitive data and has been active in various regions worldwide. Their campaigns often involve advanced malware and strategic intrusions to achieve their goals.

General Features: Earth Lusca operates with a high level of sophistication, utilizing both custom-developed and publicly available tools. They are known for their stealth and persistence in operations, and often employ multi-phase attacks comprising initial compromise, lateral movement, and data exfiltration.

Related Other Groups: APT41, Winnti, i-Soon

Indicators of Attack (IoA):
- Abnormal network traffic patterns
- Unusual user account activity
- Unexpected system behavior indicating potential exfiltration

Recent Activities and Trends:
- Latest Campaigns: Earth Lusca was recently observed targeting governmental and financial institutions in East Asia, using spear-phishing emails to deliver customized malware payloads.
- Emerging Trends: Earth Lusca has shown increased activity in exploiting zero-day vulnerabilities, indicating a potentially higher level of sophistication in their operational capabilities.

Aliases: AQUATIC PANDA, BRONZE UNIVERSITY, BountyGlad, CHROMIUM, Charcoal Typhoon, ControlX, FISHMONGER, Red Dev 10, Red Scylla, RedHotel, TAG-22
Webworm (CN)

Summary of Actor: Webworm is a sophisticated cyber espionage group primarily targeting organizations in East Asia. They are known for their complex techniques and persistent effort to infiltrate high-value targets. The group has a history of leveraging advanced malware and exploiting zero-day vulnerabilities.

General Features: Webworm employs a range of tactics including spear phishing, zero-day exploits, and custom malware. They often conduct extensive reconnaissance and use highly targeted attacks. The group's activities are well-funded, indicating possible state-based sponsorship.

Related Other Groups: HiddenLynx, APT41, Winnti

Indicators of Attack (IoA):
- Spear phishing emails with malicious attachments
- Custom malware payloads
- Network traffic anomalies involving C2 servers

Recent Activities and Trends:
- Latest Campaigns: Webworm has recently been linked to a series of attacks targeting governmental institutions in East Asia. These campaigns involved advanced spear phishing emails and newly developed malware variants.
- Emerging Trends: Recent observations indicate Webworm is increasingly focusing on exploiting supply chain vulnerabilities and using Living off the Land (LotL) techniques to avoid detection.

Aliases: Space Pirates, Erudite Mogwai
Vicious Panda (CN)

Vicious Panda is the name assigned by CrowdStrike to a Chinese state-sponsored advanced persistent threat (APT) group, also tracked as TA428 by Proofpoint, Temp.Hex by FireEye/Mandiant, and BRONZE DUDLEY by Sophos. The group is known for conducting cyberespionage operations, primarily motivated by intelligence gathering to support Chinese national interests. It targets government entities, diplomatic organizations, and related sectors such as IT and public administration, with a focus on East Asia (e.g., Mongolia, Russia), Europe, and Central Asia (e.g., Afghanistan, Belarus, Ukraine). The group's activities align with broader Chinese APT tradecraft, including the use of custom tools and exploitation of geopolitical events for lures.

Key Characteristics: Vicious Panda (TA428) employs sophisticated TTPs focused on stealthy initial access, persistence, and data exfiltration, often leveraging current events (e.g., COVID-19, geopolitical tensions) for social engineering. The group frequently uses weaponized RTF documents created with the RoyalRoad tool to exploit Microsoft Office vulnerabilities, followed by multi-stage DLL sideloading and custom backdoors for long-term access. Victimology centers on high-value targets in government and diplomatic sectors, particularly in regions of strategic interest to China, such as Russia, Mongolia, and Europe, to steal sensitive political, military, and economic intelligence. Notable tools include custom malware like CotSam (a modular RAT for credential theft and reconnaissance), PhantomNet (a remote access tool), NCCTrojan (a backdoor for command execution), and BYEBY (a RAT variant). The group also collaborates with other Chinese actors (e.g., in joint campaigns like Crimson Palace) and adapts tools like PlugX for specific operations.

Relevant MITRE ATT&CK Technique IDs: T1203 (Exploitation for Client Execution, via RTF exploits); T1574.002 (Hijack Execution Flow: DLL Side-Loading); T1059 (Command and Scripting Interpreter, for executing payloads); T1137 (Office Application Startup, for persistence in Word); T1071 (Application Layer Protocol, HTTP/HTTPS C2); T1027 (Obfuscated Files or Information, encrypted payloads); T1005 (Data from Local System, exfiltration); T1041 (Exfiltration Over C2 Channel).

Indicators of Attack (IoA):
- Command Execution Patterns: Use of rundll32.exe to load malicious DLLs (e.g., "rundll32.exe <DLL>, <export>"); dynamic API loading from comma-separated library lists; execution of commands for file operations, screenshots, and registry modifications via modular RATs; creation of mutexes like "Afx:DV3ControlHost".
- Specific File Names: intel.wll (dropped in Word startup folder); http_dll.dll, ppdown.dll, Rundll32Templete.dll, minisdllpub.dll, minisdllpublog.dll (loaders); wincore.dll, gg.dll (dropped payloads); CotSam.dll (custom RAT); access.txt (C2 config file); .rar encrypted archives for payloads.
- Registry Keys: No primary registry-based persistence, but commands support setting registry values (e.g., Command ID 0x34, Sub 0x15); modifications to active computer name or console tracing settings to hide activity.
- Memory Injection Techniques: DLL sideloading and in-memory loading of payloads; XOR encryption/decryption (e.g., key 0x51) for stages; dynamic resolution of APIs to evade detection.
- Other Behaviors: Weaponized RTF files via RoyalRoad (v7.x); HTTP/HTTPS C2 with limited uptime (few hours daily); temporary directory listings on servers; mutexes and encrypted communications to C2 domains like adyboh[.]com, kkooppt[.]com.

Aliases: Vicious Panda, Panda, BRONZE DUDLEY, Colourful Panda, Bronze Dudley, TA428, ThunderCats, Temp.Hex, SixLittleMonkeys
UAT-8302 (CN)

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION / DETECTION REF

Columns: Technique ID | Technique Name | Tactic, followed by Detection Method and Log Sources

T1595.002 | Vulnerability Scanning | Reconnaissance
  Detection Method: Hunt for nuclei / dirsearch user-agents and high-volume 404s on common paths (/admin, /.git, /backup) from single source IPs.
  Log Sources: Web server logs, WAF, NetFlow

T1584.006 | Compromise Infrastructure: Web Services | Resource Development
  Detection Method: Audit S3 buckets for unexpected public-read PUT/GET from non-corporate IPs; alert on config-file downloads from unfamiliar regions (e.g., ap-south-1).
  Log Sources: AWS CloudTrail, S3 access logs, GuardDuty

T1608.002 | Stage Capabilities: Upload Tool | Resource Development
  Detection Method: Threat-hunt for forked WordPress repositories under anonymous GitHub accounts (e.g., anjsdgasdf-style) hosting binary files in wp-admin/.
  Log Sources: GitHub audit logs, EDR file-write telemetry

T1059.003 | Windows Command Shell | Execution
  Detection Method: Alert on cmd.exe spawned by Go binaries (e.g., SearchApp.exe, C2OverOneDrive_v0316.exe pattern) or by scheduled tasks not in baseline.
  Log Sources: Windows Event 4688, Sysmon EID 1, EDR

T1053.005 | Scheduled Task | Persistence
  Detection Method: Inventory scheduled tasks daily; alert on task names containing 'Update' or 'SSH' patterns not in baseline (e.g., MicrosoftSSHUpdate).
  Log Sources: Windows Event 4698/4702, schtasks audit

T1547.001 | Registry Run Keys | Persistence
  Detection Method: Alert on additions to HKLM\..\Run, HKCU\..\Run pointing to user-writable directories or to binaries with no/unknown signature.
  Log Sources: Sysmon EID 12/13/14, EDR registry telemetry

T1078.004 | Cloud Accounts | Defense Evasion
  Detection Method: Alert on token issuance to Files.ReadWrite.All / Sites.ReadWrite.All from new device IDs; correlate with /createUploadSession activity.
  Log Sources: Azure AD Sign-in, MS Graph API audit

T1070.006 | Indicator Removal: Timestomp | Defense Evasion
  Detection Method: Use FIM with hash-based tracking resistant to MAC timestamp manipulation; alert on files whose MAC times are older than the file system's earliest record.
  Log Sources: FIM, auditd, Sysmon EID 2

T1102 | Web Service | Command and Control
  Detection Method: Detect HTTPS POST to discord.com/api/channels/*/messages from non-developer workstations and from server segments.
  Log Sources: DNS logs, egress proxy, NetFlow, JA3

T1071.001 | Web Protocols | Command and Control
  Detection Method: Hunt for graph.microsoft.com requests from non-Office processes; Go runtime user-agents are a red flag in this context.
  Log Sources: TLS metadata, EDR HTTP telemetry, MS Graph audit

T1090.003 | Multi-hop Proxy | Command and Control
  Detection Method: Alert on SoftEther signatures, frp / iox handshake patterns; track long-lived encrypted sessions between internal hosts and Vultr / IT7 Networks ASNs.
  Log Sources: NetFlow/IPFIX, Zeek conn.log, EDR network telemetry

T1041 | Exfiltration Over C2 Channel | Exfiltration
  Detection Method: Alert on MS Graph /createUploadSession invocations from non-Office processes uploading > 10 MB to OneDrive.
  Log Sources: MS Graph audit logs, egress proxy

T1021.007 | Cloud Services | Lateral Movement
  Detection Method: Detect token reuse on Microsoft Graph from multiple IPs in a short window; alert on Graph calls from unfamiliar cloud ASN.
  Log Sources: Azure AD Sign-in, Conditional Access logs
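The four C&C- and exfiltration-related rules in the table (T1102 Discord channel POSTs, T1071.001 Graph calls from non-Office processes, T1041 large upload sessions, T1021.007 token reuse across IPs) are easiest to reason about when written out against concrete telemetry. The following is an added example written for this page; it is not ESET's code and not detection content from the platform. The event schema, hostnames, process names, IP addresses, the Office process allow-list and the 10-minute reuse window are all assumptions, and the sample events are constructed.

```python
"""Detection rules from the Campaign Guidance table, run over constructed telemetry.

Added example, not ESET's code or the platform's own guidance. Field names,
host names, process names, IPs and thresholds below are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed baseline of processes expected to talk to Microsoft Graph.
OFFICE_PROCS = {"outlook.exe", "winword.exe", "excel.exe", "onedrive.exe", "teams.exe"}
DISCORD_MSG_PATH = re.compile(r"^/api/channels/\d+/messages/?$")
UPLOAD_LIMIT_BYTES = 10 * 1024 * 1024          # "> 10 MB" threshold from the table
TOKEN_REUSE_WINDOW = timedelta(minutes=10)     # assumed "short window"

# Constructed sample events: egress proxy + EDR HTTP telemetry normalised to one schema.
SAMPLE_EVENTS = [
    dict(ts="2024-03-21T08:01:10", host="DEV-WS01", role="developer", proc="discord.exe",
         method="POST", url="https://discord.com/api/channels/111/messages",
         ua="Discord-Client", bytes_out=2100, src_ip="10.1.1.5", token=None),
    dict(ts="2024-03-21T08:02:14", host="FIN-SRV03", role="server", proc="SearchApp.exe",
         method="POST", url="https://discord.com/api/channels/222/messages",
         ua="Go-http-client/1.1", bytes_out=900, src_ip="10.2.0.7", token=None),
    dict(ts="2024-03-21T08:03:00", host="HR-WS12", role="workstation", proc="OUTLOOK.EXE",
         method="GET", url="https://graph.microsoft.com/v1.0/me/messages",
         ua="Microsoft Office/16.0", bytes_out=400, src_ip="10.3.0.4", token="tok-A"),
    dict(ts="2024-03-21T08:03:30", host="HR-WS12", role="workstation", proc="SearchApp.exe",
         method="POST", url="https://graph.microsoft.com/v1.0/me/drive/root:/r.bin:/createUploadSession",
         ua="Go-http-client/1.1", bytes_out=0, src_ip="10.3.0.4", token="tok-B"),
    dict(ts="2024-03-21T08:04:00", host="HR-WS12", role="workstation", proc="SearchApp.exe",
         method="PUT", url="https://graph.microsoft.com/v1.0/me/drive/items/up-1/uploadSession",
         ua="Go-http-client/1.1", bytes_out=12_000_000, src_ip="10.3.0.4", token="tok-B"),
    dict(ts="2024-03-21T08:07:00", host="unknown", role="external", proc="unknown",
         method="GET", url="https://graph.microsoft.com/v1.0/me/drive/root/children",
         ua="Go-http-client/1.1", bytes_out=0, src_ip="203.0.113.9", token="tok-B"),
]


def _parse(ev):
    """Return (timestamp, lower-cased hostname, URL path) for an event."""
    u = urlparse(ev["url"])
    return datetime.fromisoformat(ev["ts"]), (u.hostname or "").lower(), u.path


def detect_discord_c2(ev):
    """T1102: POST to discord.com/api/channels/*/messages from a non-developer host."""
    _, hostname, path = _parse(ev)
    if (hostname == "discord.com" and ev["method"] == "POST"
            and DISCORD_MSG_PATH.match(path) and ev["role"] != "developer"):
        return ("T1102", ev["host"], f"Discord channel message POST by {ev['proc']}")
    return None


def detect_graph_non_office(ev):
    """T1071.001: graph.microsoft.com from a non-Office process; Go UA raises severity."""
    _, hostname, _ = _parse(ev)
    if hostname != "graph.microsoft.com" or ev["proc"].lower() in OFFICE_PROCS:
        return None
    sev = "high" if ev["ua"].startswith("Go-http-client") else "medium"
    return ("T1071.001", ev["host"], f"{sev}: Graph call by {ev['proc']} (UA {ev['ua']})")


def detect_large_upload(events):
    """T1041: createUploadSession by a non-Office process followed by > 10 MB sent to Graph."""
    alerts, sessions, sent, alerted = [], set(), defaultdict(int), set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        _, hostname, path = _parse(ev)
        if hostname != "graph.microsoft.com" or ev["proc"].lower() in OFFICE_PROCS:
            continue
        key = (ev["host"], ev["proc"])
        if path.endswith("/createUploadSession"):
            sessions.add(key)                      # upload session opened by this process
        elif key in sessions and ev["method"] == "PUT":
            sent[key] += ev["bytes_out"]           # accumulate chunks sent into the session
            if sent[key] > UPLOAD_LIMIT_BYTES and key not in alerted:
                alerted.add(key)
                alerts.append(("T1041", key[0], f"{key[1]} sent {sent[key]} bytes via upload session"))
    return alerts


def detect_token_reuse(events):
    """T1021.007: the same Graph token used from more than one source IP within the window."""
    alerts, seen = [], defaultdict(list)           # token -> [(ts, src_ip)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, hostname, _ = _parse(ev)
        if hostname != "graph.microsoft.com" or not ev["token"]:
            continue
        recent = [(t, ip) for t, ip in seen[ev["token"]] if ts - t <= TOKEN_REUSE_WINDOW]
        other_ips = {ip for _, ip in recent if ip != ev["src_ip"]}
        if other_ips:
            alerts.append(("T1021.007", ev["token"],
                           f"token used from {ev['src_ip']} and {sorted(other_ips)}"))
        seen[ev["token"]] = recent + [(ts, ev["src_ip"])]
    return alerts


def run_detections(events):
    """Apply all four rules; returns a list of (technique_id, subject, reason) tuples."""
    alerts = []
    for ev in events:
        for rule in (detect_discord_c2, detect_graph_non_office):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    alerts += detect_large_upload(events)
    alerts += detect_token_reuse(events)
    return alerts


if __name__ == "__main__":
    for technique, subject, reason in run_detections(SAMPLE_EVENTS):
        print(f"{technique:10} {subject:12} {reason}")
```

On the constructed events the developer workstation's Discord traffic is ignored while the server's POST fires T1102; the Go-runtime user-agent from SearchApp.exe drives T1071.001 at high severity and, combined with the createUploadSession call and a 12 MB PUT, T1041; and the later Graph call with the same token from 203.0.113.9 triggers T1021.007. The per-process OFFICE_PROCS allow-list is the knob that decides false-positive volume in a real deployment and should be derived from the environment's own baseline rather than copied from here.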

Observed Countries (9)

BE (806)
ES (415)
GE (859)
IT (985)
MN (101)
PL (953)
RS (871)
RU (171)
ZA (607)