EchoCreep
EchoCreep is a Go-based backdoor used by the China-aligned threat actor Webworm, also tracked as Space Pirates and UAT-8302. ESET reported it as one of two new backdoors introduced in Webworm’s 2025 campaigns.

EchoCreep uses Discord for command-and-control, including crafted HTTP requests to Discord APIs, and supports receiving commands, sending runtime reports, and uploading files; reporting also states it supports file download and command execution via cmd.exe. Commands are base64-decoded and then decrypted with AES-CBC-128. Recovered telemetry cited 433 decrypted Discord messages across four victim-specific channels, with the earliest observed commands on 2024-03-21 and the first actual compromise in recovered logs assessed on 2025-04-09.

A persistence artifact associated with EchoCreep is the scheduled task name "MicrosoftSSHUpdate", and related detection content references the handshake string "Up Success". One identified sample is SearchApp.exe, SHA-1 CB4E50433336707381429707F59C3CBE8D497D98, detected by ESET as WinGo/Agent.ZK.

EchoCreep was observed in Webworm operations targeting government organizations in Belgium, Italy, Poland, Serbia, and Spain, as well as activity involving a university in South Africa. The initial access and delivery mechanism for EchoCreep is reported as unknown.
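As an added hunting example (not code from the page, ESET or Mallory), the Python below checks constructed sample telemetry for the two host-side artifacts named above: creation of the MicrosoftSSHUpdate scheduled task and Discord API traffic from a process that is not a known Discord client. The event schema, the Discord API hostname pattern and the client allowlist are assumptions.

```python
import re

# Constructed sample telemetry (not from the page), as simplified dicts:
# Windows 4698 "scheduled task created" events and EDR/proxy network events.
SAMPLE_EVENTS = [
    {"source": "windows", "event_id": 4698, "host": "ws01",
     "task_name": "\\MicrosoftSSHUpdate", "command": "C:\\ProgramData\\SearchApp.exe"},
    {"source": "windows", "event_id": 4698, "host": "ws02",
     "task_name": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan",
     "command": "%systemroot%\\system32\\usoclient.exe"},
    {"source": "network", "host": "ws01", "process": "SearchApp.exe",
     "url": "https://discord.com/api/v10/channels/0/messages"},
    {"source": "network", "host": "ws03", "process": "Discord.exe",
     "url": "https://discord.com/api/v10/users/@me"},
]

TASK_NAME = "microsoftsshupdate"  # persistence artifact named on the page
# Assumption: the backdoor uses the public Discord API host.
DISCORD_API = re.compile(r"^https://(?:[\w-]+\.)?discord(?:app)?\.com/api/", re.I)
# Assumption: processes expected to talk to Discord in this environment.
EXPECTED_DISCORD_CLIENTS = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def is_echocreep_task(event):
    """Match the MicrosoftSSHUpdate task name regardless of folder or case."""
    if event.get("source") != "windows" or event.get("event_id") != 4698:
        return False
    leaf = event.get("task_name", "").rsplit("\\", 1)[-1]
    return leaf.lower() == TASK_NAME


def is_unexpected_discord_api(event):
    """Flag Discord API requests from a process outside the client allowlist."""
    if event.get("source") != "network" or not DISCORD_API.match(event.get("url", "")):
        return False
    return event.get("process", "").lower() not in EXPECTED_DISCORD_CLIENTS


def hunt(events):
    """Return (host, kind, detail) findings for both rules over the event stream."""
    findings = []
    for e in events:
        if is_echocreep_task(e):
            findings.append((e["host"], "persistence", e["task_name"]))
        elif is_unexpected_discord_api(e):
            findings.append((e["host"], "c2", e["process"]))
    return findings


def escalate(findings):
    """Hosts showing both the persistence artifact and unexpected Discord API use."""
    kinds = {}
    for host, kind, _ in findings:
        kinds.setdefault(host, set()).add(kind)
    return sorted(h for h, k in kinds.items() if {"persistence", "c2"} <= k)
```

Either rule alone is worth a look; a host hitting both is the one to triage first.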
Groups observed using it
3 distinct threat actors attributed by public researchers.
More YARA rules (in the case-folder YARA file): EchoCreep (HIGH) -- adds MicrosoftSSHUpdate task name, Up Success handshake string, and Discord-JSON field literals.
According to ESET, the group’s latest campaigns introduced two new backdoors: EchoCreep and GraphWorm. EchoCreep uses Discord for C&C communication, allowing attackers to upload files, send runtime reports, and receive commands.
Techniques & procedures
17 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
Webworm staged tools in its GitHub repo for direct download onto compromised systems.
Execution (3 techniques)
EchoCreep is executed under the custom-created MicrosoftSSHUpdate scheduled task.
EchoCreep and GraphWorm both use the Windows command line to execute operator commands.
Persistence (2 techniques)
Privilege Escalation (2 techniques)
Stealth (3 techniques)
GraphWorm and EchoCreep use encryption and encoding techniques to obfuscate data.
The use of a GitHub repository impersonating a WordPress fork ("github[.]com/anjsdgasdf/WordPress") as a staging ground for malware and tools like SoftEther VPN in an effort to blend in and fly under the radar.
Lateral Movement (1 technique)
GraphWorm and EchoCreep use API keys to communicate with the C&C infrastructure.
Collection (1 technique)
Both EchoCreep and GraphWorm can collect data from the local system.
Command and Control (7 techniques)
EchoCreep uses Discord for C&C communication, allowing attackers to upload files, send runtime reports, and receive commands. GraphWorm relies on Microsoft Graph API and OneDrive endpoints to retrieve tasks and upload victim information.
By decrypting more than 400 Discord messages used for command-and-control (C&C) communication, ESET gained visibility into the group’s infrastructure and operations.
EchoCreep backdoor using Discord for C&C. ... GraphWorm backdoor using the Microsoft Graph API for C&C.
EchoCreep (HIGH) -- adds MicrosoftSSHUpdate task name, Up Success handshake string, and Discord-JSON field literals.
EchoCreep and GraphWorm use Discord and the Microsoft Graph API for C&C infrastructure.
This confirms the actor delivers tools through operator-controlled open directories, not mass-mail or drive-by chains.
EchoCreep, GraphWorm, and WormSocket make use of base64 encoding.
EchoCreep, GraphWorm, WormSocket, and WormFrp use AES in some capacity.
Exfiltration (1 technique)
EchoCreep and GraphWorm exfiltrate data to their respective C&C infrastructures.
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
A custom backdoor used by Webworm that communicates over Discord for C2 and supports file upload/download plus command execution via cmd.exe.
A Go-written backdoor that uses Discord for C&C communication, supports file upload/download, shell execution, and sleep commands, and communicates through crafted HTTP requests to Discord APIs.
A backdoor used for command-and-control over Discord, enabling file uploads, runtime reporting, and receipt of attacker commands.