{
  "actor_id": "Webworm",
  "chain": [
    {
      "entity_id": "e001",
      "needs_review": false,
      "role": "staging",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": [
        "IIM-T006"
      ]
    },
    {
      "entity_id": "e002",
      "needs_review": false,
      "role": "payload",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e003",
      "needs_review": false,
      "role": "c2",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": [
        "IIM-T006",
        "IIM-T018"
      ]
    },
    {
      "entity_id": "e004",
      "needs_review": false,
      "review_notes": "Proxy/open directory infrastructure is associated with Webworm in the same report; not necessarily the direct EchoCreep C2 endpoint.",
      "role": "redirector",
      "role_confidence": "likely",
      "technique_confidence": "confirmed",
      "techniques": [
        "IIM-T002",
        "IIM-T026"
      ]
    }
  ],
  "chain_id": "iim.chain.apt.2026.05.009",
  "confidence": "confirmed",
  "description": "ESET-documented Webworm lane targeting European government entities: malware stages from GitHub repository content and EchoCreep uses Discord API traffic as its C2 channel.",
  "entities": [
    {
      "evidence": [
        "GitHub repository used to host files in a wp-admin-like path"
      ],
      "id": "e001",
      "source": "ESET Webworm report",
      "type": "domain",
      "value": "github[.]com/anjsdgasdf/WordPress"
    },
    {
      "evidence": [
        "ESET describes EchoCreep as a DLL executed via a Windows shortcut and using Discord API C2"
      ],
      "id": "e002",
      "source": "ESET Webworm report",
      "type": "file",
      "value": "EchoCreep DLL"
    },
    {
      "evidence": [
        "Discord APIs used as C2 by EchoCreep"
      ],
      "id": "e003",
      "source": "ESET Webworm report",
      "type": "domain",
      "value": "discord[.]com / Discord API"
    },
    {
      "evidence": [
        "Open directory/proxy server on Vultr observed by ESET in Webworm infrastructure"
      ],
      "id": "e004",
      "source": "ESET Webworm report",
      "type": "ip",
      "value": "64[.]176[.]85[.]158"
    }
  ],
  "iim_version": "1.1",
  "import_source": "manual-osint-report-to-iim-conversion",
  "needs_review": false,
  "observed_at": "2026-05-20T00:00:00Z",
  "relations": [
    {
      "confidence": "likely",
      "from": "e001",
      "sequence_order": 1,
      "to": "e002",
      "type": "download"
    },
    {
      "confidence": "confirmed",
      "from": "e002",
      "sequence_order": 2,
      "to": "e003",
      "type": "communicates-with"
    },
    {
      "confidence": "likely",
      "from": "e004",
      "sequence_order": 3,
      "to": "e001",
      "type": "references"
    }
  ],
  "title": "Webworm GitHub staging to EchoCreep Discord C2",
  "x_limitations": "ESET states that the initial entry point was not determined, so this chain starts at the observed staging/C2 layer rather than initial access.",
  "x_report_published_month": "2026-05",
  "x_scope_note": "Published in May 2026; ESET reports a shift to European government targets including Belgium, Italy, Serbia, and Poland.",
  "x_selection_reason": "Included because the May 2026 report exposes enough infrastructure or malware-to-service relations to model an IIM chain without inventing indicators.",
  "x_source_reports": [
    "ESET WeLiveSecurity Webworm report"
  ],
  "x_source_urls": [
    "https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques/"
  ]
}