{
  "actor_id": "Webworm",
  "chain": [
    {
      "entity_id": "e001",
      "needs_review": false,
      "role": "payload",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e002",
      "needs_review": false,
      "role": "c2",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": [
        "IIM-T006",
        "IIM-T018"
      ]
    },
    {
      "entity_id": "e003",
      "needs_review": false,
      "role": "c2",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": [
        "IIM-T006",
        "IIM-T018"
      ]
    },
    {
      "entity_id": "e004",
      "needs_review": false,
      "role": "payload",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e005",
      "needs_review": false,
      "role": "staging",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": [
        "IIM-T002",
        "IIM-T006"
      ]
    }
  ],
  "chain_id": "webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane",
  "confidence": "confirmed",
  "description": "ESET-documented Webworm infrastructure lane using Microsoft Graph / OneDrive for GraphWorm command traffic and Amazon S3 infrastructure for WormFrp-related reconnaissance/exfiltration.",
  "entities": [
    {
      "evidence": [
        "Backdoor using Microsoft Graph API / OneDrive as C2"
      ],
      "id": "e001",
      "source": "ESET Webworm report",
      "type": "file",
      "value": "GraphWorm payload"
    },
    {
      "evidence": [
        "GraphWorm uses the Microsoft Graph API endpoint, including createUploadSession behavior"
      ],
      "id": "e002",
      "source": "ESET Webworm report",
      "type": "domain",
      "value": "graph.microsoft.com / Microsoft Graph API"
    },
    {
      "evidence": [
        "Cloud-storage-backed C2 channel for GraphWorm"
      ],
      "id": "e003",
      "source": "ESET Webworm report",
      "type": "domain",
      "value": "onedrive.live.com / OneDrive-backed storage"
    },
    {
      "evidence": [
        "ESET reports WormFrp supports reconnaissance and data exfiltration using S3 bucket infrastructure"
      ],
      "id": "e004",
      "source": "ESET Webworm report",
      "type": "file",
      "value": "WormFrp reverse proxy / exfiltration component"
    },
    {
      "evidence": [
        "S3 bucket believed to be compromised or misconfigured and used for WormFrp-related data handling"
      ],
      "id": "e005",
      "source": "ESET Webworm report",
      "type": "domain",
      "value": "wamanharipethe.s3.ap-south-1.amazonaws[.]com"
    }
  ],
  "iim_version": "1.1",
  "import_source": "manual-osint-report-to-iim-conversion",
  "needs_review": false,
  "observed_at": "2026-05-20T00:00:00Z",
  "relations": [
    {
      "confidence": "confirmed",
      "from": "e001",
      "sequence_order": 1,
      "to": "e002",
      "type": "communicates-with"
    },
    {
      "confidence": "confirmed",
      "from": "e001",
      "sequence_order": 2,
      "to": "e003",
      "type": "communicates-with"
    },
    {
      "confidence": "confirmed",
      "from": "e004",
      "sequence_order": 3,
      "to": "e005",
      "type": "communicates-with"
    },
    {
      "confidence": "likely",
      "from": "e004",
      "sequence_order": 4,
      "to": "e001",
      "type": "references",
      "x_note": "Same Webworm intrusion set/tooling report; modeled as a related cloud-service infrastructure lane."
    }
  ],
  "title": "Webworm GraphWorm / WormFrp cloud-service C2 and exfiltration lane",
  "x_limitations": "This is a tool-to-cloud-service infrastructure chain, not a full initial-access chain; the report did not identify the initial entry point.",
  "x_report_published_month": "2026-05",
  "x_scope_note": "Published in May 2026; selected because the report gives concrete cloud-service infrastructure used by Webworm tooling against European targets.",
  "x_selection_reason": "Included because the May 2026 report exposes enough infrastructure or malware-to-service relations to model an IIM chain without inventing indicators.",
  "x_source_reports": [
    "ESET WeLiveSecurity Webworm report"
  ],
  "x_source_urls": [
    "https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques/"
  ]
}