
iim.chain.apt.2026.05.009

Webworm GitHub staging to EchoCreep Discord C2

ESET-documented Webworm lane targeting European government entities: malware stages from GitHub repository content and EchoCreep uses Discord API traffic as its C2 channel.

Confidence: confirmed
IIM version: 1.1
Actor: Webworm
Entities: 4
Relations: 3
Techniques: 4
Published: 2026-05-26 14:05:20

Infrastructure map (role-based chain map; rendered interactively on the original page). Role legend: entry, redirector, staging, payload, c2.

Chain storyline (ordered IIM positions)

1. staging, domain: github[.]com/anjsdgasdf/WordPress (techniques: IIM-T006)
2. payload, file: EchoCreep DLL
3. c2, domain: discord[.]com / Discord API (techniques: IIM-T006, IIM-T018)
4. redirector, ip: 64[.]176[.]85[.]158 (techniques: IIM-T002, IIM-T026)

Relations (directed infrastructure edges)

e001 -> e002: download (likely)
e002 -> e003: communicates-with (confirmed)
e004 -> e001: references (likely)

Entities & evidence (observable inventory)

ID    Type    Value                               Source / evidence
e001  domain  github[.]com/anjsdgasdf/WordPress   GitHub repository used to host files in a wp-admin-like path
e002  file    EchoCreep DLL                       ESET describes EchoCreep as a DLL executed via a Windows shortcut and using Discord API C2
e003  domain  discord[.]com / Discord API         Discord APIs used as C2 by EchoCreep
e004  ip      64[.]176[.]85[.]158                 Open directory/proxy server on Vultr observed by ESET in Webworm infrastructure

ATT&CK annotations

optional complementary mapping

No ATT&CK annotations included.

Raw IIM JSON (canonical body from MANTIS)
{
  "actor_id": "Webworm",
  "chain": [
    {
      "entity_id": "e001",
      "needs_review": false,
      "role": "staging",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": [
        "IIM-T006"
      ]
    },
    {
      "entity_id": "e002",
      "needs_review": false,
      "role": "payload",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e003",
      "needs_review": false,
      "role": "c2",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": [
        "IIM-T006",
        "IIM-T018"
      ]
    },
    {
      "entity_id": "e004",
      "needs_review": false,
      "review_notes": "Proxy/open directory infrastructure is associated with Webworm in the same report; not necessarily the direct EchoCreep C2 endpoint.",
      "role": "redirector",
      "role_confidence": "likely",
      "technique_confidence": "confirmed",
      "techniques": [
        "IIM-T002",
        "IIM-T026"
      ]
    }
  ],
  "chain_id": "iim.chain.apt.2026.05.009",
  "confidence": "confirmed",
  "description": "ESET-documented Webworm lane targeting European government entities: malware stages from GitHub repository content and EchoCreep uses Discord API traffic as its C2 channel.",
  "entities": [
    {
      "evidence": [
        "GitHub repository used to host files in a wp-admin-like path"
      ],
      "id": "e001",
      "source": "ESET Webworm report",
      "type": "domain",
      "value": "github[.]com/anjsdgasdf/WordPress"
    },
    {
      "evidence": [
        "ESET describes EchoCreep as a DLL executed via a Windows shortcut and using Discord API C2"
      ],
      "id": "e002",
      "source": "ESET Webworm report",
      "type": "file",
      "value": "EchoCreep DLL"
    },
    {
      "evidence": [
        "Discord APIs used as C2 by EchoCreep"
      ],
      "id": "e003",
      "source": "ESET Webworm report",
      "type": "domain",
      "value": "discord[.]com / Discord API"
    },
    {
      "evidence": [
        "Open directory/proxy server on Vultr observed by ESET in Webworm infrastructure"
      ],
      "id": "e004",
      "source": "ESET Webworm report",
      "type": "ip",
      "value": "64[.]176[.]85[.]158"
    }
  ],
  "iim_version": "1.1",
  "import_source": "manual-osint-report-to-iim-conversion",
  "needs_review": false,
  "observed_at": "2026-05-20T00:00:00Z",
  "relations": [
    {
      "confidence": "likely",
      "from": "e001",
      "sequence_order": 1,
      "to": "e002",
      "type": "download"
    },
    {
      "confidence": "confirmed",
      "from": "e002",
      "sequence_order": 2,
      "to": "e003",
      "type": "communicates-with"
    },
    {
      "confidence": "likely",
      "from": "e004",
      "sequence_order": 3,
      "to": "e001",
      "type": "references"
    }
  ],
  "title": "Webworm GitHub staging to EchoCreep Discord C2",
  "x_limitations": "ESET states that the initial entry point was not determined, so this chain starts at the observed staging/C2 layer rather than initial access.",
  "x_report_published_month": "2026-05",
  "x_scope_note": "Published in May 2026; ESET reports a shift to European government targets including Belgium, Italy, Serbia, and Poland.",
  "x_selection_reason": "Included because the May 2026 report exposes enough infrastructure or malware-to-service relations to model an IIM chain without inventing indicators.",
  "x_source_reports": [
    "ESET WeLiveSecurity Webworm report"
  ],
  "x_source_urls": [
    "https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques/"
  ]
}