webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane
Webworm GraphWorm / WormFrp cloud-service C2 and exfiltration lane
ESET-documented Webworm infrastructure lane using Microsoft Graph / OneDrive for GraphWorm command traffic and Amazon S3 infrastructure for WormFrp-related reconnaissance/exfiltration.
Confidence: confirmed | IIM v1.1 | Actor: Webworm
Infrastructure map
Role-based chain map
Roles: entry, redirector, staging, payload, c2
Chain storyline
Ordered IIM positions

| Position | Role | Type | Value | IIM techniques |
|---|---|---|---|---|
| 1 | payload | file | GraphWorm payload | |
| 2 | c2 | domain | graph.microsoft.com / Microsoft Graph API | IIM-T006, IIM-T018 |
| 3 | c2 | domain | onedrive.live.com / OneDrive-backed storage | IIM-T006, IIM-T018 |
| 4 | payload | file | WormFrp reverse proxy / exfiltration component | |
| 5 | staging | domain | wamanharipethe.s3.ap-south-1.amazonaws[.]com | IIM-T002, IIM-T006 |
Relations
Directed infrastructure edges

| From | Relation | To | Confidence | Note |
|---|---|---|---|---|
| e001 | communicates-with | e002 | confirmed | |
| e001 | communicates-with | e003 | confirmed | |
| e004 | communicates-with | e005 | confirmed | |
| e004 | references | e001 | likely | Same Webworm intrusion set/tooling report; modeled as a related cloud-service infrastructure lane. |
Entities & evidence
Observable inventory

| ID | Type | Value | Source | Evidence |
|---|---|---|---|---|
| e001 | file | GraphWorm payload | ESET Webworm report | Backdoor using Microsoft Graph API / OneDrive as C2 |
| e002 | domain | graph.microsoft.com / Microsoft Graph API | ESET Webworm report | GraphWorm uses Microsoft Graph API endpoints, including createUploadSession behavior |
| e003 | domain | onedrive.live.com / OneDrive-backed storage | ESET Webworm report | Cloud-storage-backed C2 channel for GraphWorm |
| e004 | file | WormFrp reverse proxy / exfiltration component | ESET Webworm report | ESET reports WormFrp supports reconnaissance and data exfiltration using S3 bucket infrastructure |
| e005 | domain | wamanharipethe.s3.ap-south-1.amazonaws[.]com | ESET Webworm report | S3 bucket believed compromised or misconfigured and used for WormFrp-related data handling |
ATT&CK annotations
Optional complementary mapping: no ATT&CK annotations included.
Raw IIM JSON (canonical body from MANTIS)
{
"actor_id": "Webworm",
"chain": [
{
"entity_id": "e001",
"needs_review": false,
"role": "payload",
"role_confidence": "confirmed",
"technique_confidence": "confirmed"
},
{
"entity_id": "e002",
"needs_review": false,
"role": "c2",
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"techniques": [
"IIM-T006",
"IIM-T018"
]
},
{
"entity_id": "e003",
"needs_review": false,
"role": "c2",
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"techniques": [
"IIM-T006",
"IIM-T018"
]
},
{
"entity_id": "e004",
"needs_review": false,
"role": "payload",
"role_confidence": "confirmed",
"technique_confidence": "confirmed"
},
{
"entity_id": "e005",
"needs_review": false,
"role": "staging",
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"techniques": [
"IIM-T002",
"IIM-T006"
]
}
],
"chain_id": "webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane",
"confidence": "confirmed",
"description": "ESET-documented Webworm infrastructure lane using Microsoft Graph / OneDrive for GraphWorm command traffic and Amazon S3 infrastructure for WormFrp-related reconnaissance/exfiltration.",
"entities": [
{
"evidence": [
"Backdoor using Microsoft Graph API / OneDrive as C2"
],
"id": "e001",
"source": "ESET Webworm report",
"type": "file",
"value": "GraphWorm payload"
},
{
"evidence": [
"GraphWorm uses Microsoft Graph API endpoint including createUploadSession behavior"
],
"id": "e002",
"source": "ESET Webworm report",
"type": "domain",
"value": "graph.microsoft.com / Microsoft Graph API"
},
{
"evidence": [
"Cloud-storage-backed C2 channel for GraphWorm"
],
"id": "e003",
"source": "ESET Webworm report",
"type": "domain",
"value": "onedrive.live.com / OneDrive-backed storage"
},
{
"evidence": [
"ESET reports WormFrp supports reconnaissance and data exfiltration using S3 bucket infrastructure"
],
"id": "e004",
"source": "ESET Webworm report",
"type": "file",
"value": "WormFrp reverse proxy / exfiltration component"
},
{
"evidence": [
"S3 bucket believed compromised or misconfigured and used for WormFrp-related data handling"
],
"id": "e005",
"source": "ESET Webworm report",
"type": "domain",
"value": "wamanharipethe.s3.ap-south-1.amazonaws[.]com"
}
],
"iim_version": "1.1",
"import_source": "manual-osint-report-to-iim-conversion",
"needs_review": false,
"observed_at": "2026-05-20T00:00:00Z",
"relations": [
{
"confidence": "confirmed",
"from": "e001",
"sequence_order": 1,
"to": "e002",
"type": "communicates-with"
},
{
"confidence": "confirmed",
"from": "e001",
"sequence_order": 2,
"to": "e003",
"type": "communicates-with"
},
{
"confidence": "confirmed",
"from": "e004",
"sequence_order": 3,
"to": "e005",
"type": "communicates-with"
},
{
"confidence": "likely",
"from": "e004",
"sequence_order": 4,
"to": "e001",
"type": "references",
"x_note": "Same Webworm intrusion set/tooling report; modeled as a related cloud-service infrastructure lane."
}
],
"title": "Webworm GraphWorm / WormFrp cloud-service C2 and exfiltration lane",
"x_limitations": "This is a tool-to-cloud-service infrastructure chain, not a full initial-access chain; the report did not identify the initial entry point.",
"x_report_published_month": "2026-05",
"x_scope_note": "Published in May 2026; selected because the report gives concrete cloud-service infrastructure used by Webworm tooling against European targets.",
"x_selection_reason": "Included because the May 2026 report exposes enough infrastructure or malware-to-service relations to model an IIM chain without inventing indicators.",
"x_source_reports": [
"ESET WeLiveSecurity Webworm report"
],
"x_source_urls": [
"https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques/"
]
}
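The chain above names three cloud hosts in c2 or staging positions, and the e002 evidence singles out the Graph `createUploadSession` call as the GraphWorm behaviour. The script below is an added example, not code from the ESET report or from the MANTIS/IIM tooling: it walks a trimmed copy of the page's IIM JSON, refangs the indicators, and runs the resulting host list over constructed proxy log lines. Everything beyond the page's own data is an assumption: the log line format, the `SAMPLE_LOG` entries, and the `EXPECTED_GRAPH_CLIENTS` process allowlist. The design point a hunter needs is that `graph.microsoft.com` and `onedrive.live.com` are legitimate in every Microsoft 365 estate, so only the upload-session path from an unexpected process is treated as a match, whereas the specific S3 bucket is a hit on any contact.

```python
"""Added example: turn the Webworm IIM chain into a proxy-log hunt.

Not from the ESET report or MANTIS. IIM_CHAIN is a trimmed copy of the
page's JSON; the log format, SAMPLE_LOG and EXPECTED_GRAPH_CLIENTS are
assumptions a real deployment would replace with its own telemetry.
"""
import json
import re
from urllib.parse import urlsplit

# Trimmed copy of the page's IIM v1.1 chain: positions plus the entities they point at.
IIM_CHAIN = json.loads(r'''
{
  "chain": [
    {"entity_id": "e001", "role": "payload"},
    {"entity_id": "e002", "role": "c2"},
    {"entity_id": "e003", "role": "c2"},
    {"entity_id": "e004", "role": "payload"},
    {"entity_id": "e005", "role": "staging"}
  ],
  "entities": [
    {"id": "e001", "type": "file",   "value": "GraphWorm payload"},
    {"id": "e002", "type": "domain", "value": "graph.microsoft.com / Microsoft Graph API"},
    {"id": "e003", "type": "domain", "value": "onedrive.live.com / OneDrive-backed storage"},
    {"id": "e004", "type": "file",   "value": "WormFrp reverse proxy / exfiltration component"},
    {"id": "e005", "type": "domain", "value": "wamanharipethe.s3.ap-south-1.amazonaws[.]com"}
  ]
}
''')

# Assumed allowlist: processes expected to drive Graph/OneDrive upload sessions here.
EXPECTED_GRAPH_CLIENTS = {"outlook.exe", "onedrive.exe", "teams.exe", "winword.exe", "excel.exe"}
# Graph large-file upload endpoint (POST .../createUploadSession), the e002 behaviour.
GRAPH_UPLOAD_RE = re.compile(r"/createUploadSession$", re.IGNORECASE)
# Assumed log format: "<ts> <src_ip> <process> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<proc>\S+) "
                    r"(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def refang(value: str) -> str:
    """Undo the page's defanging so indicators compare against real hostnames."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def hunt_hosts(chain: dict) -> dict:
    """Map hostname -> role for every domain entity in a c2 or staging position.
    Entity values on the page are 'host / description' strings; keep the host part."""
    role_by_id = {pos["entity_id"]: pos["role"] for pos in chain["chain"]}
    hosts = {}
    for ent in chain["entities"]:
        role = role_by_id.get(ent["id"])
        if ent["type"] != "domain" or role not in ("c2", "staging"):
            continue
        hosts[refang(ent["value"].split(" / ")[0]).strip().lower()] = role
    return hosts


def classify(line: str, hosts: dict):
    """Return a hit dict for a suspicious line, or None for benign/unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    host = (url.hostname or "").lower()
    role = hosts.get(host)
    if role is None:
        return None
    proc = m["proc"].lower()
    hit = {"ts": m["ts"], "src": m["src"], "proc": proc, "host": host, "role": role}
    if role == "staging":
        # A specific attacker-used bucket: any contact is worth a ticket.
        return dict(hit, reason="traffic to WormFrp staging bucket")
    if host == "graph.microsoft.com":
        # Every M365 tenant talks to Graph; require the upload-session call from an
        # unexpected process before calling it GraphWorm-like.
        if GRAPH_UPLOAD_RE.search(url.path) and proc not in EXPECTED_GRAPH_CLIENTS:
            return dict(hit, reason="createUploadSession from unexpected process")
        return None
    # onedrive.live.com: flag only clients outside the allowlist.
    if proc not in EXPECTED_GRAPH_CLIENTS:
        return dict(hit, reason="OneDrive traffic from unexpected process")
    return None


def hunt(log_text: str, chain: dict = IIM_CHAIN) -> list:
    """Run classify() over every line and return hits in log order."""
    hosts = hunt_hosts(chain)
    hits = []
    for line in log_text.splitlines():
        hit = classify(line, hosts)
        if hit:
            hits.append(hit)
    return hits


# Constructed sample lines (not real telemetry): one benign Outlook upload,
# one GraphWorm-like upload, one OneDrive contact, one bucket contact, one control.
SAMPLE_LOG = """\
2026-05-20T09:00:01Z 10.0.0.5 OUTLOOK.EXE POST https://graph.microsoft.com/v1.0/me/drive/root:/q.docx:/createUploadSession 200
2026-05-20T09:00:07Z 10.0.0.5 svchost.exe POST https://graph.microsoft.com/v1.0/me/drive/items/01ABC/createUploadSession 200
2026-05-20T09:01:10Z 10.0.0.5 svchost.exe GET https://onedrive.live.com/?cid=abc 200
2026-05-20T09:02:30Z 10.0.0.9 rundll32.exe PUT https://wamanharipethe.s3.ap-south-1.amazonaws.com/out/recon.tar 200
2026-05-20T09:03:00Z 10.0.0.7 chrome.exe GET https://www.example.com/ 200
"""

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f'{h["ts"]} {h["src"]} {h["proc"]} -> {h["host"]} [{h["role"]}]: {h["reason"]}')
```

Against the constructed sample the hunt returns three hits (the svchost.exe upload session, the svchost.exe OneDrive contact, and the bucket PUT) and ignores the Outlook upload session and the control line. The allowlist is the knob to tune: a Graph-driven line-of-business app that legitimately uses `createUploadSession` belongs in `EXPECTED_GRAPH_CLIENTS`, and the S3 bucket match should be kept even if the bucket is later cleaned up, because the page records it as believed compromised or misconfigured rather than attacker-registered.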