The China-aligned advanced persistent threat (APT) group Webworm has expanded its victim list beyond Asia, shifting focus to European governmental organisations as it evolves its tactics, according to Infosecurity Magazine. Analysis of Webworm activity in 2025 by ESET researchers found it targeting government organisations in Belgium, Italy, Poland, Serbia and Spain, with a foray into South Africa affecting a local university.
Speaking during ESET World in Berlin on 19 May, Robert Lipovsky, principal threat researcher at ESET, said there was not necessarily a correlation among the victim organisations and the operation seemed to be semi-opportunistic.
Two new backdoors have been added to the campaign: EchoCreep, a Discord-based backdoor used to upload files, send runtime reports and receive commands, and GraphWorm, which uses the Microsoft Graph API for command-and-control (C2) communication and exclusively leverages OneDrive endpoints to obtain new jobs and upload victim information. Both hide their C2 traffic inside legitimate, widely used cloud services, so the destination domain alone gives a defender little to block on.
The researchers decrypted over 400 Discord messages, discovered an attacker-operated server used for reconnaissance against more than 50 unique targets, and traced staged artefacts, such as the SoftEther VPN application, in the attackers' GitHub repository. The attackers also continued to use proxy tools, some newly added, such as WormFrp, ChainWorm, SmuxProxy and WormSocket, to extend their proxy network, and WormFrp has been used to retrieve configurations from a compromised AWS S3 bucket for data exfiltration.
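The common thread in the tooling above is that C2, tasking and exfiltration ride on legitimate services (Discord's API, the Graph API's OneDrive endpoints, an S3 bucket), so a practical detection keys on which process is talking to them and how regularly, not on the domain. The following is an added example written for this page, not ESET's or the attackers' code: it runs a simple allowlist-plus-polling heuristic over a few constructed proxy log lines. The log format, hostnames, process names, the "jobs"/"out" OneDrive paths and the bucket name are all assumptions for illustration, not indicators from the report.

```python
"""Added example: flag endpoint processes that use cloud services the way the
backdoors described above do. Log lines, process allowlists and paths are
constructed for illustration; nothing here is an IOC from the ESET research."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log: "<timestamp> <host> <process> <method> <url>"
SAMPLE_LOG = """\
2025-05-19T08:00:01Z WS-01 outlook.exe GET https://graph.microsoft.com/v1.0/me/messages
2025-05-19T08:00:07Z WS-02 svchost.exe GET https://graph.microsoft.com/v1.0/me/drive/root:/jobs:/children
2025-05-19T08:00:08Z WS-02 svchost.exe PUT https://graph.microsoft.com/v1.0/me/drive/root:/out/WS-02.bin:/content
2025-05-19T08:01:07Z WS-02 svchost.exe GET https://graph.microsoft.com/v1.0/me/drive/root:/jobs:/children
2025-05-19T08:02:07Z WS-02 svchost.exe GET https://graph.microsoft.com/v1.0/me/drive/root:/jobs:/children
2025-05-19T08:03:12Z WS-03 updater.exe GET https://discord.com/api/v10/channels/1234/messages
2025-05-19T08:03:13Z WS-03 updater.exe POST https://discord.com/api/v10/channels/1234/messages
2025-05-19T08:05:00Z WS-04 chrome.exe GET https://discord.com/channels/@me
2025-05-19T08:06:00Z WS-05 frpc.exe GET https://example-bucket.s3.amazonaws.com/config.ini
"""

# Assumed per-environment allowlists: which processes are expected to talk to
# each service. Tune these to your own baseline before relying on them.
ALLOWED = {
    "discord_api": {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
    "graph_drive": {"onedrive.exe", "chrome.exe", "msedge.exe", "firefox.exe",
                    "excel.exe", "winword.exe"},
    "s3": {"chrome.exe", "msedge.exe", "firefox.exe", "aws.exe"},
}


def classify(url):
    """Map a URL to one of the watched service classes, or None."""
    p = urlparse(url)
    host, path = p.netloc.lower(), p.path.lower()
    if host == "discord.com" and path.startswith("/api/"):
        return "discord_api"           # bot-style API use, not the web client
    if host == "graph.microsoft.com" and "/drive" in path:
        return "graph_drive"           # OneDrive endpoints via Graph
    if (host.endswith(".amazonaws.com") and ".s3." in host) or host.startswith("s3."):
        return "s3"
    return None


def parse_line(line):
    ts, host, proc, method, url = line.split(" ", 4)
    return {"ts": ts, "host": host, "proc": proc.lower(), "method": method, "url": url}


def detect(log_text, min_polls=3):
    """Return findings: unexpected process per service, plus repeated polling
    of one URL (a tasking loop) by any process."""
    findings, seen = [], set()
    polls = defaultdict(int)           # (host, proc, url) -> GET count
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        svc = classify(rec["url"])
        if svc is None:
            continue
        key = (rec["host"], rec["proc"], svc)
        if rec["proc"] not in ALLOWED[svc] and key not in seen:
            seen.add(key)
            findings.append({"host": rec["host"], "proc": rec["proc"], "service": svc,
                             "reason": "unexpected process", "url": rec["url"]})
        if rec["method"] == "GET":
            polls[(rec["host"], rec["proc"], rec["url"])] += 1
    for (host, proc, url), n in polls.items():
        if n >= min_polls:
            findings.append({"host": host, "proc": proc, "service": classify(url),
                             "reason": f"repeated polling ({n} GETs)", "url": url})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['host']} {f['proc']} {f['service']}: {f['reason']} {f['url']}")
```

On the constructed log this reports svchost.exe (OneDrive tasking and an upload), updater.exe (Discord API) and frpc.exe (S3 config fetch) as unexpected, and separately flags the minute-by-minute polling of the same OneDrive listing; the Chrome session on the Discord web client and Outlook's mailbox call are left alone. The allowlists are deliberately the weak point: a backdoor injected into an allowed process (a browser or OneDrive itself) passes the first check, which is why the polling rhythm is kept as an independent signal.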