Webworm APT Expands Operations to Europe with New Backdoors
Severity: High (Score: 75.5)
Sources: Feeds2.Feedburner, infosec.exchange, Eset, www.globenewswire.com, Globenewswire
Keywords: webworm, group, targets, european, organizations, china-aligned, rats
Severity indicators: apt, ics, worm, rat
Summary
The China-aligned APT group Webworm has shifted its focus from Asia to Europe, targeting government organizations in Belgium, Italy, Poland, Serbia, and Spain during 2025. ESET researchers identified new backdoors, EchoCreep and GraphWorm, which utilize Discord and Microsoft Graph API for command-and-control communication. The group has also compromised a university in South Africa. Webworm's tactics have evolved, moving away from traditional RATs like Trochilus and 9002 RAT to more stealthy proxy tools and custom malware. The attackers have been observed using GitHub repositories to stage their malware, enhancing their evasion techniques. Victims have been notified, and some identified services have been taken down. The group is linked to previous operations and continues to adapt its methods.

Key Points:
- Webworm has expanded its targeting from Asia to European government organizations.
- New backdoors EchoCreep and GraphWorm utilize Discord and Microsoft Graph API for C2.
- The group is known for staging malware in GitHub repositories to evade detection.
Detailed Analysis
**Impact**
Government organizations in Belgium, Italy, Poland, Serbia, and Spain were targeted during 2025, alongside a university in South Africa. The affected sectors include public administration and education, with espionage-focused data exfiltration likely. The operation impacted at least 50 unique targets, with victims spanning multiple European countries and one African institution. Data at risk includes sensitive government information and academic data, with potential operational disruption from persistent backdoor access.

**Technical Details**
Initial access vectors include exploitation of a vulnerability in the discontinued SquirrelMail webmail service and use of decoy documents with custom loaders. Webworm employs a range of malware including customized versions of Trochilus, Gh0st RAT, and 9002 RAT, alongside the new backdoors EchoCreep (Discord-based C2) and GraphWorm (Microsoft Graph API-based C2). The group uses multiple proxy tools (SoftEther VPN, WormFrp, ChainWorm, SmuxProxy, WormSocket) and cloud infrastructure from Vultr, IT7 Networks, and AWS S3 buckets for staging and data exfiltration. Over 400 Discord messages were decrypted, revealing attacker infrastructure and reconnaissance activity.

**Recommended Response**
Apply patches or mitigations for vulnerabilities in legacy webmail services like SquirrelMail and monitor for unusual Discord and Microsoft Graph API traffic indicative of EchoCreep and GraphWorm activity. Block known IOCs including IP addresses linked to Webworm infrastructure and GitHub repositories used for malware staging. Deploy detections for custom proxy tools and RAT behaviors, and monitor AWS S3 bucket access for anomalous data transfers. Prioritize network segmentation and restrict use of unauthorized VPN and proxy tools to limit lateral movement.
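The monitoring recommendation above (unusual Discord and Microsoft Graph API traffic, plus known Webworm IP addresses) can be turned into a first-pass triage over web-proxy logs. The following is an added example written for this page; it is not code from ESET, Symantec or any of the sources listed. It assumes a simplified proxy log format (the sample lines are constructed), an environment where Discord is not a sanctioned service, and a user-agent heuristic for recognising Microsoft's own Graph clients; the five IP addresses are the IPv4 indicators listed under "Related entities" on this page.

```python
"""Proxy-log triage for Discord / Microsoft Graph C2 channels and Webworm IP hits.

Added example, not code from ESET or from the sources on this page.
Assumptions: a simplified proxy log format (constructed below), Discord is
not sanctioned in the monitored environment, and legitimate Graph traffic
comes from Microsoft clients whose user-agents carry known prefixes.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# IPv4 indicators listed under "Related entities" on this page.
WEBWORM_IPS = {
    "104.243.23.43", "108.61.200.151", "144.168.60.233",
    "45.77.13.67", "64.176.85.158",
}

# Destinations used by the EchoCreep (Discord) and GraphWorm (Graph API) channels.
DISCORD_HOSTS = {"discord.com", "discordapp.com", "gateway.discord.gg"}
GRAPH_HOSTS = {"graph.microsoft.com"}

# Assumption: Microsoft's own clients identify themselves with these prefixes.
# Anything else talking to Graph deserves a closer look; tune for your estate.
MS_CLIENT_UA_PREFIXES = ("Microsoft Office", "Outlook", "Teams", "OneDrive")

# Assumed log format: <ts> <src> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) '
    r'https?://(?P<host>[^/ ]+)(?P<path>\S*) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    host: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines: Iterable[str],
           graph_allowed_sources: frozenset = frozenset()) -> List[Finding]:
    """Flag three things: contact with a listed Webworm IP, any Discord traffic,
    and Graph API traffic from an unexpected client or unapproved source host."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # malformed line: skip rather than crash the run
            continue
        host = rec["host"].lower()
        if host in WEBWORM_IPS:
            findings.append(Finding(rec["ts"], rec["src"], host, "webworm-ip"))
        elif host in DISCORD_HOSTS:
            findings.append(Finding(rec["ts"], rec["src"], host, "discord-api"))
        elif (host in GRAPH_HOSTS
              and rec["src"] not in graph_allowed_sources
              and not rec["ua"].startswith(MS_CLIENT_UA_PREFIXES)):
            findings.append(Finding(rec["ts"], rec["src"], host,
                                    "graph-unexpected-client"))
    return findings


def hits_per_source(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per internal source so repeated beaconing stands out."""
    return dict(Counter(f.src for f in findings))


# Constructed sample log: one benign Outlook-to-Graph request, one benign
# web request, three suspicious requests from 10.20.4.52, and a garbage line.
SAMPLE_LOG = """\
2025-06-03T08:12:01Z 10.20.4.17 GET https://graph.microsoft.com/v1.0/me/messages 200 "Outlook/16.0 (Windows NT 10.0)"
2025-06-03T08:12:44Z 10.20.4.52 POST https://discord.com/api/v10/channels/123/messages 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2025-06-03T08:13:10Z 10.20.4.52 GET https://graph.microsoft.com/v1.0/me/drive/root/children 200 "python-requests/2.31"
2025-06-03T08:13:30Z 10.20.4.52 GET http://45.77.13.67/ 200 "Mozilla/5.0"
2025-06-03T08:14:02Z 10.20.4.17 GET https://www.example.gov/index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
this line is garbage and should be skipped
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f.ts} {f.src} -> {f.host}: {f.reason}")
    print("hits per source:", hits_per_source(results))
```

The Graph check is deliberately the noisiest of the three: Outlook, Teams and OneDrive all talk to graph.microsoft.com constantly, so the user-agent prefix list and the `graph_allowed_sources` allowlist are where most tuning happens. Where endpoint telemetry is available, keying on the originating process rather than the user-agent string is the better signal, since a backdoor can present any user-agent it likes.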
Source articles (12)
- China-Linked Webworm APT Evolves Tactics, Expands to European Targets — Infosecurity-Magazine · 2026-05-20
  The China-aligned advanced persistent threat (APT) group Webworm has expanded its victim list beyond Asia, shifting focus to European governmental organizations as it evolves its tactics. Analysis of…
- ESET Research discovers new China-aligned group, GopherWhisper: It abuses messaging ... — Eset · 2026-05-20
  Dubai, UAE - 29th April 2026 : — ESET researchers have discovered a previously undocumented China-aligned APT group that they named GopherWhisper. The group wields a wide array of tools, mostly writte…
- Webworm: New burrowing techniques — Welivesecurity · 2026-05-20
  ESET researchers analyzed the 2025 activity of Webworm, a China-aligned APT group that started out targeting organizations in Asia, but has recently shifted its focus to Europe. Even though this is ou…
- Webworm APT targets European government organizations with new backdoors — Feeds2.Feedburner · 2026-05-20
  ESET has released an analysis of the 2025 activity of Webworm, a China-aligned APT group tracked as Space Pirates and UAT-8302. Active since at least 2022, the group initially focused on targets in As…
- Webworm Espionage Rats — symantec-enterprise-blogs.security.com · 2026-05-20
  Symantec, by Broadcom Software, has gained insight into the current activities of a group we call Webworm. The group has developed customized versions of three older remote access Trojans (RATs), inc…
- China's Webworm Uses Discord, Microsoft Graphs to Hack EU Govts. — Darkreading · 2026-05-22
  Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa and the Asia Pacific. The advanced persistent threat g…
- Webworm Uses Discord and Microsoft Graph in Government Attacks — Petri · 2026-05-26
  Webworm is abusing trusted cloud services to stealthily target European government networks. A China-linked cyber-espionage group called Webworm is intensifying attacks against European government org…
- ESET Research APT Report: China-aligned groups spy in — Globenewswire · 2026-05-28
  TALLIN, Estonia, May 27, 2026 (GLOBE NEWSWIRE) -- ESET is proud to announce that it is joining a strategic partnership with NATO alongside Microsoft and Palo Alto Networks. This collaboration is an...…
- GlobeNewswire Inc. ESET Research APT Report: China-aligned groups spy in Venezuela and the Gulf, target AI robotics in S. Korea 28 May 2026, 13:00 PM — www.globenewswire.com · 2026-05-30
  TALLIN, Estonia, May 27, 2026 (GLOBE NEWSWIRE) -- ESET is proud to announce that it is joining a strategic partnership with NATO alongside Microsoft and Palo Alto Networks. This collaboration is an...…
- SharpSecretsdump — github.com · 2026-05-20
- Secretsdump.py — github.com · 2026-05-20
- @ESETresearch — infosec.exchange · 2026-05-20
Timeline
- 2017-04-20 — CVE-2017-7692 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2025-01-01 — Webworm's European targeting begins: Webworm initiates cyber espionage campaigns against government organizations in Europe, marking a shift from its previous focus on Asia.
- 2025-05-19 — ESET presents findings at ESET World: ESET researchers reveal details of Webworm's activities and new tactics during a presentation in Berlin.
- 2025-05-20 — Webworm's activities reported: ESET publishes a comprehensive analysis of Webworm's 2025 campaigns, detailing its new tools and targets.
CVEs
Related entities
- FishMonger (Apt Group)
- GopherWhisper (Apt Group)
- SixLittleMonkeys (Apt Group)
- Webworm (Apt Group)
- Malware (Attack Type)
- Zero-day Exploit (Attack Type)
- Belgium (Country)
- China (Country)
- Czechia (Country)
- Georgia (Country)
- Hungary (Country)
- Italy (Country)
- Mongolia (Country)
- Nigeria (Country)
- Poland (Country)
- Russia (Country)
- Serbia (Country)
- South Africa (Country)
- South Korea (Country)
- Spain (Country)
- CWE-269 - Improper Privilege Management (Cwe)
- CWE-94 - Code Injection (Cwe)
- amazonaws.com (Domain)
- fishmonger.in (Domain)
- powershell.exe.at (Domain)
- proxy.ae (Domain)
- sh.it (Domain)
- socket.io (Domain)
- technologies.it (Domain)
- wamanharipethe.s3.ap-south-1.amazonaws.com (Domain)
- welivesecurity.com (Domain)
- whpjewellers.s3.amazonaws.com (Domain)
- Government (Industry)
- 104.243.23.43 (Ipv4)
- 108.61.200.151 (Ipv4)
- 144.168.60.233 (Ipv4)
- 45.77.13.67 (Ipv4)
- 64.176.85.158 (Ipv4)
- 9002 RAT (Malware)
- BoxOfFriends (Malware)
- CompactGopher (Malware)
- EchoCreep (Malware)
- FriendDelivery (Malware)
- Gh0st RAT (Malware)
- GraphWorm (Malware)
- JabGopher (Malware)
- LaxGopher (Malware)
- McRat (Malware)
- PlugX (Malware)
- RatGopher (Malware)
- SSLORDoor (Malware)
- Trochilus (Malware)
- T1003 - OS Credential Dumping (Mitre Attack)
- T1041 - Exfiltration Over C2 Channel (Mitre Attack)
- T1055 - Process Injection (Mitre Attack)
- T1059.001 - PowerShell (Mitre Attack)
- T1059.003 - Windows Command Shell (Mitre Attack)
- T1071.001 - Web Protocols (Mitre Attack)
- T1071 - Application Layer Protocol (Mitre Attack)
- T1090 - Proxy (Mitre Attack)
- T1190 - Exploit Public-Facing Application (Mitre Attack)
- T1548.001 - Setuid And Setgid (Mitre Attack)
- T1567.002 - Exfiltration to Cloud Storage (Mitre Attack)
- T1567 - Exfiltration Over Web Service (Mitre Attack)
- T1574 - Hijack Execution Flow (Mitre Attack)
- Amazon S3 (Platform)
- Discord (Platform)
- GitHub (Platform)
- Microsoft 365 Outlook (Platform)
- Microsoft Outlook (Platform)
- Slack (Platform)
- SquirrelMail (Platform)
- Windows (Platform)
- Amazon Web Services (Company)
- file.io (Company)
- Microsoft Graph API (Tool)
- OneDrive (Tool)
- ChainWorm (Tool)
- Dirsearch (Tool)
- FRP (Tool)
- Go-written Iox (Tool)
- Impacket (Tool)
- Nuclei (Tool)
- Secretsdump.py (Tool)
- SharpSecretsdump (Tool)
- SmuxProxy (Tool)
- SoftEther VPN (Tool)
- Whisper.dll (Tool)
- WormFrp (Tool)
- WormSocket (Tool)
- 28d78e52420906794e4059a603fa9f22d5d6e4479d91e9046a97318c83998679 (Sha256)
- 3629d2ce400ce834b1d4b7764a662757a9dc95c1ef56411a7bf38fb5470efa84 (Sha256)
- 6201c604ac7b6093dc8f6f12a92f40161508af1ddffa171946b876442a66927e (Sha256)
- 824100a64c64f711b481a6f0e25812332cc70a13c98357dd26fb556683f8a7c7 (Sha256)
- a618b3041935ec3ece269effba5569b610da212b1aa3968e5645f3e37d478536 (Sha256)
- b9a0602661013d973bc978d64b7abb6bed20cf0498d0def3acb164f0d303b646 (Sha256)
- c71e0979336615e67006e20b24baafb19d600db94f93e3bf64181478dfc056a8 (Sha256)
- e69177e58b65dd21e0bbe4f6caf66604f120e0c835f3ee0d16a45858f5fe9d90 (Sha256)