Skip to main content
Threat IntelligenceEmerging Threats

Webworm APT Expands European Reach with Evolved Tactics

Government building facade with people walking in distance, laptop screen in foreground showing blurred code.

“semi-opportunistic,” Robert Lipovsky, principal threat researcher at ESET, said during ESET World in Berlin on 19 May when describing Webworm’s targeting pattern.

Webworm expands its reach to European governments and South Africa

ESET researchers’ analysis of Webworm activity in 2025 shows the China-aligned advanced persistent threat (APT) group moving beyond its prior Asia-focused campaigns and targeting government organizations in Belgium, Italy, Poland, Serbia and Spain. The team also documented a separate intrusion that compromised a local university in South Africa. Lipovsky told the conference that there was not necessarily a correlation among the victim organizations, describing the operation as “semi-opportunistic.”

Two new backdoors: EchoCreep and GraphWorm

During the investigation, ESET identified two newly deployed backdoors in Webworm operations. EchoCreep is a Discord-based backdoor that uses the Discord platform to upload files, send runtime reports and receive commands. GraphWorm relies on the Microsoft Graph application programming interface (API) for command-and-control communications and, according to ESET, uses OneDrive endpoints exclusively to fetch new jobs and to upload victim information.

Discord artefacts, decrypted messages and a GitHub breadcrumb trail

ESET researchers decrypted over 400 Discord messages and discovered an attacker-operated server that the adversary used for reconnaissance against more than 50 unique targets. Information pulled from those decrypted messages led the team to an attackers’ GitHub repository containing staged artifacts, including the SoftEther VPN application. Inside a SoftEther configuration file, ESET reported finding an IP address that matches a known Webworm IP — a linkage that tied the attacker tooling to observed infrastructure.

Proxy tooling and a growing hidden network: WormFrp, ChainWorm, SmuxProxy, WormSocket

Webworm’s toolset also features a range of proxy solutions, some newly added and custom-built. ESET named WormFrp, ChainWorm, SmuxProxy and WormSocket among the proxy elements observed. ChainWorm is specifically used to extend the network of proxies available to the group. ESET noted that, given the number of proxy tools and their complexity, Webworm may be constructing a much larger hidden network by tricking victims into running its proxies.

WormFrp was observed retrieving configurations from a compromised Amazon Web Services (AWS) S3 bucket. ESET said that, through that S3 bucket, Webworm has been able to leverage data exfiltration in a way that causes the victim user to pay for the service.

What this means for European governmental organizations, South African universities, and AWS S3 custodians

  • European governmental organizations: The shift in victims to Belgium, Italy, Poland, Serbia and Spain demonstrates that Webworm’s operational focus can extend across borders and target government networks; the group’s use of Discord and Microsoft Graph as transport channels underscores a preference for blending into legitimate cloud and social platforms.
  • South African universities: The documented compromise of a local university highlights that academic networks are included in Webworm’s scope and may be exposed by legacy services — in the Serbian case ESET identified a vulnerability in the discontinued SquirrelMail webmail service as a likely initial access vector.
  • AWS S3 custodians and cloud operators: ESET’s finding that WormFrp retrieved configurations from a compromised S3 bucket — and that the adversary used the bucket to exfiltrate data while billing the victim — is a concrete example of attackers abusing cloud storage for both operational convenience and to offload cost.

Conclusion: a hybrid of social, cloud and proxy techniques that widens operational options

ESET’s 2025 analysis sketches a Webworm campaign that layers relatively novel choices — Discord for C2, Microsoft Graph/OneDrive for job delivery and collection, plus a suite of custom proxy tools — atop more familiar espionage objectives. Decrypted Discord traffic, a GitHub staging area and a SoftEther configuration tying an IP to known Webworm infrastructure provide direct technical links between tooling and targets. Whether that hybrid model lets Webworm scale further across Europe and other regions will hinge on how defenders detect and disrupt the combination of social platforms, cloud APIs and proxy networks the group is now using.

Original story: Infosecurity Magazine — Webworm APT Evolves Tactics