
China-Linked Webworm APT Enhances Tactics and Expands Focus to European Targets


European Targets in Focus: Webworm’s Evolving Tactics

The China-aligned advanced persistent threat (APT) group known as Webworm is widening its operational focus. Originally concentrated on victims in Asia, Webworm has broadened its targeting to include several governmental organizations across Europe, a notable shift in its espionage operations.

According to ESET's 2025 analysis, Webworm has been implicated in attacks on government entities in Belgium, Italy, Poland, Serbia, and Spain, extending its data-theft and intelligence-gathering activity well beyond its traditional Asian scope. Robert Lipovsky, a principal threat researcher at ESET, said during the ESET World conference in Berlin on May 19 that there does not appear to be a direct link among the targeted organizations. He characterized the operation as "semi-opportunistic," meaning that victim selection seems driven more by what is accessible than by any specific strategic priority.

Webworm has also reached into South Africa, compromising a local university. The initial-access vectors are still being pieced together, but Lipovsky pointed to a likely entry point in the Serbian case: weaknesses in the organization's installation of SquirrelMail, a now-discontinued webmail product, may have given the attackers their foothold. An internet-facing, unmaintained webmail server is exactly the kind of accessible target a semi-opportunistic actor looks for.

New Tools in the Arsenal: Backdoors over Discord and Microsoft Graph

Webworm's evolving toolset includes two newly developed backdoors, EchoCreep and GraphWorm. EchoCreep uses Discord as its command-and-control channel: it uploads files, reports on its runtime, and receives commands through the platform. Lipovsky noted that while Discord has been abused as a C2 channel before, doing so remains relatively rare, making it an unusual twist in Webworm's tradecraft.

GraphWorm, by contrast, uses Microsoft's Graph API for command-and-control. ESET researchers observed it reading tasks from and writing victim data to OneDrive endpoints, so its traffic is TLS to a legitimate Microsoft host and blends with ordinary Microsoft 365 activity. The practical consequence for defenders is that blocking the destination is not an option; detection has to rest on which process is talking to Graph and on the identity whose token it uses.
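Both backdoors share the same detection problem: the destination is a legitimate service, so the signal is in who is talking to it and how. As an added example (not ESET's tooling and not code from the campaign), the Python script below runs that hunt over proxy-style log lines, flagging processes outside an allow-list that read Discord channel messages or post to webhooks (the EchoCreep pattern) or read and write OneDrive items through Graph (the GraphWorm pattern), and rating a host "high" when one process does both the tasking pull and the data push. The log format, the allow-list of expected processes, and every sample line are constructed for this illustration.

```python
"""Hunting for EchoCreep-style (Discord) and GraphWorm-style (Graph/OneDrive)
C2 traffic in proxy logs.

Added example for this article; it is not ESET's tooling and not code from the
campaign.  The log format (one request per line: timestamp, source IP, process
name, method, URL, status, bytes) and all sample lines are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Services the two backdoors abuse, as described in the article.
SUSPECT_HOSTS = {
    "discord.com": "discord",
    "discordapp.com": "discord",
    "graph.microsoft.com": "graph",
}

# API paths that carry tasking or uploads.  Discord: channel message reads
# and webhook posts.  Graph: OneDrive item reads/writes.
API_PATTERNS = {
    "discord": re.compile(r"^/api/(?:v\d+/)?(?:channels/\d+/messages|webhooks/)"),
    "graph": re.compile(r"^/(?:v1\.0|beta)/(?:me/drive|drives/|users/[^/]+/drive)"),
}

# Processes expected to talk to each service.  Assumption for this example;
# tune it to your estate.  Anything else hitting these paths is worth a look.
EXPECTED_PROCESSES = {
    "discord": {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
    "graph": {"onedrive.exe", "outlook.exe", "ms-teams.exe", "excel.exe", "winword.exe"},
}

UPLOAD_METHODS = {"POST", "PUT", "PATCH"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Constructed sample log.  Lines 2-3 and 5-6 model a backdoor: a process that
# has no business with these APIs pulls tasking (GET) and then pushes data.
SAMPLE_LOG = [
    "2025-05-19T10:01:02Z 10.0.0.5 discord.exe GET https://discord.com/api/v10/channels/000000000000000000/messages?limit=50 200 812",
    "2025-05-19T10:01:44Z 10.0.0.5 svchost.exe GET https://discord.com/api/v10/channels/000000000000000000/messages?limit=5 200 2231",
    "2025-05-19T10:02:10Z 10.0.0.5 svchost.exe POST https://discord.com/api/webhooks/000000000000000000/WEBHOOK_TOKEN 204 51200",
    "2025-05-19T10:03:00Z 10.0.0.7 onedrive.exe PUT https://graph.microsoft.com/v1.0/me/drive/root:/Documents/report.docx:/content 201 40960",
    "2025-05-19T10:03:30Z 10.0.0.9 wuauclt.exe GET https://graph.microsoft.com/v1.0/me/drive/root:/tasks/cmd.txt:/content 200 128",
    "2025-05-19T10:04:00Z 10.0.0.9 wuauclt.exe PUT https://graph.microsoft.com/v1.0/me/drive/root:/results/out.bin:/content 201 73728",
    "2025-05-19T10:05:00Z 10.0.0.11 chrome.exe GET https://www.example.com/ 200 5123",
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    url = urlparse(rec["url"])
    rec["host"] = (url.hostname or "").lower()
    rec["path"] = url.path
    rec["bytes"] = int(rec["bytes"])
    return rec


def classify(rec):
    """Return the abused service name if this request looks like C2, else None."""
    service = SUSPECT_HOSTS.get(rec["host"])
    if service is None or not API_PATTERNS[service].search(rec["path"]):
        return None
    if rec["proc"].lower() in EXPECTED_PROCESSES[service]:
        return None
    return service


def hunt(lines):
    """Return (findings, summary).

    findings: every suspicious request with its direction.
    summary: one entry per (src, process, service); "high" when the same
    process both pulled tasking and pushed data, i.e. the full C2 loop the
    article describes for both backdoors.
    """
    findings = []
    directions = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        service = classify(rec)
        if service is None:
            continue
        direction = "upload" if rec["method"] in UPLOAD_METHODS else "download"
        key = (rec["src"], rec["proc"].lower(), service)
        directions[key].add(direction)
        findings.append({
            "ts": rec["ts"], "src": rec["src"], "proc": rec["proc"],
            "service": service, "direction": direction,
            "path": rec["path"], "bytes": rec["bytes"],
        })
    summary = [
        {"src": src, "proc": proc, "service": service,
         "severity": "high" if {"upload", "download"} <= dirs else "medium"}
        for (src, proc, service), dirs in directions.items()
    ]
    return findings, summary


if __name__ == "__main__":
    found, summ = hunt(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['src']} {f['proc']:<12} {f['service']:<7} "
              f"{f['direction']:<8} {f['bytes']:>6}B {f['path']}")
    for s in summ:
        print(f"[{s['severity']}] {s['src']} {s['proc']} -> {s['service']}")
```

On the constructed sample this flags the two svchost.exe Discord requests and the two wuauclt.exe Graph requests and rates both hosts high, while the browser, Discord client and OneDrive client traffic passes. In production the process name would come from EDR or a proxy with endpoint attribution rather than a plain web proxy log, and the Graph side should be paired with Entra ID sign-in and consent logs, since any request to graph.microsoft.com is made with an OAuth token tied to a user or app identity that can itself be disabled.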

During the investigation, ESET's team decoded more than 400 Discord messages and uncovered an attacker-operated server being used for reconnaissance against more than 50 distinct targets. Those messages led the researchers to a GitHub repository the attackers used to stage artifacts, among them the SoftEther VPN application. An IP address in the SoftEther configuration file matched known Webworm infrastructure, tying the repository to the group's activity.

The Expansion of Webworm’s Network

Webworm's strategy also relies heavily on proxies, including several newly developed custom tools: WormFrp, ChainWorm, SmuxProxy, and WormSocket. Together they point to a concerted effort to build a larger hidden relay network. ESET assesses that the approach may involve tricking unsuspecting victims into running these proxies, allowing Webworm to route its traffic through the compromised systems.

ChainWorm chains proxies together, improving the availability of relays at Webworm's disposal and adding another layer of difficulty for organizations trying to trace or disrupt the traffic. WormFrp, for its part, retrieves its configuration from Amazon Web Services (AWS) S3 buckets in compromised accounts and uses them for exfiltration, so the victim ends up paying for the storage and bandwidth the attackers consume.

Taken together, Webworm's recent activity marks a real shift: by extending its reach beyond Asia and increasingly targeting European governmental organizations, and by hiding its command-and-control inside Discord, Microsoft Graph and victim-funded cloud storage, the group has become harder both to predict and to detect. Organizations in its expanded target set should treat legacy internet-facing services as likely entry points and look for processes that have no business talking to these platforms.
