In 2025, Webworm, a China-aligned advanced persistent threat (APT) group, demonstrated a notable transformation in its cyber espionage capabilities. Initially documented in 2022, the group has expanded its targeting scope from primarily focusing on Asian organizations to including government entities across various European countries. This shift is accompanied by a significant evolution in their operational methodologies, particularly through the adoption of stealthier techniques and cloud-based command-and-control (C2) infrastructure.
One of the most striking developments from Webworm is the introduction of a new backdoor named GraphWorm. This malware uses Microsoft OneDrive, accessed through the Microsoft Graph API, for its C2 communications. It fits a growing trend of threat actors abusing legitimate cloud services so that malicious traffic blends into ordinary enterprise traffic, which complicates detection for both security tooling and analysts.
Historically, Webworm has been linked to other Chinese threat groups such as SixLittleMonkeys and FishMonger. Their earlier campaigns relied heavily on well-known malware families, including McRat and Trochilus. However, a recent report from ESET highlights that Webworm has transitioned away from traditional remote access trojans and is now focusing on lightweight backdoors and proxy tools. This shift not only offers greater flexibility but also reduces the forensic visibility of their operations.
GraphWorm is a clear expression of this strategic shift. Rather than contacting attacker-controlled servers, the malware communicates exclusively through OneDrive cloud storage. After infecting a system, GraphWorm derives a unique victim identifier from system attributes such as IP addresses, processor IDs, and hardware serial numbers. That identifier names a dedicated directory within a OneDrive tenant, so each compromised machine is isolated and its tasking is kept separate from the others.
Inside that OneDrive directory, GraphWorm organizes its functions into subfolders for tasking, results, and file transfers. Commands issued by the attackers are placed in a designated “job” folder, and execution results are uploaded to a “result” directory, giving the operation a clean structure. GraphWorm is also capable of large-scale data exfiltration through the Microsoft Graph API, moving files efficiently from compromised systems back to the attackers.
To shield its traffic from inspection, GraphWorm encrypts all communications with AES-256-CBC and Base64-encodes them before transmission, adding another layer of obfuscation against detection. The malware also supports proxy configurations, letting attackers route traffic through intermediary systems and further evade network monitoring tools.
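As an added detection example (not code from the article or from ESET), the following Python sketch hunts web-proxy logs for the GraphWorm traffic shape described above: steady, machine-like polling of Graph API drive paths combined with a “job”/“result” folder layout directly under a per-victim directory. The log format, host names, the victim-ID folder and the `/me/drive/root:/` path form are constructed assumptions; real environments would also need to cover app-only `/drives/{id}` addressing and tune the jitter threshold.

```python
"""Hunt for GraphWorm-style OneDrive C2 in web-proxy logs (added example).
Flags hosts polling graph.microsoft.com drive paths at a steady cadence and
touching a job/result folder layout under a per-victim directory."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: "<ISO time> <src host> <method> <url>"; folder "a1b2c3" is illustrative.
SAMPLE_LOG = """\
2025-03-01T09:00:00 ws-17 GET https://graph.microsoft.com/v1.0/me/drive/root:/a1b2c3/job:/children
2025-03-01T09:00:30 ws-17 GET https://graph.microsoft.com/v1.0/me/drive/root:/a1b2c3/job:/children
2025-03-01T09:01:00 ws-17 GET https://graph.microsoft.com/v1.0/me/drive/root:/a1b2c3/job:/children
2025-03-01T09:01:30 ws-17 PUT https://graph.microsoft.com/v1.0/me/drive/root:/a1b2c3/result/out.bin:/content
2025-03-01T09:02:00 ws-17 GET https://graph.microsoft.com/v1.0/me/drive/root:/a1b2c3/job:/children
2025-03-01T09:00:12 ws-04 GET https://graph.microsoft.com/v1.0/me/drive/root:/Documents/report.docx:/content
2025-03-01T11:47:55 ws-04 GET https://graph.microsoft.com/v1.0/me/drive/root/children
"""

GRAPH_DRIVE = re.compile(r"^https://graph\.microsoft\.com/v1\.0/\S*?/drive/root:/(?P<path>\S*)")
TASK_FOLDERS = {"job", "result"}  # folder names the article attributes to GraphWorm

def parse(log):
    for line in log.splitlines():
        ts, host, _method, url = line.split(" ", 3)
        m = GRAPH_DRIVE.match(url)
        if m:  # keep only path-addressed Graph drive requests
            yield datetime.fromisoformat(ts), host, m.group("path")

def score_hosts(log, min_requests=4, max_jitter=0.25):
    """Return {host: [reasons]} for hosts whose Graph drive usage looks like C2."""
    by_host = defaultdict(list)
    for ts, host, path in parse(log):
        by_host[host].append((ts, path))
    findings = {}
    for host, events in by_host.items():
        reasons = []
        # Second path segment = folder directly under the per-victim directory.
        subfolders = {p.split(":")[0].split("/")[1] for _, p in events if "/" in p.split(":")[0]}
        if subfolders & TASK_FOLDERS:
            reasons.append("per-victim job/result folder layout")
        times = sorted(t for t, _ in events)
        if len(times) >= min_requests:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            mean = statistics.mean(gaps)
            # Low coefficient of variation means scheduled polling, not a human browsing files.
            if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
                reasons.append(f"regular polling every ~{mean:.0f}s")
        if reasons:
            findings[host] = reasons
    return findings
```

Running `score_hosts(SAMPLE_LOG)` flags only ws-17, for both the folder layout and its 30-second polling; ws-04's ordinary document access is left alone.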
In conjunction with GraphWorm, Webworm has deployed another backdoor named EchoCreep, which uses Discord as its C2 communication channel. Researchers from ESET decrypted over 400 messages on Discord, shedding light on various operational methodologies employed by the group. These messages revealed critical insights into the organization of their attacks, including tracking victims, executing commands, and managing file transfers. Each victim is allocated a dedicated Discord channel, signifying a meticulously structured workflow within the group’s operations.
Beyond backdoors, Webworm has broadened its toolkit with custom proxy tools such as WormFrp, ChainWorm, SmuxProxy, and WormSocket. These let the group route traffic through chains of compromised systems, forming a concealed relay network that obscures its activities. The supporting infrastructure relies heavily on cloud hosting providers such as Vultr and IT7 Networks, further camouflaging the attackers’ movements.
Investigations have also revealed the exploitation of a misconfigured Amazon S3 bucket, which was utilized to store stolen data and tool configurations. The files retrieved from this bucket included virtual machine snapshots, credential dumping utilities, and sensitive data from various European government entities. This finding highlights successful post-exploitation activities and suggests potential lateral movement within targeted environments.
Webworm has also continued to use GitHub repositories as staging platforms for malware. By disguising malicious repositories as legitimate projects, such as a forked WordPress repository, the group delivers payloads while drawing little suspicion. ESET’s ongoing analysis indicates that Webworm also relies on open-source tools such as dirsearch and nuclei to scan target systems for vulnerabilities. Evidence has surfaced of attempts to exploit known vulnerabilities, such as CVE-2017-7692 in SquirrelMail, which may have provided initial access in some cases.
In 2025, the group’s campaign targeted various organizations across Belgium, Italy, Poland, Serbia, and Spain, with noticeable activity extending into South Africa. This geographical expansion underscores Webworm’s evolving strategic priorities and its increasing operational sophistication. The adoption of trusted platforms like OneDrive and Discord for C2 communication illustrates the modern threat actors’ trend of leveraging credible services to circumvent traditional security measures. As Webworm refines its techniques, cybersecurity professionals face escalating challenges in differentiating between legitimate cloud traffic and potentially harmful activities.
