China-Linked Webworm APT Evolves Tactics, Expands to European Targets


The China-aligned advanced persistent threat (APT) group Webworm has expanded its victim list beyond Asia, shifting focus to European governmental organizations as it evolves its tactics.

Analysis of Webworm activity in 2025 by ESET researchers found it targeting government organizations in Belgium, Italy, Poland, Serbia and Spain. The group is known for its cyber espionage campaigns.

Speaking during ESET World in Berlin on 19 May, Robert Lipovsky, principal threat researcher at ESET, said that there was not necessarily a correlation among the victim organizations and the operation seemed to be “semi-opportunistic”.

Alongside the European ventures, Webworm made a foray into South Africa, compromising a local university.

While the exact entry point for Webworm campaigns is not 100% clear, Lipovsky noted that in the case of the Serbian victim organization, a vulnerability in the now discontinued SquirrelMail webmail service was identified as the likely way the attacker gained initial access.

Two New Backdoors Added to Webworm Campaign

The group has deployed two new backdoors: the Discord-based EchoCreep and the Microsoft Graph-based GraphWorm.

The EchoCreep backdoor uses Discord to upload files, send runtime reports and receive commands.

Lipovsky said it is not the first time Discord has been identified as being used as a backdoor, but it is certainly not very common.

GraphWorm uses the Microsoft Graph application programming interface (API) for command-and-control (C2) communication. ESET researchers also discovered that it uses OneDrive endpoints exclusively, specifically to fetch new jobs and to upload victim information.
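Both backdoors described above hide C2 traffic inside legitimate SaaS services (Discord messaging for EchoCreep, Graph/OneDrive drive-item endpoints for GraphWorm), so plain domain blocking is of little use. The following added example is not from the ESET report or the article; it sketches one defensive check a detection engineer could run over endpoint proxy logs: parse which process contacted which service path, and flag Discord channel-message or Graph OneDrive requests that come from a process not on a per-service allowlist of expected clients. The log format, host names, process names and the allowlist are constructed assumptions and would be tuned to a real environment.

```python
"""Detection sketch: flag processes using Discord messaging or Microsoft Graph
OneDrive endpoints that are not on an allowlist of expected client software.
Added example; log lines and allowlist are constructed, not from the report."""
import re
from collections import defaultdict

# Constructed sample log lines: timestamp host process dest_host path
SAMPLE_LOGS = """\
2025-05-19T10:01:02Z ws-017 Discord.exe discord.com /api/v9/channels/123/messages
2025-05-19T10:01:05Z ws-017 OneDrive.exe graph.microsoft.com /v1.0/me/drive/root/children
2025-05-19T10:02:11Z srv-mail-02 svchost.exe discord.com /api/v9/channels/987/messages
2025-05-19T10:02:40Z srv-mail-02 svchost.exe graph.microsoft.com /v1.0/me/drive/root:/jobs/new.txt:/content
2025-05-19T10:03:01Z ws-042 msedge.exe graph.microsoft.com /v1.0/me/messages
2025-05-19T10:03:30Z srv-mail-02 svchost.exe graph.microsoft.com /v1.0/me/drive/root:/upload/host.txt:/content
"""

# Processes expected to talk to each service (assumption: tune per environment).
EXPECTED_CLIENTS = {
    "discord.com": {"discord.exe"},
    "graph.microsoft.com": {"onedrive.exe", "msedge.exe", "outlook.exe", "teams.exe"},
}

# Paths characteristic of the two channels: Discord channel messaging, and
# Graph OneDrive drive-item access (job retrieval / file upload).
SUSPICIOUS_PATHS = {
    "discord.com": re.compile(r"^/api/v\d+/channels/\d+/messages"),
    "graph.microsoft.com": re.compile(r"^/v1\.0/(me|users/[^/]+|drives/[^/]+)/drive"),
}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Split one constructed log line into its fields; None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, dest, path = m.groups()
    return {"ts": ts, "host": host, "proc": proc, "dest": dest, "path": path}


def is_suspicious(entry):
    """True when a non-allowlisted process hits a channel-style path on a watched service."""
    dest = entry["dest"]
    if dest not in SUSPICIOUS_PATHS:
        return False
    if not SUSPICIOUS_PATHS[dest].match(entry["path"]):
        return False
    return entry["proc"].lower() not in EXPECTED_CLIENTS[dest]


def find_suspicious(log_text):
    """Return {(host, process): [dest+path, ...]} for unexpected SaaS-channel use."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            hits[(entry["host"], entry["proc"])].append(entry["dest"] + entry["path"])
    return dict(hits)


if __name__ == "__main__":
    for (host, proc), urls in find_suspicious(SAMPLE_LOGS).items():
        print(f"{host} {proc}: {len(urls)} unexpected SaaS-channel requests")
        for url in urls:
            print("   ", url)
```

On the constructed sample, the legitimate Discord and OneDrive clients pass, the browser's Graph mail request is ignored because it touches no drive path, and the unrecognised process on the mail server is reported once for its Discord channel access and twice for its OneDrive job-fetch and upload paths. The allowlist is the weak point of this approach: it has to be maintained, and a real-world rule should also correlate on signing status or parent process rather than executable name alone.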

During the investigation, the team decrypted over 400 Discord messages and discovered an attacker-operated server used for reconnaissance against more than 50 unique targets.

The information from the decrypted messages led researchers to the attackers’ GitHub repository, which contained staged artifacts such as the SoftEther VPN application.

Inside the SoftEther configuration file, ESET said it found an IP address that matches a known Webworm IP.

The attackers also continued to use proxy solutions, including newly added custom proxy tools: WormFrp, ChainWorm, SmuxProxy and WormSocket.

Based on the number of proxy tools and their complexities, Webworm may be creating a much larger hidden network by tricking victims into running its proxies, ESET noted.

The ChainWorm element is specifically used to extend the network of proxies available to Webworm.

Finally, WormFrp has been used to retrieve configurations from a compromised Amazon Web Services (AWS) S3 bucket. Through the S3 bucket, Webworm has been able to exfiltrate data while the victim user pays for the service.
