VYPR
Research · Published May 20, 2026 · 3 sources

China-Linked Webworm APT Expands to European Governments with New Backdoors

ESET reveals that the China-linked APT group Webworm has expanded its cyber espionage operations beyond Asia, now targeting European government organizations with two new backdoors.

The China-aligned advanced persistent threat (APT) group known as Webworm has significantly broadened its geographic focus, moving beyond its traditional Asian targets to infiltrate government organizations across Europe. According to new research from ESET presented at ESET World in Berlin on May 19, the group has been actively targeting governmental bodies in Belgium, Italy, Poland, Serbia, and Spain throughout 2025. This expansion marks a notable evolution in Webworm's operational scope and demonstrates its growing capabilities in cyber espionage.

ESET principal threat researcher Robert Lipovsky described the campaign as "semi-opportunistic," noting that there was no clear correlation among the victim organizations. Alongside its European ventures, Webworm also compromised a university in South Africa, further illustrating its widening net. While the exact initial access vectors remain unclear for most victims, Lipovsky identified a vulnerability in the now-discontinued SquirrelMail webmail service as a likely entry point for the attack on the Serbian organization.

Webworm has deployed two new backdoors to support its expanded operations: EchoCreep and GraphWorm. EchoCreep leverages Discord for command-and-control (C2) communication, using the platform to upload files, send runtime reports, and receive commands. While Discord-based malware is not unprecedented, Lipovsky noted it remains relatively uncommon. GraphWorm, on the other hand, uses the Microsoft Graph API for C2, specifically relying on OneDrive endpoints to fetch new instructions and exfiltrate victim data.

During their investigation, ESET researchers decrypted over 400 Discord messages, which led them to an attacker-operated server used for reconnaissance against more than 50 unique targets. The decrypted messages also pointed to a GitHub repository containing staged artifacts, including the SoftEther VPN application. Inside the SoftEther configuration file, researchers found an IP address matching known Webworm infrastructure, confirming the link.

The group has also expanded its proxy toolkit, adding custom tools such as WormFrp, ChainWorm, SmuxProxy, and WormSocket. ChainWorm is specifically designed to extend Webworm's network of proxies, potentially building a large hidden network by tricking victims into running proxy software. WormFrp retrieves its configuration from a compromised Amazon Web Services (AWS) S3 bucket, letting the attackers exfiltrate data through a service the victim pays for.

Webworm's evolution reflects a broader trend among state-sponsored APT groups to diversify their tooling and expand their geographic reach. The use of legitimate cloud services like Discord, Microsoft Graph, and AWS for C2 and data exfiltration makes detection more challenging for defenders. As Webworm continues to refine its tactics, European government organizations must remain vigilant and bolster their defenses against these sophisticated espionage campaigns.
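As an added defender-side illustration (not code from ESET's research or from either source), the following Python sketch flags egress to the Discord message/webhook API and to Microsoft Graph OneDrive endpoints when it originates from processes that would not normally use those services. The sample events, the per-service expected-process lists and the URL path patterns are constructed assumptions to be tuned for a given environment.

```python
import re

# Constructed sample of proxy/EDR egress records:
# (endpoint hostname, process image, destination host, URL path).
# Illustrative only; these are not real Webworm indicators.
SAMPLE_EVENTS = [
    ("ws-01", "chrome.exe", "discord.com", "/app"),
    ("ws-01", "svchost_update.exe", "discord.com", "/api/v10/channels/1234/messages"),
    ("ws-02", "OneDrive.exe", "graph.microsoft.com", "/v1.0/me/drive/root/children"),
    ("ws-02", "taskhostw32.exe", "graph.microsoft.com", "/v1.0/me/drive/root:/tasks.txt:/content"),
    ("ws-03", "outlook.exe", "graph.microsoft.com", "/v1.0/me/messages"),
]

# Processes for which traffic to these services is expected.
# Assumption: an allow-list like this must be tuned per environment.
EXPECTED_PROCESSES = {
    "discord.com": {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
    "graph.microsoft.com": {"onedrive.exe", "outlook.exe", "teams.exe", "msedge.exe"},
}

# Path shapes matching the C2 behaviours described above:
# Discord channel-message/webhook API calls and Graph OneDrive item access.
SUSPICIOUS_PATHS = {
    "discord.com": re.compile(r"^/api/v\d+/(channels/\d+/messages|webhooks/)"),
    "graph.microsoft.com": re.compile(r"^/v1\.0/(me|users/[^/]+)/drives?/"),
}


def find_cloud_c2_candidates(events):
    """Return (host, process, dest, path) tuples where an unexpected process
    talks to a cloud service over a C2-like API path."""
    hits = []
    for host, proc, dest, path in events:
        pattern = SUSPICIOUS_PATHS.get(dest)
        if pattern is None or not pattern.search(path):
            continue  # not one of the watched services, or an ordinary path
        if proc.lower() in EXPECTED_PROCESSES.get(dest, set()):
            continue  # a client that legitimately uses this service
        hits.append((host, proc, dest, path))
    return hits


if __name__ == "__main__":
    for hit in find_cloud_c2_candidates(SAMPLE_EVENTS):
        print("review:", hit)
```

In the constructed sample only the two unfamiliar processes are reported; the browser, OneDrive client and Outlook traffic is left alone.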

New research from The Hacker News details that Webworm's 2025 toolkit includes two specifically named custom backdoors — EchoCreep and GraphWorm — which abuse Discord and Microsoft Graph API for command-and-control communications. This builds on ESET's prior reporting of the group's expansion into European targets, providing additional technical granularity on the malware's C2 channels that leverage legitimate cloud services to evade network defenses.

ESET's analysis of decrypted Discord messages revealed reconnaissance activity involving more than 50 unique targets, and uncovered an attacker-operated GitHub repository hosting malware and tools including SoftEther VPN. The group also compromised an AWS S3 bucket to exfiltrate data, with two files stolen from a Spanish government organization between December 2025 and January 2026.

Synthesized by Vypr AI