Chinese APT Group Webworm

Researchers at ESET have published a detailed analysis of the 2025 operations of Webworm, a China-aligned Advanced Persistent Threat (APT) group previously focused on organizations in Asia. The group has now expanded its activities to Europe, targeting government bodies in Belgium, Italy, Poland, Serbia, and Spain, while also partnering with a university in South Africa.[1]

The Webworm threat group has links to other China-aligned actors, including SixLittleMonkeys and FishMonger. In earlier campaigns, it relied on established malware such as McRat (also known as 9002 RAT) and Trochilus, but has since shifted toward stealthier tools, including proxies and custom backdoors.  In 2025, Webworm introduced two custom backdoors. EchoCreep communicates exclusively through the free online chat platform Discord, uploading files, sending runtime reports, and receiving commands via crafted HTTP requests to Discord APIs.  ESET analysts decrypted more than 400 messages from an attacker-controlled server and identified four unique channels, each linked to a different victim.

The second backdoor, GraphWorm, abuses the Microsoft Graph API and relies on OneDrive endpoints. It creates a dedicated directory for each victim to retrieve new tasks and exfiltrate information. The backdoor can handle large files through the /createUploadSession endpoint. The group has also expanded its proxy capabilities. Alongside existing open-source tools such as iox and frp, Webworm now deploys custom solutions named WormFrp, ChainWorm, SmuxProxy, and WormSocket. These proxies support encryption and multi-host chaining, both internally and externally.
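As an added example (not code from ESET's report or from Red Sky Alliance), a small hunting script over constructed proxy log lines that flags the two traffic patterns described above from a defender's side: Discord channel-message API calls and Graph/OneDrive upload requests, including /createUploadSession, originating from processes that would not normally talk to those services. The log format and the process allow-lists are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (assumed format): ts host process method url
SAMPLE_LOG = """\
2026-01-12T09:00:01Z WS-017 chrome.exe GET https://discord.com/api/v10/users/@me
2026-01-12T09:00:07Z WS-017 svchost.exe POST https://discord.com/api/v10/channels/1234/messages
2026-01-12T09:01:10Z WS-022 OneDrive.exe PUT https://graph.microsoft.com/v1.0/me/drive/root:/docs/a.txt:/content
2026-01-12T09:02:30Z WS-022 rundll32.exe POST https://graph.microsoft.com/v1.0/me/drive/root:/tasks/WS-022/out.bin:/createUploadSession
2026-01-12T09:03:00Z WS-031 explorer.exe GET https://www.example.com/
"""

# Processes for which the respective cloud API traffic is expected (assumed allow-lists).
DISCORD_OK = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
GRAPH_OK = {"onedrive.exe", "outlook.exe", "teams.exe", "excel.exe", "winword.exe"}

# Discord channel message endpoint; Graph/OneDrive content upload or upload-session creation.
DISCORD_MSG = re.compile(r"^/api/v\d+/channels/\d+/messages")
GRAPH_UPLOAD = re.compile(r"/createUploadSession$|:/content$")

def parse_line(line):
    ts, host, proc, method, url = line.split(maxsplit=4)
    u = urlparse(url)
    return {"ts": ts, "host": host, "proc": proc.lower(), "method": method,
            "domain": u.netloc.lower(), "path": u.path}

def classify(rec):
    """Return a finding label, or None if the request matches an expected process."""
    if rec["domain"] == "discord.com" and DISCORD_MSG.match(rec["path"]):
        if rec["proc"] not in DISCORD_OK:
            return "discord-channel-messages-from-unexpected-process"
    if rec["domain"] == "graph.microsoft.com" and GRAPH_UPLOAD.search(rec["path"]):
        if rec["proc"] not in GRAPH_OK:
            return "graph-onedrive-upload-from-unexpected-process"
    return None

def hunt(log_text):
    """Return (host, process, label) for every suspicious request in the log."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        label = classify(rec)
        if label:
            findings.append((rec["host"], rec["proc"], label))
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(*finding)
```

Allow-listing by process name is a coarse first filter; on real data, pair it with the signing status of the process and the volume and timing of requests per channel or per OneDrive folder.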

All proxy and VPN infrastructure runs on cloud servers hosted by Vultr and IT7 Networks. Analysts believe the actor may be building a larger hidden network by compromising victims to run these proxies. ESET recovered commands from the attacker-operated server that revealed reconnaissance activity against more than 50 unique targets.  The server contained evidence of an open-source vulnerability scanner in use. Attribution to Webworm was confirmed through a GitHub repository linked via decrypted Discord messages from EchoCreep. The repository contained staged artifacts, including a SoftEther VPN configuration file that included an IP address previously associated with the group.

Webworm has begun abusing a compromised Amazon Web Services S3 bucket (wamanharipethe.s3.ap-south-1.amazonaws.com) to store configurations and exfiltrated data. The bucket appears to originate from a legitimate business (whpjewellers) whose storage costs the victim’s organization now bears. Between December 2025 and January 2026, the actors uploaded 20 new files, including two from a Spanish government entity: an mRemoteNG XML configuration and a Microsoft Visio diagram of the infrastructure. Earlier uploads included virtual machine snapshots from an Italian government environment and the credential-dumping tool SharpSecretsdump.

Webworm has moved away from full-featured remote access trojans such as Trochilus and McRat in favor of these lighter, harder-to-detect tools. The group continues to stage malware on GitHub repositories for direct delivery to victims. Services identified during the investigation, including the GitHub repository and the compromised S3 bucket, have since been taken down. Affected organizations were notified.

In an expert comment, ESET researcher Eric Howard said: “Through our analysis, we were fortunate enough to recover commands executed from a server that gave a view into the group’s potential initial access techniques, using an open-source vulnerability scanner as well as identifying some of its focused targets.” The full research highlights Webworm’s continued evolution toward stealth and its growing interest in European governmental networks.

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information (CTI) via a notification/Tier I analysis service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122


[1] https://www.cybersecurityintelligence.com/blog/chinese-apt-group-webworm-shifts-target-to-europe-9402.html
