#ESETresearch analyzed 2025 activity of the 🇨🇳-aligned Webworm APT group, focusing on its evolving toolset and techniques. https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques/
Webworm’s latest campaigns mark a shift in its targeting away from Asia toward Europe and Africa. In 2025, it attacked governmental entities in 🇧🇪 Belgium, 🇮🇹 Italy, 🇷🇸 Serbia, 🇪🇸 Spain and 🇵🇱 Poland, as well as a university in 🇿🇦 South Africa.
The group seems to have stopped deploying the Trochilus and McRat backdoors; instead, it introduced new, custom-made backdoors: EchoCreep, which uses Discord for C&C communication, and GraphWorm, which uses Microsoft Graph API for the same purpose.
On an operator server, we discovered a directory listing with open-source utilities used to scrape files and directories from victim web servers and to search them for vulnerabilities. One directory contained reconnaissance commands used against more than 50 unique targets.
While going over EchoCreep’s Discord messages, we uncovered a GitHub repository that was a direct fork of the legitimate WordPress repository. Webworm uses it as a file stager for its tools and malware.
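A detection angle that follows from the two points above (Discord and Microsoft Graph API used for C&C, a forked WordPress repository on GitHub used as a file stager): the traffic itself goes to legitimate services, so the useful signal is which process on the endpoint is talking to them. The block below is an added example, not ESET's code and not taken from the report; the log format, the process allowlists and the sample records are all constructed assumptions to be tuned per environment, and the exact URL paths the malware uses are not given on this page, so matching is on host plus a coarse path prefix.

```python
"""Added detection sketch (not ESET's code): flag endpoints where an
unexpected process talks to the legitimate cloud services that Webworm's
EchoCreep (Discord), GraphWorm (Microsoft Graph API) and its GitHub file
stager abuse. Log format, allowlists and sample data are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# Services named in the thread as C&C / staging channels.
# Path prefixes are coarse; the page does not give the malware's exact URLs.
SERVICES = {
    "discord": {"hosts": ("discord.com", "discordapp.com"), "path_prefix": "/api/"},
    "graph":   {"hosts": ("graph.microsoft.com",),          "path_prefix": "/"},
    "github":  {"hosts": ("raw.githubusercontent.com", "github.com",
                          "objects.githubusercontent.com"), "path_prefix": "/"},
}

# Processes assumed to legitimately reach each service in this estate.
# Tune per environment; an over-broad allowlist hides the backdoor.
EXPECTED = {
    "discord": {"chrome.exe", "msedge.exe", "firefox.exe", "discord.exe"},
    "graph":   {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe",
                "ms-teams.exe", "onedrive.exe"},
    "github":  {"chrome.exe", "msedge.exe", "firefox.exe", "git.exe", "code.exe"},
}


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    process: str
    dest: str
    path: str


def parse_line(line: str) -> Event:
    """Parse one whitespace-separated proxy/EDR record (constructed format):
    <ts> <endpoint> <process> <dest_host> <url_path>"""
    ts, host, process, dest, path = line.split(maxsplit=4)
    return Event(ts, host, process.lower(), dest.lower(), path)


def classify(ev: Event):
    """Return the abused-service label for an event, or None if not of interest."""
    for name, spec in SERVICES.items():
        if ev.dest in spec["hosts"] and ev.path.startswith(spec["path_prefix"]):
            return name
    return None


def detect(lines):
    """Return one alert per (endpoint, process) that contacts an abused service
    without being on that service's allowlist. Severity is 'high' when the
    same process touches two or more such services (e.g. Discord C&C plus a
    GitHub stager, the combination the thread describes), else 'medium'."""
    hits = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        svc = classify(ev)
        if svc and ev.process not in EXPECTED[svc]:
            hits[(ev.host, ev.process)].add(svc)
    alerts = []
    for (host, proc), svcs in sorted(hits.items()):
        sev = "high" if len(svcs) >= 2 else "medium"
        alerts.append({"host": host, "process": proc,
                       "services": sorted(svcs), "severity": sev})
    return alerts


# Constructed sample log lines (not real telemetry, placeholder IDs/paths).
SAMPLE_LOG = """\
2025-06-03T10:15:22Z WS-014 chrome.exe discord.com /api/v10/users/@me
2025-06-03T10:16:01Z WS-014 svchost.exe discord.com /api/v10/channels/0/messages
2025-06-03T10:16:09Z WS-014 svchost.exe raw.githubusercontent.com /example/wordpress/master/readme.html
2025-06-03T10:20:45Z WS-022 outlook.exe graph.microsoft.com /v1.0/me/messages
2025-06-03T10:21:13Z WS-022 rundll32.exe graph.microsoft.com /v1.0/drives/0/root/children
2025-06-03T10:25:00Z WS-031 git.exe github.com /example/project.git/info/refs
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this raises a high-severity alert for svchost.exe on WS-014 (Discord API plus a raw GitHub fetch from the same process) and a medium one for rundll32.exe on WS-022 (Graph API from a process with no business using it); the browser, Outlook and git traffic is left alone. The allowlist is the part that needs care: in a real estate it should be derived from a baseline of observed process-to-service pairs rather than guessed, and process names alone are spoofable, so pair this with image path and signer checks from the EDR.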
The group also continues to employ various proxy utilities. In 2025, it added four custom-made ones to its arsenal: WormFrp, ChainWorm, SmuxProxy, and WormSocket.
We presented these findings at #ESETWorld2026 in a talk titled: China-aligned Webworm targets EU countries, abuses Discord and government-hosted public apps.
IoCs available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/webworm