Overview
- ESET reports that the China-aligned Webworm group pivoted in 2025 to European government targets in Belgium, Italy, Poland, Serbia and Spain, and also compromised a university in South Africa.
- The group introduced two backdoors, EchoCreep and GraphWorm, that route commands through Discord and Microsoft Graph with OneDrive to blend with normal cloud traffic.
- Researchers decrypted more than 400 Discord messages, uncovering reconnaissance against over 50 targets, and traced the group's tooling to an attacker-run GitHub repository that hosted SoftEther VPN.
- A SoftEther configuration from that repository referenced an IP previously tied to Webworm, and the operators broadened a proxy toolkit that includes WormFrp, ChainWorm, SmuxProxy and WormSocket.
- Webworm pulled configurations from a compromised AWS S3 bucket that was also used for data theft, including files taken from a Spanish government entity. The exact initial-access methods remain unclear, although one Serbian case is likely linked to a SquirrelMail flaw.