ESET researchers analyzed the 2025 activity of Webworm, a China-aligned APT group that started out targeting organizations in Asia, but has recently shifted its focus to Europe. Even though this is our first public blogpost on the group, we have been observing Webworm’s activities ever since Symantec first reported on this threat actor in 2022. Over the years, we have seen that this threat actor continually changes its tactics, techniques, and procedures (TTPs).

Webworm is linked to other China-aligned APT groups such as SixLittleMonkeys and FishMonger. In the past, it made use of well-known malware families such as McRat (aka 9002 RAT) and Trochilus, though in recent years, it has started moving toward both existing and custom proxy tools, which are more stealthy than full-fledged backdoors. In 2025, Webworm also added two new backdoors to its toolset: EchoCreep, which uses Discord for C&C communication, and GraphWorm, which uses Microsoft Graph API for the same purpose. The group is also known for staging its malware and tools in GitHub repositories, ensuring that malware can be directly downloaded onto the victim’s machine.

Key points of this post:

  • Since its discovery in 2022, the Webworm APT group has been actively updating its toolset and targeting.
  • In 2025, the group started employing backdoors that use Discord and Microsoft Graph API for C&C communication.
  • ESET researchers decrypted over 400 Discord messages and a bash history file discovered on an operator server with reconnaissance commands used against more than 50 unique targets.
  • In addition to backdoors, Webworm leverages multiple existing and custom proxy tools.
  • The group uses GitHub to stage its malware.

We attribute the 2025 campaign to Webworm based on the information we discovered after decrypting the Discord messages used by the EchoCreep backdoor for C&C communication. The information led us to the attackers’ GitHub repository, which contained staged artifacts such as the SoftEther VPN application. Inside the SoftEther configuration file, we found an IP address that matches a known Webworm IP.

Victims who were impacted by Webworm from countries mentioned later in this post have been appropriately notified. In addition, services we have identified, such as a GitHub repository and an S3 bucket, have been taken down.

Evolving Approach

In 2022, one of Webworm’s main characteristics was the use of established backdoors and remote access trojans (RATs) such as McRat and Trochilus. As described in the Symantec blogpost, the group originally targeted mainly countries in Asia.

In 2024, we observed that the group started to move away from traditional backdoors in favor of legitimate or semi-legitimate tools, such as VPN and proxy software (SoftEther VPN) and other networking solutions. While these help Webworm evade detection, they lack the command set of a full-fledged backdoor, so the operators have to run their commands through interpreters such as cmd.exe or powershell.exe.

At that time, we also saw that the group started to slow down operations in Asia and shift its focus toward European countries. This trend continued in 2025, with the attacks we observed targeting governmental organizations in Belgium, Italy, Serbia, and Poland. At the same time, Webworm also made a foray into South Africa, compromising a local university.

In these latest campaigns, Webworm seems to have abandoned Trochilus and McRat altogether, while continuing to expand its toolset. Chief among the new tools are two new backdoors: the Discord-based EchoCreep, and the Microsoft Graph-based GraphWorm. While the group continued to use existing proxy solutions, specifically the Go-written iox (port forwarding and intranet proxy tool) and frp (fast reverse proxy), it also added custom proxy solutions WormFrp, ChainWorm, SmuxProxy, and WormSocket.

These custom proxy tools not only encrypt their communications but also support chaining across multiple hosts, both inside and outside a victim network. We believe that the operators use them together with SoftEther VPN to cover their tracks and make their activity harder to spot. All Webworm proxy and VPN servers are cloud hosts in network ranges controlled by Vultr and IT7 Networks. Given the number and complexity of its proxy tools, Webworm may be building a much larger covert network by getting victims' hosts to run its proxies.

Discord and Microsoft Graph API C&C Communication

In 2025, Webworm started abusing Discord and Microsoft Graph API for C&C communication. While analyzing the EchoCreep backdoor, we managed to uncover more than 400 Discord messages. We also found four unique channels, each corresponding to a different victim. EchoCreep uses Discord to upload files, send runtime reports, and receive commands. The backdoor’s network communication passes through Discord APIs using crafted HTTP requests.

GraphWorm, which uses the Microsoft Graph API for C&C communication, relies exclusively on OneDrive endpoints: it polls a OneDrive directory for new jobs and uploads victim information to it, with a separate directory created for each victim. Because the attacker-controlled OneDrive lives in Microsoft's cloud, the backdoor can use the Graph API's /createUploadSession endpoint, which provides resumable, chunked uploads for files above the simple-upload size limit, to exfiltrate large staged files.

Amazon S3 Bucket

During our investigation of the 2025 campaigns, we discovered that Webworm had started using its custom proxy solution WormFrp to retrieve configurations from a compromised Amazon S3 bucket located at wamanharipethe.s3.ap-south-1.amazonaws[.]com. Amazon S3 (Simple Storage Service) is the object storage service of Amazon Web Services; a bucket is a container for objects that is private by default and becomes reachable by anyone only when its policy, ACL, or public access settings allow it. We believe that the compromised bucket is the publicly accessible, and possibly policy-misconfigured, counterpart of whpjewellers.s3.amazonaws[.]com.

Our initial review of the files stored in the bucket revealed several snapshots from virtual machine hosts, one of which contained the current configuration and active state of a machine belonging to a governmental entity in Italy. This could mean that the operators were able to successfully penetrate the environment responsible for managing the victim’s virtual machines. However, they could just as well have gained access to only a single host where snapshots were stored. Either way, it is apparent that through this S3 bucket, Webworm can exfiltrate data while an unsuspecting victim foots the bill for the service.

In late October 2025, the threat actors uploaded another file to the S3 bucket, an executable named SharpSecretsdump. This tool, as mentioned in its documentation, mimics the activity of the infamous secretsdump.py from Impacket to dump credentials from the affected Windows host it is deployed on. We assume that Webworm operators uploaded this tool to the S3 bucket for use against their victims.

Between December 2025 and January 2026, the operators uploaded 20 new files to the service, two of which had been exfiltrated from a governmental entity in Spain. The first of these two files, an XML file, contains the saved configurations of virtual hosts used by mRemoteNG, an open-source remote connection manager. The second file is a Microsoft Visio diagram detailing the infrastructure behind a domain used by this governmental entity.
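A bucket that attackers can both read configurations from and upload exfiltrated files to is typically one whose bucket policy grants anonymous principals read and write actions. The following Python script is an added example that is not part of ESET's analysis and does not reproduce the policy of any bucket named above: it shows a constructed weak policy beside a hardened one (bucket name, account ID and VPC endpoint ID are placeholders) and a small evaluator that reports effective anonymous read, write and list access, taking the bucket's PublicAccessBlock configuration into account.

```python
import fnmatch
import json

# Constructed bucket policies for this example; neither is the policy of any bucket
# named in the post. The weak one lets any unauthenticated principal list, read and
# write objects, which is what turns a bucket into free attacker-controlled storage.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "OpenToEveryone",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
  }]
}""")

# Hardened form: a named role in the owning account (placeholder ID), read-only,
# and a condition that pins requests to a known VPC endpoint (placeholder ID).
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ReadFromVpcOnly",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-reader"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}
  }]
}""")


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, the forms that grant to everyone."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _action_matches(pattern, action):
    """Case-insensitive glob match for IAM action strings such as s3:Put*."""
    return fnmatch.fnmatch(action.lower(), pattern.lower())


def public_statements(policy):
    """Allow statements granted to anonymous principals with no Condition at all.

    Treating any Condition as restrictive is deliberately conservative: a
    condition such as aws:SecureTransport does not limit who can call, so
    statements with conditions deserve a manual review rather than a pass.
    """
    return [
        s for s in _as_list(policy.get("Statement", []))
        if s.get("Effect") == "Allow" and _is_anonymous(s.get("Principal")) and not s.get("Condition")
    ]


def public_access(policy, public_access_block=None):
    """Summarise effective anonymous access for a bucket policy.

    public_access_block mirrors the S3 PublicAccessBlock configuration. With
    RestrictPublicBuckets enabled, S3 ignores public bucket policies, so such a
    policy is reported as public but not effective.
    """
    statements = public_statements(policy)
    actions = {a for s in statements for a in _as_list(s.get("Action", []))}
    blocked = bool((public_access_block or {}).get("RestrictPublicBuckets"))

    def granted(wanted):
        return any(_action_matches(pattern, wanted) for pattern in actions) and not blocked

    return {
        "policy_is_public": bool(statements),
        "anonymous_read": granted("s3:GetObject"),
        "anonymous_write": granted("s3:PutObject"),
        "anonymous_list": granted("s3:ListBucket"),
        "blocked_by_public_access_block": bool(statements) and blocked,
    }


if __name__ == "__main__":
    print("weak:    ", public_access(WEAK_POLICY))
    print("weak+PAB:", public_access(WEAK_POLICY, {"RestrictPublicBuckets": True}))
    print("hardened:", public_access(HARDENED_POLICY))
```

The evaluator only looks at the bucket policy; a bucket can also be exposed through a public-read-write ACL or through NotPrincipal and NotAction constructs, which it does not model. In a real review, feed it the output of `aws s3api get-bucket-policy` and `aws s3api get-public-access-block`, and treat anonymous write as the finding that matters most, since that is what lets a third party use the bucket as a drop site at the owner's expense.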

GitHub Repository

While going over EchoCreep's Discord C&C infrastructure, we retrieved the Discord snowflake identifiers of the users, channels, and guilds involved. However, with the limited permissions granted to the bot's token, no API call was available that would enumerate the owners of the server or of the bot itself.

However, the Discord messages revealed the GitHub repository https://github[.]com/anjsdgasdf/WordPress, which acts as a file stager for other tools and malware used by Webworm (one such tool used the compromised Amazon S3 bucket mentioned above). As a direct fork of the legitimate WordPress repository, it could hide in plain sight. Figure 1 shows an overview of this repository, with staged files placed into the wp-admin directory.

Figure 1. Forked WordPress repository

Worming Its Way In

Although we were unable to identify the entry point Webworm uses to compromise its victims, we discovered that the group uses open-source utilities to enumerate files and directories on victim web servers and to scan them for vulnerabilities.

We found this after noticing that a victim machine was communicating with a proxy server hosted at 64.176.85[.]158. Review of the IP address showed that an open directory, which contained the aforementioned open-source utilities, had previously been hosted there on port 80. Figure 2 provides a top-level view into this open directory listing.

Figure 2. Open directory listing

The directories relevant to this post are nuclei/ and .dirsearch/, along with the .bash_history file. As Figure 3 shows, Webworm operators used dirsearch, a web path scanner that can filter results by HTTP status code, to brute force directories and files on victim web servers, and nuclei, an open-source template-based vulnerability scanner, to look for exploitable weaknesses on specific targets.

Figure 3. History of nuclei and dirsearch

The results of running dirsearch were stored in the .dirsearch/ directory on the operator server, and the bash history file contained reconnaissance commands used against more than 50 unique targets, providing a detailed record of the group’s scanning activity across its victim infrastructure.
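Arriving at a figure such as "more than 50 unique targets" from an operator's shell history means parsing every dirsearch and nuclei invocation for its target arguments and deduplicating the hosts. The following Python script is an added example, not ESET's tooling, that does this over a constructed .bash_history excerpt (the hostnames are placeholders and the lines were not taken from the operator server in the post); it handles wrapper commands such as python3, inline `--flag=value` syntax, comma-separated nuclei targets, and records list files passed with -l, whose contents the history alone cannot reveal.

```python
import shlex
from urllib.parse import urlsplit

# Constructed .bash_history excerpt for this example; the hosts are placeholders and
# the lines are not taken from the operator server described in the post.
SAMPLE_HISTORY = """\
cd /root/nuclei
./nuclei -u https://portal.example.gov -t cves/ -severity high,critical -o portal.txt
./nuclei -target www.example.org,api.example.org -t http/misconfiguration/
cd /root/dirsearch
python3 dirsearch.py -u https://portal.example.gov -i 200,301,302 -x 403,404 -e php,asp
python3 dirsearch.py --url=http://intranet.example.org:8080/ --exclude-status 404
python3 dirsearch.py -l targets.txt -e php
ls -la .dirsearch/reports/
"""

# Leading tokens that do not identify the tool being run.
WRAPPERS = {"sudo", "python", "python3", "proxychains", "proxychains4", "nohup"}

# Flags each scanner uses for a single target or for a file of targets.
TARGET_FLAGS = {"nuclei": {"-u", "-target"}, "dirsearch": {"-u", "--url"}}
LIST_FLAGS = {"nuclei": {"-l", "-list"}, "dirsearch": {"-l", "--url-list"}}


def tool_of(argv):
    """Identify the scanner a command line invokes, looking past wrappers like python3."""
    for tok in argv:
        if tok in WRAPPERS:
            continue
        name = tok.rsplit("/", 1)[-1]
        if name.endswith(".py"):
            name = name[:-3]
        return name if name in TARGET_FLAGS else None
    return None


def host_of(target):
    """Reduce a URL or a bare host[:port] to its lower-cased hostname."""
    if "://" not in target:
        target = "http://" + target
    return (urlsplit(target).hostname or "").lower()


def _flag_values(argv, flags):
    """Yield values for flags written as `-f value` or `--flag=value`."""
    for i, tok in enumerate(argv):
        name, eq, inline = tok.partition("=")
        if name in flags:
            if eq:
                yield inline
            elif i + 1 < len(argv):
                yield argv[i + 1]


def recon_targets(history_text):
    """Extract scanner targets from shell history.

    Returns per-tool host sets, the union of all hosts, and any target-list
    files referenced with -l style flags (their contents are not in the history,
    so the true target count is a lower bound when this set is non-empty).
    """
    result = {"per_tool": {t: set() for t in TARGET_FLAGS}, "hosts": set(), "list_files": set()}
    for line in history_text.splitlines():
        try:
            argv = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes; skip rather than guess
        tool = tool_of(argv)
        if tool is None:
            continue
        for value in _flag_values(argv, TARGET_FLAGS[tool]):
            for target in value.split(","):
                host = host_of(target.strip())
                if host:
                    result["per_tool"][tool].add(host)
                    result["hosts"].add(host)
        result["list_files"].update(_flag_values(argv, LIST_FLAGS[tool]))
    return result


if __name__ == "__main__":
    summary = recon_targets(SAMPLE_HISTORY)
    for tool, hosts in summary["per_tool"].items():
        print(f"{tool}: {sorted(hosts)}")
    print(f"unique hosts: {len(summary['hosts'])}, list files: {sorted(summary['list_files'])}")
```

On the constructed history this yields four unique hosts plus one unresolved target list, targets.txt; on a real operator server that file, along with the reports under .dirsearch/ and any nuclei output files named with -o, is the next thing to pull, since it often contains targets that never appear on the command line.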