#ESETresearch analyzed 2025 activity of the China-aligned Webworm APT group, focusing on its evolving toolset and techniques. www.welivesecurity.com/en/eset-rese... 1/8
Webworm’s latest campaigns mark a shift in its targeting away from Asia toward Europe and Africa. In 2025, it attacked governmental entities in Belgium, Italy, Serbia, Spain and Poland, as well as a university in South Africa. 2/8
The group seems to have stopped deploying the Trochilus and McRat backdoors; instead, it introduced new, custom-made backdoors: EchoCreep, which uses Discord for C&C communication, and GraphWorm, which uses Microsoft Graph API for the same purpose. 3/8
On an operator server, we discovered a directory listing with open-source utilities used to scrape victim web server files and directories, and to search for vulnerabilities within. One directory contained reconnaissance commands used against more than 50 unique targets. 4/8
While going over EchoCreep’s Discord messages, we uncovered a GitHub repository that was a direct fork of the legitimate WordPress repository. Webworm uses it as a file stager for its tools and malware. 5/8
The group also continues to employ various proxy utilities. In 2025, it added four custom-made ones to its arsenal: WormFrp, ChainWorm, SmuxProxy, and WormSocket. 6/8
We presented these findings at #ESETWorld2026 in a talk titled: China-aligned Webworm targets EU countries, abuses Discord and government-hosted public apps. 7/8
IoCs available in our GitHub repo: github.com/eset/malware... 8/8
#ESETresearch released its latest APT Activity Report (Oct 2025–Mar 2026): 🇨🇳China-aligned groups focused on Venezuela, Gulf states, and AI & robotics industry in 🇰🇷South Korea, while 🇰🇵North Korea-aligned APTs targeted the nuclear sector. Full report: web-assets.esetstatic.com/wls/en/paper...