Safeguarding governmental and academic networks requires continuous adaptation as attackers evolve their methods to evade detection. Recent research published by security vendor ESET details new activity from Webworm, a China-aligned advanced persistent threat (APT) group first identified in 2022. While the group historically focused on organizations in Asia, ESET researcher Eric Howard notes that Webworm has shifted its attention to governmental organizations across Europe, including Belgium, Italy, Serbia, Spain, and Poland, as well as a university in South Africa.
The analysis, which covers Webworm’s activities between early 2024 and early 2025, shows a distinct transition in the group's tactics, techniques, and procedures (TTPs). Originally, Webworm relied on well-known malware tools such as McRat and Trochilus. Because these tools generate known signatures, artifacts, and network traffic patterns, they are relatively straightforward for defenders to detect.
To improve stealth, Webworm transitioned in 2024 toward proxy-based network tunneling tools. These include semi-legitimate solutions like SOCKS proxies and SoftEther VPN, which function as middlemen between the threat actor and the affected organization. In 2025, the group abandoned Trochilus and McRat entirely, adopting two new custom backdoors that leverage legitimate cloud services for command and control (C2):
EchoCreep: Uses the Discord chat application to upload files, send runtime reports, and receive commands. It passes network communications through the Discord API using crafted HTTP requests. Webworm sets up a different Discord server for each affected organization.
GraphWorm: Relies on the Microsoft Graph API, utilizing OneDrive endpoints to receive new instructions and upload data. Similar to EchoCreep, GraphWorm uses a distinct OneDrive directory for each affected organization.
The shift toward unconventional C2 mechanisms aligns with a broader trend in threat actor tradecraft, where groups increasingly abuse legitimate platforms (ranging from Google Calendar to the Solana blockchain) so that their traffic blends in with normal administrative activity.
ESET identified Webworm’s recent infrastructure by decrypting over 400 Discord messages used by EchoCreep. This decryption uncovered a GitHub repository used to stage files, allowing the group to easily download tools directly onto the affected machine. Within the repository’s files, researchers found a SoftEther VPN configuration containing an IP address previously associated with Webworm.
Beyond Discord and Microsoft Graph, Webworm employs a complex internal network to encrypt communications and chain connections across multiple hosts. This infrastructure relies on cloud servers hosted by Vultr and IT7 Networks. The group utilizes the port-forwarding tool iox, alongside custom proxies named ChainWorm, SmuxProxy, WormFrp, and WormSocket. Researchers also observed the group using WormFrp to retrieve configurations from a compromised Amazon S3 bucket.
While the precise initial access vector remains unconfirmed, Howard indicates that Webworm routinely uses open-source vulnerability scanners to evaluate web server files and directories for misconfigurations. This suggests the group identifies vulnerabilities within an environment and deploys its backdoors post-compromise, establishing access to conduct long-term espionage.
To protect environments from these techniques and limit the risk of unauthorized access, organizations can take the following evidence-based steps:
Prioritize vulnerability management: Because vulnerability discovery is a primary entry method for this group, organizations should maintain rigorous patching schedules and proactively limit the public exposure of internal assets.
Monitor non-standard communications: Security teams should review network and endpoint telemetry for processes or applications that have no business reason to communicate with Discord, Microsoft Graph, or Amazon S3 endpoints.
Audit data transfers: Evaluate any data transfers directed to these cloud services, particularly when such connections fall outside of the organization's standard operational workflows.
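The two monitoring steps above (unexpected processes reaching Discord, Microsoft Graph, or S3, and unusually large transfers to those services) can be expressed as a small triage script. The following is an added example written for this article, not code from ESET or from the report: the log format, the host and process names, the per-service allowlist of expected processes, and the 1 MiB volume threshold are all constructed assumptions that a team would replace with its own telemetry and baseline.

```python
"""Flag processes that contact cloud services abused as C2 (Discord, Microsoft Graph,
Amazon S3) and sum outbound bytes per host/process/service so large transfers stand out."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample endpoint-telemetry lines. The format, hosts, processes and byte
# counts are assumptions for this example, not data from the ESET report.
SAMPLE_LOG = """\
2025-02-03T09:14:02Z host=WS-0412 pid=4120 proc=chrome.exe dst=discord.com:443 bytes_out=2048
2025-02-03T09:15:11Z host=WS-0412 pid=5312 proc=svc_update.exe dst=graph.microsoft.com:443 bytes_out=512
2025-02-03T09:15:41Z host=WS-0412 pid=5312 proc=svc_update.exe dst=graph.microsoft.com:443 bytes_out=1048576
2025-02-03T09:16:05Z host=SRV-DB01 pid=990 proc=updater.exe dst=discord.com:443 bytes_out=3072
2025-02-03T09:16:20Z host=SRV-DB01 pid=990 proc=updater.exe dst=cdn.discordapp.com:443 bytes_out=65536
2025-02-03T09:17:00Z host=WS-0099 pid=7788 proc=OneDrive.exe dst=graph.microsoft.com:443 bytes_out=8192
2025-02-03T09:18:33Z host=SRV-WEB02 pid=2201 proc=w3wp.exe dst=files-bucket.s3.amazonaws.com:443 bytes_out=4096
2025-02-03T09:18:50Z host=SRV-BK01 pid=3100 proc=backup-agent.exe dst=backups.s3.amazonaws.com:443 bytes_out=20480
2025-02-03T09:19:00Z host=WS-0412 pid=1200 proc=outlook.exe dst=outlook.office365.com:443 bytes_out=10240
not a log line
"""

# Service domains (matched by suffix) that the article says Webworm's backdoors use.
WATCHED_SUFFIXES = {
    "discord.com": "Discord",
    "discordapp.com": "Discord",
    "graph.microsoft.com": "Microsoft Graph",
    "s3.amazonaws.com": "Amazon S3",
}

# Assumed per-environment baseline of processes with a business reason to reach each
# service. The names are illustrative; derive the real list from your own telemetry.
EXPECTED_PROCESSES = {
    "Discord": {"discord.exe", "chrome.exe", "firefox.exe", "msedge.exe"},
    "Microsoft Graph": {"onedrive.exe", "teams.exe", "outlook.exe", "msedge.exe"},
    "Amazon S3": {"backup-agent.exe", "aws.exe"},
}

LARGE_TRANSFER_BYTES = 1 * 1024 * 1024  # assumed threshold for the data-transfer audit

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>[^:\s]+):(?P<port>\d+) bytes_out=(?P<bytes>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    host: str
    proc: str
    service: str
    reason: str
    bytes_out: int


def classify_destination(dst):
    """Return the watched service for a destination host, or None if it is not watched.
    Suffix matching requires a dot boundary so 'discord.com.example' does not match."""
    dst = dst.lower().rstrip(".")
    for suffix, service in WATCHED_SUFFIXES.items():
        if dst == suffix or dst.endswith("." + suffix):
            return service
    return None


def parse_line(line):
    """Parse one telemetry line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_suspicious(lines):
    """Two checks: (1) a process outside the baseline reaching a watched service,
    (2) total outbound volume per host/process/service at or above LARGE_TRANSFER_BYTES."""
    findings = []
    volume = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        service = classify_destination(rec["dst"])
        if service is None:
            continue
        volume[(rec["host"], rec["proc"], service)] += rec["bytes"]
        if rec["proc"].lower() not in EXPECTED_PROCESSES[service]:
            findings.append(Finding(rec["host"], rec["proc"], service,
                                    "unexpected process", rec["bytes"]))
    for (host, proc, service), total in volume.items():
        if total >= LARGE_TRANSFER_BYTES:
            findings.append(Finding(host, proc, service, "large outbound volume", total))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{f.host:10} {f.proc:18} {f.service:16} {f.reason:24} {f.bytes_out} bytes")
```

On the constructed sample the script flags the unknown service binary on WS-0412 talking to Microsoft Graph (both for being outside the baseline and for moving just over 1 MiB), the updater process on a database server reaching Discord, and an IIS worker writing to an S3 bucket, while the browser, OneDrive client and backup agent pass. The allowlist is the part that carries the real value: a generic block on these services is rarely practical, so the baseline of which processes legitimately use them on which hosts is what turns this from noise into a useful alert.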
By systematically reviewing these communication channels and maintaining strict perimeter security, organizations can effectively disrupt the stealth mechanisms Webworm relies on.