• ESET Research uncovered and analyzed the latest activities and arsenal of China-aligned Webworm advanced persistent threat (APT) group.
• In 2025, the group started employing backdoors that use Discord and Microsoft Graph API for Command and Control (C&C) communication. ESET researchers decrypted over 400 Discord messages.
• Chief among their latest tools are two new backdoors: the Discord-based EchoCreep and the Microsoft Graph-based GraphWorm.
• Recently, Webworm shifted focus to target governmental organizations in Europe and made advances in South Africa.

BRATISLAVA, MONTREAL — May 21, 2026 —  ESET researchers analyzed the 2025 activity of Webworm, a China-aligned APT group that started out targeting organizations in Asia but has recently shifted its focus to Europe. ESET observed Webworm targeting government organizations in Belgium, Italy, Poland, Serbia, and Spain. At the same time, Webworm also made a foray into South Africa, compromising a local university. Since last year, the group has been employing backdoors that use Discord and Microsoft Graph API for C&C communication. ESET researchers decrypted over 400 Discord messages and discovered an attacker operated server used for reconnaissance against more than 50 unique targets.

“Through our analysis, we were fortunate enough to recover commands executed from a server that gave a view into the group’s potential initial access techniques, using an open-source vulnerability scanner as well as identifying some of its focused targets,” explains ESET researcher Eric Howard, who uncovered Webworm’s latest activity.

ESET attributes the 2025 campaign to Webworm based on information we discovered after decrypting the Discord messages used by the EchoCreep backdoor for C&C communication. The information led researchers to the attackers’ GitHub repository, which contained staged artifacts such as the SoftEther VPN application. Inside the SoftEther configuration file, we found an IP address that matches a known Webworm IP.

Chief among their latest tools are two new backdoors: the Discord-based EchoCreep and the Microsoft Graph-based GraphWorm. While the threat actors continued to use existing proxy solutions, they have also added custom proxy solutions in WormFrp, ChainWorm, SmuxProxy, and WormSocket. Based on the number of proxy tools and their complexities, Webworm may be creating a much larger hidden network by tricking victims into running its proxies.

Additionally, Webworm started abusing Discord and Microsoft Graph API as C&Cs. The EchoCreep backdoor uses Discord to upload files, send runtime reports, and receive commands. GraphWorm uses Microsoft Graph API for C&C communication; ESET researchers discovered that it uses OneDrive endpoints exclusively, specifically to get new jobs and to upload victim information.

“Furthermore, during our investigation of the 2025 campaigns, we discovered that Webworm had started using its custom proxy solution WormFrp to retrieve configurations from a compromised AWS S3 bucket, a public cloud storage solution available in Amazon Web Services, with the S3 standing for simple storage service. It is apparent that through this S3 bucket, Webworm can leverage data exfiltration while an unsuspecting victim foots the bill for the service,” says Howard. Between December 2025 and January 2026, the operators uploaded 20 new files to the service, two of which had been exfiltrated from a governmental entity in Spain. 

The group also continues to stage files at GitHub, and ESET assumes that they will keep doing so in the future.

For more technical details about Webworm’s newest activities and arsenal, check out the latest ESET Research blogpost “Webworm: New burrowing techniques,” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.

ESET® provides cutting-edge cybersecurity to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown—securing businesses, critical infrastructure, and individuals. Whether it’s endpoint, cloud, or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow our social media, podcasts, and blogs.