A China-backed persistent threat actor known as Webworm is targeting governmental organizations across Europe, and it’s using unusual command-and-control mechanisms to do so.
Security vendor ESET this week published research detailing recent activity surrounding Webworm, a China-aligned APT group first reported on in 2022. Although the group initially began targeting organizations in Asia, ESET’s Eric Howard wrote that the threat actor has shifted its focus to Europe, including governmental organizations in Belgium, Italy, Serbia, Spain, and Poland. Additional activity in South Africa has also been detected.
The research predominantly covers Webworm’s activities between early 2024 and early 2025, as well as how its tactics, techniques, and procedures (TTPs) have evolved since 2022. The threat actor originally relied on well-known malware families like McRat and Trochilus, though it has more recently pivoted toward existing and custom proxy tools. In these cases, which were mainly observed in 2024, Webworm relied on “legitimate or semi-legitimate tools, such as SOCKS proxies (SoftEther VPN) and other networking solutions.”
The downside to a lot of conventional, well-known malware is that it generally has signatures, artifacts, and traffic patterns that are easy for defenders to detect. Proxy tools, by contrast, are network tunneling tools that act as a middleman between victim and attacker. They are often more manual to operate and require the attacker to bring their own tooling, but they are generally much stealthier than the typical backdoor.
In 2025, however, Webworm introduced two new backdoors to its repertoire. One is EchoCreep, which uses the popular chat application Discord to facilitate command and control (C2). The other is GraphWorm, which relies on the Microsoft Graph API for C2. ESET also observed Webworm staging malware and tools in GitHub repositories so the attackers can easily download malware onto the victim’s machine.
Webworm’s Discord and Microsoft Graph C2
Webworm continues the trend of threat actors using novel approaches to facilitate C2. Creative C2 approaches seen over the last year or two include Google Calendar and the Solana blockchain.
ESET made its attribution based on its work decrypting Discord messages used by EchoCreep for C2, which ultimately led to a GitHub repository and the discovery of an IP address that matches a “known Webworm IP,” Howard wrote.
The research mainly covers Webworm’s 2025 activities, when it apparently abandoned Trochilus and McRat in favor of the new backdoors. The Chinese APT continues to use proxy solutions for encrypting communications as well as to support chaining between hosts internally and externally to a network. These proxy solutions include port forwarding and proxy tool iox as well as custom tools ChainWorm, SmuxProxy, WormFrp, and WormSocket.
“We believe that the operators use these tools in conjunction with SoftEther VPN to better cover their tracks and increase the stealth of their activities,” the blog post read. “All Webworm proxies and VPN services are cloud servers that belong to network infrastructure controlled by Vultr and IT7 Networks. Based on the number of proxy tools and their complexities, Webworm may be creating a much larger hidden network by tricking victims into running its proxies.”
As for the new backdoors, ESET found based on analyzing 400 Discord messages that EchoCreep uses the chat service to upload files, send runtime reports, and receive commands. Webworm also uses crafted HTTP requests to pass network communications through Discord’s API. For GraphWorm, the threat actor relies on OneDrive endpoints to get new jobs and upload victim information.
Different Discord servers are used for each EchoCreep victim, and similarly a different OneDrive directory for each GraphWorm victim.
Separately, the blog post noted that the threat actor “had started using its custom proxy solution WormFrp to retrieve configurations from a compromised Amazon S3 bucket,” further showing Webworm’s continuous commitment to evolving its techniques.
How Organizations Can Get in Front of Webworm
The initial access vector (as well as much of the attack chain) remains unclear, though Howard noted Webworm uses open source vulnerability scanners to scrape web server files and directories for bugs in a target’s network. This means that Webworm possibly targeted victims through vulnerabilities in their environment and deployed the backdoors post-compromise.
ESET’s blog post contains indicators of compromise.
In an email, Howard tells Dark Reading that although he can’t speak to what China is looking for from Europe or these victim environments, Webworm appears to be searching for pivot points or points of initial access to burrow “as far in as possible for the purposes of performing espionage.”
As for what European organizations can do, the ESET researcher makes two suggestions. One, as vulnerability discovery appears to be a key focus for Webworm, orgs should keep systems patched and limit the exposure of assets. Two, they should review communication activities from non-standard processes and applications to endpoints like Discord, Microsoft Graph, or S3.
“Organizations should also be cognizant of data transfers to the same endpoints,” he says, “especially when considering if it’s not a part of the standard workflow.”
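One way to act on that second suggestion, as an added example that is not part of ESET's research or Dark Reading's article: a small Python triage script that runs over constructed EDR-style connection records and flags the three endpoint families named above (Discord, Microsoft Graph, Amazon S3) when they are reached by a process outside an expected-process allowlist, and separately totals outbound bytes per host so unusual data transfers stand out. The log format, process names, and allowlist are assumptions to be adapted to your own telemetry.

```python
"""Flag SaaS endpoints contacted by non-standard processes (constructed sample data)."""
import re
from collections import defaultdict

# Constructed sample records, not from the ESET report:
# timestamp host process destination bytes_out
SAMPLE_LOG = """\
2025-03-01T09:12:01Z ws-17 Discord.exe discord.com 4210
2025-03-01T09:13:44Z ws-17 svchost.exe discord.com 188320
2025-03-01T09:14:02Z ws-22 Outlook.exe graph.microsoft.com 9800
2025-03-01T09:15:30Z ws-22 taskhostw.exe graph.microsoft.com 2500
2025-03-01T09:16:11Z srv-04 backup-agent.exe s3.amazonaws.com 52000000
2025-03-01T09:17:05Z srv-04 winlogon.exe s3.amazonaws.com 7300
"""

# Endpoints named in the article, mapped to processes expected to use them.
# The allowlist below is an assumption; tune it to your environment.
EXPECTED = {
    "discord.com": {"Discord.exe"},
    "graph.microsoft.com": {"Outlook.exe", "Teams.exe", "OneDrive.exe"},
    "s3.amazonaws.com": {"backup-agent.exe"},
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def parse(log):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, proc, dest, out = m.groups()
            yield {"ts": ts, "host": host, "proc": proc, "dest": dest, "bytes_out": int(out)}

def watched_endpoint(dest):
    """Return the watched endpoint that dest equals or is a subdomain of, else None."""
    for ep in EXPECTED:
        if dest == ep or dest.endswith("." + ep):
            return ep
    return None

def find_anomalies(log, upload_threshold=100_000):
    """Return (records from unexpected processes, per-host byte totals over threshold)."""
    hits, totals = [], defaultdict(int)
    for rec in parse(log):
        ep = watched_endpoint(rec["dest"])
        if ep is None:
            continue
        totals[(rec["host"], ep)] += rec["bytes_out"]
        if rec["proc"] not in EXPECTED[ep]:
            hits.append(rec)
    heavy = {k: v for k, v in totals.items() if v >= upload_threshold}
    return hits, heavy
```

Both outputs need an analyst's review: a legitimate process reaching these endpoints is expected, so the value lies in the process and volume that are not part of the standard workflow.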
