Webworm widens Europe cyber espionage push

China-linked cyber espionage group Webworm has shifted its operational focus from Asia towards Europe, targeting government organisations while adding new backdoors, stealthier proxy tools and cloud-based command channels to its arsenal.

The activity marks a notable broadening of a group first publicly identified in 2022, when its operations were largely associated with targets in Asia. Its 2025 campaigns show a clear move into European government networks, with activity observed against organisations in Belgium, Italy, Poland, Serbia and Spain. South Africa also appeared in the group’s target list after the compromise of a university.

Webworm’s evolution reflects a wider pattern among state-aligned cyber groups: replacing noisy malware with tools that blend into ordinary enterprise traffic. The group once relied on established remote access tools such as McRat, also known as 9002 RAT, and Trochilus. Its newer campaigns show a stronger preference for proxy utilities, virtual private network infrastructure, cloud storage and collaboration platforms that are widely used by legitimate organisations.

Two new backdoors, EchoCreep and GraphWorm, are central to the campaign. EchoCreep, written in Go, uses Discord for command-and-control communication, enabling operators to upload files, download payloads, execute shell commands and adjust sleep intervals. More than 400 decrypted Discord messages exposed operator activity, including evidence of command testing, file downloads and victim-specific channels.

GraphWorm uses Microsoft Graph API and OneDrive endpoints to receive commands and upload victim information. The malware creates unique folders for each compromised machine, using subdirectories for files, command results and operator jobs. Its capabilities include command execution, file transfer, persistence through registry changes and encrypted communication designed to obscure network activity.

The use of Discord and Microsoft cloud services underlines a challenge for defenders. Traffic to mainstream platforms may not immediately trigger alarms, particularly in government environments where cloud collaboration tools are part of daily work. Attackers can exploit this trust to hide command traffic inside permitted channels, raising the cost of detection for security teams.
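Detection logic for the situation described above, as an added example that is not part of the original article: given proxy log events, flag (1) Discord or Microsoft Graph API traffic from processes that are not approved clients for those services and (2) request series with near-constant spacing, the footprint of a fixed sleep interval. The log lines, hostnames, process names, URL paths and the list of approved clients are all constructed for the example.

```python
"""Hunt for C2 hidden in Discord / Microsoft Graph traffic (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed proxy log, not real telemetry. Fields: time host process destination path
LOG = """\
2025-03-04T09:00:00Z ws-17 Discord.exe discord.com /api/v9/gateway
2025-03-04T09:00:01Z ws-17 svchost.exe discord.com /api/v10/channels/000/messages
2025-03-04T09:01:01Z ws-17 svchost.exe discord.com /api/v10/channels/000/messages
2025-03-04T09:02:01Z ws-17 svchost.exe discord.com /api/v10/channels/000/messages
2025-03-04T09:03:01Z ws-17 svchost.exe discord.com /api/v10/channels/000/messages
2025-03-04T09:05:00Z ws-22 OUTLOOK.EXE graph.microsoft.com /v1.0/me/messages
2025-03-04T09:05:30Z ws-22 updater.exe graph.microsoft.com /v1.0/me/drive/root:/ws-22/jobs:/children
2025-03-04T09:06:30Z ws-22 updater.exe graph.microsoft.com /v1.0/me/drive/root:/ws-22/results:/content
2025-03-04T09:07:30Z ws-22 updater.exe graph.microsoft.com /v1.0/me/drive/root:/ws-22/jobs:/children
"""

# Hypothetical allow-list: which local processes are expected to talk to each service
EXPECTED_CLIENTS = {
    "discord.com": {"Discord.exe"},
    "graph.microsoft.com": {"OUTLOOK.EXE", "Teams.exe", "OneDrive.exe"},
}

def parse_log(text):
    """Turn whitespace-separated log lines into event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dest, path = line.split(maxsplit=4)
        events.append({"time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "host": host, "process": proc, "dest": dest, "path": path})
    return events

def unexpected_process_hits(events):
    """(host, process, dest) tuples where a monitored cloud API was reached by a non-approved process."""
    hits = set()
    for e in events:
        allowed = EXPECTED_CLIENTS.get(e["dest"])
        if allowed is not None and e["process"] not in allowed:
            hits.add((e["host"], e["process"], e["dest"]))
    return hits

def beaconing(events, min_requests=3, max_jitter=5.0):
    """(host, process, dest, mean_gap_s) for series whose inter-request gaps vary <= max_jitter seconds."""
    series = defaultdict(list)
    for e in events:
        series[(e["host"], e["process"], e["dest"])].append(e["time"])
    found = []
    for key, times in series.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:          # near-constant spacing suggests a sleep timer
            found.append(key + (sum(gaps) / len(gaps),))
    return found
```

Both checks are noisy on their own; the combination (unapproved process plus periodic cadence to a collaboration API) is the pattern worth escalating.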

Webworm’s infrastructure also relied on GitHub staging. A repository disguised as a fork of the WordPress project hosted malware and tools for direct download onto compromised systems. This tactic allows malicious files to appear within a familiar developer ecosystem, reducing suspicion and making takedown dependent on platform response.

The group’s proxy layer has also become more elaborate. Alongside open-source tools such as SoftEther VPN, iox and frp, Webworm deployed custom utilities including WormFrp, ChainWorm, SmuxProxy and WormSocket. These tools support encrypted communication, chained proxy connections and traffic forwarding across multiple hosts. The result is a hidden network that can move through compromised infrastructure while distancing operators from victim machines.

A compromised Amazon S3 bucket was used to retrieve configurations and may have supported data exfiltration. Files discovered there included virtual machine snapshots linked to a government entity in Italy, as well as material connected to a Spanish government organisation. Among the exposed items were saved remote-connection configurations and a Microsoft Visio diagram describing infrastructure behind a government domain.

The suspected entry methods point to web-facing assets. Operator directories contained evidence of open-source scanners such as dirsearch and nuclei, used to probe servers for files, directories and vulnerabilities. A proof-of-concept exploit for a SquirrelMail vulnerability was also present, with signs it may have been used against a Serbian webmail target after credentials had been obtained.

Webworm’s target geography suggests an interest in diplomatic, administrative and infrastructure-linked intelligence rather than financial gain. European government systems hold policy material, internal communications, credentials, network diagrams and access routes into wider institutional ecosystems. Such access can be valuable for long-term intelligence collection, influence mapping and preparation for future operations.

Attribution remains complex in cyber operations, but Webworm is assessed as China-aligned and has links to other groups tracked as SixLittleMonkeys and FishMonger. Its tooling and target choices place it within a broader pattern of espionage operations associated with Beijing’s strategic priorities. China has repeatedly rejected allegations that it sponsors cyber espionage, while accusing other governments of politicising cyber incidents.

The campaign also shows how advanced persistent threat groups are adapting to stronger endpoint detection. Instead of relying only on bespoke malware, operators increasingly use a blend of public cloud services, open-source utilities, legitimate remote access tools and custom implants. This approach can complicate incident response because some components appear benign when viewed in isolation.