Webworm APT Group’s Evolving Techniques in 2025
TL;DR
ESET researchers detail the ongoing activities of the China-aligned APT group Webworm, which has shifted focus from Asian targets to Europe in 2025. The group has adopted new tactics, including the use of Discord and Microsoft Graph API for command-and-control communications.
Main Analysis
Webworm, actively monitored by ESET researchers, has evolved significantly since its discovery in 2022. Initially targeting organizations in Asia, the group has now set its sights on Europe, compromising governmental organizations in countries such as Belgium, Italy, and Poland, as well as institutions in South Africa. This change reflects their adaptability and desire to pursue new victims in different geographic regions.
In the latest campaigns, Webworm has introduced two new backdoors, EchoCreep and GraphWorm, which carry out command-and-control over unconventional channels, namely Discord and the Microsoft Graph API. EchoCreep uses Discord to receive commands and upload files; ESET decrypted over 400 messages that detail the group’s operations and targeted victims. GraphWorm, on the other hand, operates exclusively through OneDrive, uploading data and executing jobs within Microsoft’s cloud infrastructure. This method is particularly noteworthy because it facilitates exfiltration while hiding behind legitimate services.
The group continues to rely on custom and open-source proxy tools to enhance its stealth, notably transitioning from traditional remote access tools such as McRat to lightweight proxy utilities. Its proxy tools, including WormFrp and SmuxProxy, provide encrypted communications and multi-hop routing, effectively building larger covert networks. The staging of malicious tools in publicly accessible repositories such as GitHub further illustrates the group’s audacious approach to operational security and tool delivery.
Defensive Context
Organizations, especially governmental and educational entities within Europe and Southern Africa, should be aware of Webworm’s evolving tactics and operational methods. The group’s preference for widely used services as command-and-control channels poses unique detection challenges, since the traffic blends in with legitimate use. Organizations that rely on Discord or the Microsoft Graph API could be particularly at risk, especially where these platforms are integrated into everyday workflows.
Potential victims realistically exposed include sectors dealing with sensitive data or governmental operations that utilize cloud services like OneDrive. Conversely, organizations that do not rely heavily on these services might find themselves less vulnerable to this specific threat.
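As an added illustration that is not part of the ESET report or this summary, the following Python sketch shows one way a defender could act on the points above: it refangs the indicators listed at the end of this post and flags connections to Discord or the Graph API from processes that have no business talking to them. The log format, the process allowlist and the sample log lines are constructed assumptions, not telemetry from the report.

```python
"""Flag traffic to the Webworm IOCs and to Discord / Microsoft Graph from
unexpected processes. Log format and process allowlist are assumptions."""
import re

# Indicators quoted in this post, kept in defanged '[.]' form
DEFANGED_IOCS = {
    "64.176.85[.]158": "SmuxProxy server",
    "45.77.13[.]67": "WormSocket web socket server",
    "104.243.23[.]43": "WormFrp proxy server",
    "wamanharipethe.s3.ap-south-1.amazonaws.com": "staging bucket",
}

# Legitimate services abused for C2 per the report: normal from a browser
# or the official client, suspicious from anything else (assumed allowlist).
ABUSED_SERVICES = {
    "discord.com": {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
    "graph.microsoft.com": {"outlook.exe", "onedrive.exe", "teams.exe",
                            "msedge.exe", "chrome.exe"},
}

def refang(indicator: str) -> str:
    """Turn the report's '[.]' notation back into a matchable host or IP."""
    return indicator.replace("[.]", ".")

IOCS = {refang(k): v for k, v in DEFANGED_IOCS.items()}

# Constructed log format: "<timestamp> <host> <process> <dst_host> <dst_port>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def analyse(lines):
    """Return (reason, line) for every line that deserves analyst attention."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the run
        _ts, _src, proc, dst, _port = m.groups()
        if dst in IOCS:
            hits.append((f"known Webworm IOC ({IOCS[dst]})", line))
        elif dst in ABUSED_SERVICES and proc.lower() not in ABUSED_SERVICES[dst]:
            hits.append((f"{dst} contacted by unexpected process {proc}", line))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    "2025-03-01T10:00:00Z ws01 chrome.exe discord.com 443",
    "2025-03-01T10:00:05Z ws01 svchost.exe discord.com 443",
    "2025-03-01T10:01:00Z ws02 onedrive.exe graph.microsoft.com 443",
    "2025-03-01T10:02:00Z ws03 rundll32.exe graph.microsoft.com 443",
    "2025-03-01T10:03:00Z ws03 rundll32.exe 64.176.85.158 443",
]
```

The process allowlist is the part that needs tuning per environment; the point is that a known-bad IP is a certain hit, while a legitimate cloud endpoint only becomes interesting in combination with who is talking to it.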
Why This Matters
Webworm’s shift toward stealthier tools and cloud-based communication reflects a strategic pivot in the APT landscape, warranting increased vigilance from organizations likely to be targeted. As the group continues to refine its methods, understanding their tactics will be crucial for anticipating future activities and implementing appropriate defenses.
Indicators of Compromise (IOCs)
- Backdoors:
  - EchoCreep (SHA-1: CB4E5043333670738142…F59C3CBE8D497D98)
  - GraphWorm (SHA-1: 77F1970D620216C5FFF4E14A…)
- Compromised Amazon S3 bucket:
  - wamanharipethe.s3.ap-south-1.amazonaws.com
- IP addresses of interest:
  - 64.176.85[.]158 – SmuxProxy server
  - 45.77.13[.]67 – WormSocket web socket server
  - 104.243.23[.]43 – WormFrp proxy server