China-Aligned ‘Webworm’ APT Group Shifts Focus to Europe, Deploying Stealthy Cloud-Based Arsenal

The threat landscape around China-aligned Advanced Persistent Threat (APT) groups continues to evolve, as the recent tactical shifts in campaigns run by the Webworm threat actor show. Historically focused on targets across Asia since Symantec first documented it publicly in 2022, Webworm (which shares strong operational and tactical links with state-sponsored clusters such as SixLittleMonkeys and FishMonger) has made a deliberate geopolitical pivot. In reporting windows extending into late 2025, security researchers recorded a systematic move of Webworm’s attention away from Asian entities and toward European critical infrastructure, with compromises of governmental organizations in Belgium, Italy, Serbia, and Poland, alongside an expanding operational footprint in South Africa that included the compromise of a major local university. The geographic shift is accompanied by an overhaul of the group’s tactics, techniques, and procedures (TTPs). Webworm has abandoned its legacy payload architecture, which relied on signature-heavy remote access trojans (RATs) such as McRat (9002 RAT) and Trochilus, in favour of custom proxy utilities and living-off-the-cloud backdoors built to evade endpoint detection and blend in with legitimate enterprise web traffic.

Initial Access Mechanics and Reconnaissance Frameworks

Webworm’s initial access tradecraft relies on automated reconnaissance, brute-forcing of public-facing web directories, and vulnerability scanning run from centrally hosted open-source tooling. Network telemetry uncovered an operator-controlled proxy server exposing an open web directory on port 80 at the IP address 64.176.85[.]158, which served as a staging point for the group’s external scanning tools. Analysis of the server’s .bash_history file and logs showed that Webworm makes extensive use of dirsearch, a web path scanner, to brute-force path enumeration against 56 unique target organizations located in Spain, Hungary, Belgium, Nigeria, Czechia, and Serbia. In parallel, the operators use the nuclei vulnerability scanning framework to identify exploitable entry points in target infrastructure. A notable artifact recovered from the nuclei repository was a LegalHackers shell script named _1.sh, a verified proof-of-concept exploit for CVE-2017-7692, a post-authentication remote code execution (RCE) flaw in the SquirrelMail webmail client. The bash history confirmed that the threat actor deployed this exploit against a Serbian webmail target after harvesting or otherwise compromising valid credentials, illustrating a methodical approach to perimeter exploitation and initial access.
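The dirsearch activity described above leaves a distinctive footprint in web server access logs: one source requesting many distinct paths within seconds, most of which return 404. The following Python script is an added detection example written for this page, not tooling from the report or from any vendor; the log lines, IP addresses, paths and thresholds are all constructed and should be tuned to the site being monitored.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of combined-format web access-log lines. The IPs, paths
# and timestamps are invented; 203.0.113.10 models a wordlist scanner that
# requests many distinct paths in seconds and mostly receives 404s.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Nov/2025:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Nov/2025:10:00:01 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Nov/2025:10:00:01 +0000] "GET /backup/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Nov/2025:10:00:02 +0000] "GET /old/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Nov/2025:10:00:02 +0000] "GET /manager/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Nov/2025:10:00:02 +0000] "GET /dev/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Nov/2025:10:00:03 +0000] "GET /uploads/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Nov/2025:10:00:03 +0000] "GET /webmail/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Nov/2025:10:00:03 +0000] "GET /login/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Nov/2025:10:00:04 +0000] "GET /test/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Nov/2025:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Nov/2025:10:00:06 +0000] "GET /about.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"],
            "status": int(m["status"]),
        })
    return events


def find_path_bruteforce(events, window=timedelta(minutes=5), min_paths=8, min_404_ratio=0.8):
    """Return {ip: stats} for sources that, inside one sliding window, requested at least
    min_paths distinct paths with a 404 share of at least min_404_ratio. For each source the
    widest qualifying window is reported."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(evs)):
            # advance the window start so that all events in evs[start:end+1] fit in `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            paths = {e["path"] for e in win}
            ratio = sum(1 for e in win if e["status"] == 404) / len(win)
            if len(paths) >= min_paths and ratio >= min_404_ratio:
                if best is None or len(paths) > best["distinct_paths"]:
                    best = {"distinct_paths": len(paths), "not_found_ratio": round(ratio, 2),
                            "window_start": win[0]["ts"].isoformat()}
        if best:
            hits[ip] = best
    return hits


if __name__ == "__main__":
    for ip, stats in find_path_bruteforce(parse_log(SAMPLE_LOG)).items():
        print(f"possible path brute-force from {ip}: {stats}")
```

The heuristic keys on behaviour rather than on a User-Agent string, since scanners can set any agent they like. A real deployment would raise the thresholds for busy sites, exclude known crawler ranges, and feed the hits into a block list or a SIEM alert rather than printing them.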

Inside the 2025 Toolkit: In-Depth Analysis of EchoCreep and GraphWorm

Once it has a foothold in a victim’s network, Webworm deploys two custom backdoors that use legitimate commercial cloud APIs for command and control (C&C). The first, EchoCreep, is a custom Go binary that abuses Discord’s API to slip past ordinary outbound firewall controls. EchoCreep carries its traffic in crafted HTTP requests routed through distinct Discord channels, each mapped to a specific victim. Channels are named after the victim’s external IP address, or a combination of that IP address and the internal hostname; analysts identified at least four unique victim channels across 433 decrypted operator messages. To frustrate network-layer inspection, incoming operator commands are base64 decoded and then decrypted with AES-CBC-128. EchoCreep implements a small set of native commands: upload, which exfiltrates selected local files as Discord attachments; download, which fetches second-stage payloads from a given URL into a local directory; shell, which runs a string in a native cmd.exe environment; and sleep, which adjusts the beacon interval.

Complementing EchoCreep is GraphWorm, a stealthy backdoor that establishes persistence by configuring itself to run whenever the infected user logs into the workstation. GraphWorm talks to its C&C layer through the Microsoft Graph API, keeping its operational parameters inside an attacker-controlled Microsoft Graph cloud tenant and using Microsoft OneDrive endpoints exclusively to retrieve tasking and upload intelligence about the victim host. On first execution, GraphWorm queries Windows Management Instrumentation (WMI) for the local network adapter IP address, the processor ID, and the device serial number, and concatenates these strings into a globally unique victim ID. That ID names a folder that the backdoor creates or selects in the attacker’s OneDrive tenant. Each victim folder is split into three functional subdirectories: /files for exfiltration staging, /result to hold command output, and /job to receive new job queues from the operators. All data strings are encrypted with AES-256-CBC through native OpenSSL EVP library calls before they are base64 serialized for transit to the cloud.
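Both backdoors hide in traffic to services that most enterprises cannot block outright, so detection has to key on which process is talking to the service and on the structure of what it touches. The Python script below is an added example written for this page, not tooling from the report: it runs two checks over constructed per-process HTTP telemetry (the JSON lines, host names, process names and the victim-ID folder name are all invented), flagging Discord API use by non-allowlisted processes and any OneDrive folder in which the /files, /result and /job triad described above appears together.

```python
import json
import re
from collections import defaultdict

# Constructed JSON-lines sample of per-process outbound HTTP telemetry, the kind an
# EDR agent or an authenticating proxy can produce. Every value is invented for this
# example; the folder name on ws04 merely imitates an "IP-processor-serial" victim ID.
SAMPLE_EVENTS = """\
{"host":"ws01","process":"chrome.exe","dst":"discord.com","path":"/api/v9/channels/1/messages"}
{"host":"ws02","process":"svchost_update.exe","dst":"discord.com","path":"/api/v9/channels/2/messages"}
{"host":"ws02","process":"svchost_update.exe","dst":"discord.com","path":"/api/v9/channels/2/messages"}
{"host":"ws03","process":"OneDrive.exe","dst":"graph.microsoft.com","path":"/v1.0/me/drive/root:/Documents/report.docx:/content"}
{"host":"ws04","process":"winlogon_helper.exe","dst":"graph.microsoft.com","path":"/v1.0/me/drive/root:/10.0.0.5-BFEBFBFF000906EA-SN123/job:/children"}
{"host":"ws04","process":"winlogon_helper.exe","dst":"graph.microsoft.com","path":"/v1.0/me/drive/root:/10.0.0.5-BFEBFBFF000906EA-SN123/result/cmd1.txt:/content"}
{"host":"ws04","process":"winlogon_helper.exe","dst":"graph.microsoft.com","path":"/v1.0/me/drive/root:/10.0.0.5-BFEBFBFF000906EA-SN123/files/hostinfo.txt:/content"}
"""

# Processes expected to use the Discord API in this (assumed) environment; anything
# else reaching discord.com/api/ is worth a look.
DISCORD_ALLOWED = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Subdirectory names GraphWorm creates under each victim folder, per the report.
GRAPHWORM_SUBDIRS = {"files", "result", "job"}

# Graph drive paths look like /v1.0/me/drive/root:/<top folder>/<child>...:/content
DRIVE_PATH_RE = re.compile(r"/drive/root:/(?P<top>[^/:]+)/(?P<sub>[^/:]+)")


def load_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_discord_api(events):
    """Unique (host, process) pairs that call the Discord API from a non-allowlisted image."""
    return sorted({
        (e["host"], e["process"]) for e in events
        if e["dst"] == "discord.com"
        and e["path"].startswith("/api/")
        and e["process"].lower() not in DISCORD_ALLOWED
    })


def flag_graphworm_layout(events):
    """(host, process, folder) triples where one OneDrive top-level folder, accessed by one
    process, contains all three GraphWorm subdirectories."""
    seen = defaultdict(set)
    for e in events:
        if e["dst"] != "graph.microsoft.com":
            continue
        m = DRIVE_PATH_RE.search(e["path"])
        if m:
            seen[(e["host"], e["process"], m["top"])].add(m["sub"].lower())
    return sorted(key for key, subs in seen.items() if GRAPHWORM_SUBDIRS <= subs)


if __name__ == "__main__":
    events = load_events(SAMPLE_EVENTS)
    for host, proc in flag_discord_api(events):
        print(f"[discord] {host}: {proc} is using the Discord API")
    for host, proc, folder in flag_graphworm_layout(events):
        print(f"[graph]   {host}: {proc} maintains files/result/job under '{folder}'")
```

Process-name allowlists are only as good as the telemetry behind them, since a malicious binary can be named after a browser; pairing the process name with a signer or hash check, and correlating with the tenant ID in the Graph traffic (a corporate device talking to a tenant that is not the organization’s own), tightens both rules considerably.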

Custom Proxy Chains, Multi-Host Obfuscation, and Staging Infrastructures

Beyond its backdoor implants, Webworm’s operational signature relies heavily on layered network proxies built to mask its origin and evade security monitoring. The threat actors use legitimate SOCKS proxy utilities such as SoftEther VPN alongside open-source networking tools such as iox (intranet port forwarding and proxying) and frp (fast reverse proxy) to establish flexible pivot paths inside compromised infrastructure. To improve stealth in 2025, Webworm supplemented these with four custom-coded proxy variants: WormFrp, ChainWorm, SmuxProxy, and WormSocket. These custom proxies encrypt multi-layered traffic and support multi-host chaining topologies across internal and external network segments, using external cloud infrastructure controlled through providers such as Vultr and IT7 Networks.

For distribution and payload delivery, the group stages its malware binaries in a deceptive GitHub repository at https://github[.]com/anjsdgasdf/WordPress. Created as a direct fork of the legitimate open-source WordPress repository, it evades reputation-based URL filtering while serving second-stage tools hidden inside the /wp-admin directory. Webworm also used compromised cloud storage for data exfiltration, specifically an unauthenticated or misconfigured Amazon S3 bucket at wamanharipethe.s3.ap-south-1.amazonaws[.]com (identified as a compromised iteration of whpjewellers.s3.amazonaws[.]com). Through its WormFrp proxy, the group stored virtual machine snapshots stolen from an Italian governmental body in this bucket, alongside an executable named SharpSecretsdump, which replicates the functionality of Impacket’s secretsdump.py to dump local credentials on targeted Windows endpoints. Between December 2025 and January 2026, the attackers exfiltrated 20 further highly sensitive files from a Spanish government entity into the same bucket. These included XML configuration files holding saved connection details from the mRemoteNG connection manager, and a detailed Microsoft Visio diagram mapping the affected entity’s entire corporate network domain architecture.
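The bucket abused here is described as unauthenticated or misconfigured, which in practice usually means a bucket policy or ACL that grants anonymous principals listing or read access. The Python script below is an added example written for this page, not a tool from the report or from AWS: it audits a bucket policy document offline, showing a weak policy (anonymous ListBucket and GetObject) beside a hardened one scoped to a single IAM role. The bucket name, account ID and role name are placeholders.

```python
import json

# Constructed weak policy: an unconditional Allow to every principal ("*") for
# listing the bucket and reading its objects, which is what makes a bucket usable
# as an anonymous drop site. Names and account IDs are placeholders.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Constructed hardened policy: only one named role may write, nobody anonymous may
# list or read.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
        "Action": ["s3:PutObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

LISTING_ACTIONS = {"s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_public_principal(principal):
    """True for Principal "*" or any principal map whose values include "*"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_grants(policy_json):
    """Return (action, resource) pairs that an anonymous caller receives through an
    unconditional Allow statement. Statements with a Condition block are skipped and
    should be reviewed by hand rather than assumed safe."""
    policy = json.loads(policy_json)
    grants = []
    for statement in _as_list(policy.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        if not is_public_principal(statement.get("Principal")):
            continue
        if statement.get("Condition"):
            continue
        for action in _as_list(statement.get("Action")):
            for resource in _as_list(statement.get("Resource")):
                grants.append((action, resource))
    return grants


def allows_anonymous_listing(policy_json):
    """True if any public grant permits listing bucket contents."""
    return any(action.lower() in LISTING_ACTIONS for action, _ in public_grants(policy_json))


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        grants = public_grants(doc)
        print(f"{name}: {len(grants)} anonymous grant(s), "
              f"anonymous listing={allows_anonymous_listing(doc)}")
        for action, resource in grants:
            print(f"  {action} on {resource}")
```

A bucket policy is only one of the ways a bucket becomes public; object ACLs and the account-level S3 Block Public Access settings must be checked as well, and enabling Block Public Access is the simplest way to make the weak policy above ineffective regardless of how it was written.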

Our Opinion on the Webworm Threat Landscape

The strategic evolution of the Webworm APT group represents a profound and alarming shift in modern state-sponsored cyber espionage. By pivoting away from signature-heavy, custom-compiled payloads like Trochilus and McRat and embracing ubiquitous public cloud services, including Discord APIs, Microsoft Graph endpoints, and GitHub code repositories, Webworm has weaponized the trust implicit in modern enterprise communications. Blending command-and-control operations into everyday corporate SaaS workflows renders traditional perimeter detection models and signature-based endpoint detection and response (EDR) rules largely ineffective. Enterprises cannot easily block these cloud providers without severely disrupting internal operations, which is exactly what the threat actors rely on.

Furthermore, the deployment of custom multi-host proxy utilities like WormFrp and ChainWorm, paired with the exploitation of misconfigured third-party assets such as public Amazon S3 buckets, demonstrates mature infrastructure engineering. This reinforces that passive perimeter defense is obsolete. Security teams must adapt by running behavior-centric network hunting programs, enforcing Zero Trust architecture principles, establishing deep visibility into application API calls, and rigorously auditing corporate cloud storage exposure. Webworm’s calculated operations against European governmental organizations point to a long-term, high-stakes collection campaign that demands an immediate, unified response from the global defensive community.