ESET researchers analyzed the 2025 activity of Webworm, a China-aligned APT group that started out targeting organizations in Asia but has recently shifted its focus to Europe. Even though this is our first public blogpost on the group, we have been observing Webworm's activities ever since Symantec first reported on this threat actor in 2022. Over the years, we have seen this threat actor frequently change its tactics, techniques, and procedures (TTPs).
Webworm is linked to other China-aligned APT groups such as SixLittleMonkeys and FishMonger. In the past, it made use of well-known malware families such as McRat (aka 9002 RAT) and Trochilus, though recently it has started moving toward both existing and custom proxy tools, which are stealthier than full-fledged backdoors. In 2025, Webworm also added two new backdoors to its toolset: EchoCreep, which uses Discord for C&C communication, and GraphWorm, which uses the Microsoft Graph API for the same purpose. The group is also known for staging its malware and tools in GitHub repositories, so that the malware can be downloaded directly onto the victim's machine.
Key points of the blogpost:
- Since its discovery in 2022, the Webworm APT group has been actively updating its toolset and targeting.
- In 2025, the group started using backdoors that rely on Discord and the Microsoft Graph API for C&C communication.
- ESET researchers decrypted over 400 Discord messages and found a bash history file on an operator server containing reconnaissance commands used against more than 50 unique targets.
- In addition to backdoors, Webworm leverages several existing and custom proxy tools.
- The group uses GitHub to stage its malware.
We attribute the 2025 campaign to Webworm based on the information we discovered after decrypting the Discord messages used by the EchoCreep backdoor for C&C communication. That information led us to the attackers' GitHub repository, which contained staged artifacts such as the SoftEther VPN tool. Inside the SoftEther configuration file, we found an IP address that matches a known Webworm IP.
Victims impacted by Webworm in the countries mentioned later in this blogpost have been notified. In addition, services we identified, such as a GitHub repository and an S3 bucket, have been taken down.
Evolving approach
In 2022, one of Webworm's main characteristics was the use of established backdoors and remote access trojans (RATs) such as McRat and Trochilus. As described in the Symantec blogpost, the group initially targeted primarily countries in Asia.
In 2024, we observed the group start to move away from traditional backdoors in favor of legitimate or semi-legitimate tools, such as SOCKS proxies (SoftEther VPN) and other networking solutions. While these help Webworm evade detection, they also lack the full set of commands typically available in backdoors, so the operators have to rely on command interpreters such as cmd.exe or powershell.exe.
At that time, we also observed the group slow down its operations in Asia and shift its focus toward European countries. This trend continued in 2025, with the attacks we observed targeting governmental organizations in Belgium, Italy, Serbia, and Poland. At the same time, Webworm also made a foray into South Africa, compromising a local university.
In these latest campaigns, Webworm appears to have abandoned Trochilus and McRat altogether, while continuing to expand its toolset. Chief among the new tools are two new backdoors: the Discord-based EchoCreep and the Microsoft Graph-based GraphWorm. While the group continued to use existing proxy solutions, specifically the Go-written iox (port forwarding and intranet proxy tool) and frp (fast reverse proxy), it also added the custom proxy solutions WormFrp, ChainWorm, SmuxProxy, and WormSocket.
These custom proxy tools are not only capable of encrypting communications, but also support chaining across multiple hosts, both inside and outside a network. We believe that the operators use these tools in conjunction with SoftEther VPN to better cover their tracks and increase the stealth of their activities. All Webworm proxies and VPN services are cloud servers that belong to network infrastructure managed by Vultr and IT7 Networks. Based on the number of proxy tools and their complexity, Webworm may be building a much larger hidden network by tricking victims into running its proxies.
Discord and Microsoft Graph API C&C communication
In 2025, Webworm started abusing Discord and the Microsoft Graph API for C&C communication. While analyzing the EchoCreep backdoor, we managed to uncover more than 400 Discord messages. We also found four unique channels, each corresponding to a different victim. EchoCreep uses Discord to upload files, send runtime reports, and receive commands. The backdoor's network communication passes through Discord APIs using crafted HTTP requests.
In the case of GraphWorm, which uses the Microsoft Graph API for C&C communication, we discovered that it uses OneDrive endpoints exclusively, specifically to fetch new jobs and to upload victim information. A separate OneDrive directory is created for each victim. Since the OneDrive instance employed by GraphWorm is running in the cloud, the backdoor can leverage the Microsoft Graph API endpoint /createUploadSession to upload large, staged files.
Amazon S3 bucket
During our investigation of the 2025 campaigns, we discovered that Webworm had started using its custom proxy solution WormFrp to retrieve configurations from a compromised Amazon S3 bucket located at wamanharipethe.s3.ap-south-1.amazonaws[.]com. An Amazon S3 bucket is a public cloud storage solution available in Amazon Web Services, with S3 standing for Simple Storage Service. We believe that the compromised bucket is the publicly accessible, and possibly policy-misconfigured, counterpart of whpjewellers.s3.amazonaws[.]com.
Our preliminary analysis of the files stored in the bucket revealed several snapshots of virtual machine hosts, one of which contained the current configuration and running state of a machine belonging to a governmental entity in Italy. This could mean that the operators were able to penetrate the environment responsible for managing the victim's virtual machines. However, they might just as well have gained access to only a single host where the snapshots were stored. Either way, it is apparent that through this S3 bucket, Webworm can exfiltrate data while an unsuspecting third party foots the bill for the service.
In late October 2025, the threat actors uploaded another file to the S3 bucket, an executable named SharpSecretsdump. This tool, as stated in its documentation, mimics the activity of the infamous secretsdump.py from Impacket to dump credentials from the Windows host it is deployed on. We assume that Webworm operators uploaded this tool to the S3 bucket for use against their victims.
Between December 2025 and January 2026, the operators uploaded 20 new files to the service, two of which were exfiltrated from a governmental entity in Spain. The first of these two files, an XML file, contains the saved configurations of virtual hosts used by mRemoteNG, an open-source remote connection manager. The second file is a Microsoft Visio diagram detailing the infrastructure behind a domain used by this governmental entity.
GitHub repository
While going over EchoCreep's Discord C&C infrastructure, we managed to retrieve Discord's unique identifiers for users, channels, and guilds. Unfortunately, given the limited permissions of the bot's token, there were no API calls that could be used to enumerate information about the owners of the server or of the bot itself.
However, the Discord messages revealed the GitHub repository https://github[.]com/anjsdgasdf/WordPress, which acts as a file stager for other tools and malware used by Webworm (one such tool used the compromised Amazon S3 bucket mentioned above). As a direct fork of the legitimate WordPress repository, it can hide in plain sight. Figure 1 shows an overview of this repository, with staged files placed in the wp-admin directory.

Worming its way in
Even though we were unable to find the entry point that Webworm uses to compromise its victims, we discovered that the group employs open-source utilities to scrape victim web server files and directories and to search them for vulnerabilities.
We discovered this after noticing that a victim machine was communicating with a proxy server hosted at 64.176.85[.]158. Review of the IP address showed that an open directory, which contained the aforementioned open-source utilities, had previously been hosted there on port 80. Figure 2 provides a top-level view of this open directory listing.

The key directories relevant to this blogpost are nuclei/, .dirsearch/, and the .bash_history file. As can be seen in Figure 3, Webworm operators brute-forced directories and files on web servers using dirsearch, a web path scanner capable of filtering on specific HTTP status codes, and used nuclei, an open-source vulnerability scanner, to identify possible vulnerabilities in specific targets.

The results of running dirsearch were saved in the .dirsearch directory, which revealed that the tool had been executed against 56 targets from a variety of countries, such as Spain, Hungary, Belgium, Nigeria, Czechia, and Serbia.
In the nuclei directory, we found the LegalHackers script, named _1.sh. It is a proof-of-concept exploit for CVE-2017-7692, a vulnerability allowing post-authentication remote code execution in the SquirrelMail webmail client. Looking in the .bash_history file, we discovered that a similarly named script had been executed against a Serbian webmail target. This leads us to assume that the group obtained the Serbian victim's credentials and may have been using this vulnerability as part of initial access.
Toolset
In this blogpost, we look in detail at the new additions to Webworm's arsenal. First, at its two custom backdoors: EchoCreep and GraphWorm. Then, at the custom proxy solutions that the group deployed in its 2025 campaigns: WormFrp, ChainWorm, SmuxProxy, and WormSocket.
EchoCreep
EchoCreep is a new backdoor, written in Go, that uses Discord as its C&C server, with messages dating back as early as March 21st, 2024. It is capable of executing the commands shown in Table 1.
Table 1. EchoCreep commands
| Command | Arguments | Description |
|---|---|---|
| upload | File path | Uploads a file, as an attachment, to Discord from the specified file system path. |
| download | Source (URL) and destination (path) | Downloads a file from the provided source URL to the destination path on the file system. |
| shell | String | Executes the string inside a cmd.exe shell. |
| sleep | Integer (seconds) | Sleeps for the specified number of seconds before reporting success back to the Discord server. |
While we were unable to confirm how the backdoor made its way onto the victim machine, it appears that persistence was established only post-compromise, via C&C commands.
All of EchoCreep's network communication passes through Discord API endpoints using crafted HTTP requests. To parse commands, the backdoor first has to base64-decode them and then decrypt them using AES-128-CBC. Figure 4 shows an example of a command and a reply after both have been decrypted.
{"guild": "lol", "channel_id": 1220298277849796651, "channel": "fire", "content": "shell whoami", "time": "2025-04-14T08:35:41.751000+00:00", "author_id": 1219910976007045171, "author": "jonson889912"}
Figure 4. EchoCreep command and reply
From all 433 Discord messages we decrypted, it was not evident exactly who was impacted, since the victims are not ESET customers. However, we were at least able to determine the number of victims compromised by EchoCreep based on channel names. We discovered that these names were either the victim's IP address, or a combination of the IP address and the victim machine's hostname. Having found four unique channels using this naming convention, we believe that there are four victims.
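As an added illustration, and not code from the original post or from any Webworm sample, the Go program below reproduces the message handling described above: base64 decoding, AES-128-CBC decryption with a strict padding check, filtering the command verb against Table 1, and counting victims from channel names. The key, the IV prepended to each ciphertext, the constructed message payloads, and the "_" or "-" separator between IP address and hostname are all assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// sampleKey is a hypothetical 16-byte key; the page states AES-128-CBC but not the key.
var sampleKey = []byte("0123456789abcdef")

// DiscordMessage keeps the fields of Figure 4 that the backdoor acts on; the others are omitted.
type DiscordMessage struct {
	Channel string `json:"channel"`
	Content string `json:"content"`
}

// Encrypt returns base64(IV || AES-128-CBC(PKCS#7-padded plaintext)). Prepending the IV is
// an assumption made for this example; the page does not say how EchoCreep transports it.
func Encrypt(key, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(append(iv, ct...)), nil
}

// Decrypt reverses Encrypt in the order the text gives: base64 decode, then AES-CBC, then unpad.
func Decrypt(key []byte, encoded string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	if len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext too short or misaligned")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(pt, raw[aes.BlockSize:])
	p := int(pt[len(pt)-1]) // strict PKCS#7 check: a wrong key almost always fails here
	if p == 0 || p > aes.BlockSize || !bytes.Equal(pt[len(pt)-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, errors.New("bad PKCS#7 padding (wrong key or corrupted message)")
	}
	return pt[:len(pt)-p], nil
}

// Verb returns the command verb of a message and whether it is one of the four in Table 1,
// so that operator tests such as the early "run" command are not counted as victim commands.
func Verb(content string) (string, bool) {
	v, _, _ := strings.Cut(strings.TrimSpace(content), " ")
	return v, v == "upload" || v == "download" || v == "shell" || v == "sleep"
}

// victimChannel: an IPv4 address alone, or joined to a hostname ("_" or "-" separator assumed).
var victimChannel = regexp.MustCompile(`^(\d{1,3}\.){3}\d{1,3}([_-].+)?$`)

// CountVictims decrypts and parses every message and records the verbs sent to each victim
// channel; operator test channels such as "fire" in Figure 4 do not match and are skipped.
func CountVictims(key []byte, encoded []string) (map[string][]string, error) {
	victims := map[string][]string{}
	for _, e := range encoded {
		pt, err := Decrypt(key, e)
		if err != nil {
			return nil, err
		}
		var m DiscordMessage
		if err := json.Unmarshal(pt, &m); err != nil {
			return nil, err
		}
		if v, ok := Verb(m.Content); ok && victimChannel.MatchString(m.Channel) {
			victims[m.Channel] = append(victims[m.Channel], v)
		}
	}
	return victims, nil
}

func main() {
	// Constructed message in the shape of Figure 4, encrypted and then decrypted again.
	wire, _ := Encrypt(sampleKey, []byte(`{"channel":"192.0.2.10_HOST01","content":"shell whoami"}`))
	fmt.Println(CountVictims(sampleKey, []string{wire}))
}
```

The padding check matters in practice: when sweeping a dump of messages with a key pulled from one sample, a padding error on every message tells you that sample used a different key, whereas a permissive unpad would silently hand back garbage.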
Upon first execution, EchoCreep does not attempt to create a new channel, but sends a message saying Up Success to a channel that already exists (see Figure 5 and Figure 6). This indicates that the channels were created prior to execution of the backdoor, suggesting that the operators either knew the targets in advance or exfiltrated the required information following initial access.


The earliest messages, sent from March 21st, 2024 to March 31st, 2025, appear to have been operator test commands. Figure 7 shows that the threat actors left some information about their local IP configuration in there.
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : lan
Link-local IPv6 Address . . . . . : fe80::2111:d79b:b1ba:1f4a%10
IPv4 Address. . . . . . . . . . . : 192.168.8.174
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.8.1
Figure 7. Windows ipconfig output
Many of the other early messages contained garbage values, presumably used as a test to verify proper communication, as seen in Figure 8.

Soon afterwards, we began to see download operations like those in Figure 9, showing the development of more advanced commands.

In addition, in Figure 10, we see testing activity that may have been an early version of the persistence mechanism that Webworm would later use against victims. It is also interesting that it executes a run command instead of the eventually used shell command, supporting our assessment that these were early tests.

The very first compromise took place on April 9th, 2025, when new Up Success messages appeared in the logs associated with a new channel name. Shortly after the initial compromise, the threat actor used shell commands to run curl to download files.
GraphWorm
GraphWorm is another new backdoor wielded by Webworm. It executes whenever the victim logs in to the machine. GraphWorm uses the Microsoft Graph API for C&C communication, showing that Webworm has new infrastructure in place to compromise victims, storing information within a Microsoft Graph tenant. Based on what we have seen, the backdoor exclusively uses OneDrive to receive commands and send victim data. The data involved in these communications is first encrypted with AES-256-CBC using OpenSSL EVP library calls and then base64 encoded. GraphWorm also allows proxy settings to be configured, tunneling all of its traffic through the specified proxy.
On first execution, the backdoor creates a unique victim ID by concatenating the network adapter IP address, the processor ID, and the serial number of a physical device, all obtained via WMI.
The unique ID is then used to rename or create a OneDrive folder within the tenant. Each folder is unique to a compromise and contains a fixed set of subfolders for that victim. The three subfolders /files, /result, and /job are used to store files, results of commands executed on the victim machine, and jobs queued by the operators for execution, respectively.
After the folder has been created successfully, the backdoor collects information about the victim machine, resulting in the JSON object seen in Figure 11.
Regular User>",
"Time Zone": "<UTC-XXXX>",
"User Name": "<username>",
"Workgroup": "<workgroup>",
"publicKey": "<key>"
Figure 11. Configuration structure
The commands that GraphWorm receives through OneDrive are described in Table 2, in order of discovery. Note that the upload and download verbs are named from the operator's point of view: upload delivers a file to the victim, download retrieves one from it.
Table 2. GraphWorm commands
| Command | Arguments | Description |
|---|---|---|
| keyExchange | String <adminPublicKey> | This value is set in memory; its purpose is not easily identifiable. It could be used to set a public key within the application to gain reverse shell access. |
| sessionKey | String <sessionKey> String <keyId> | Another pair of values set in memory, with no evident use. Believed to be an RSA private key and an AES key that are updated in memory and used for cryptographic functions. |
| kill | N/A | Stops execution of the backdoor. |
| shell | N/A | Spawns a new instance of cmd.exe. |
| exec | File path | Executes a new process using CreateProcessW. |
| upload | String <onedrive_path> String <agent_path> | Downloads a file from OneDrive to the agent. <onedrive_path> is believed to be the full path as it appears in OneDrive, giving the form /me/drive/root:/<onedrive_path>, and <agent_path> is the full file path as it appears on disk. |
| sleep | Integer | Updates the sleep duration. |
| poll | Integer | Also updates the sleep duration, for an undetermined reason. Possibly because development of the command set is still ongoing. |
| rest | Integer | Sleeps for the given duration. |
| upgrade | JSON text | The JSON text contains configuration settings used to update fields in memory, after which the changes are written to the config.dat file on disk. |
| download | String <onedrive_path> String <file_path> | Uploads the file at <file_path> to the desired path in OneDrive. <onedrive_path> is believed to take the form /me/drive/root:/<uniqueid>/<filename>:/content. |
| heartbeat | Integer <min> Integer <max> | Creates a random delay interval between min and max for how long to wait before updating alive.txt. |
During our research, we noticed that upon completion of the shell command, the results were written to a file named beacon_shell_output.txt in a temporary directory. To upload these large shell command outputs, the operators most likely leveraged the Microsoft Graph API endpoint /createUploadSession, since the backdoor deals with a cloud instance of OneDrive.
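The following Go program is an added example, not ESET's code or a GraphWorm sample. It runs a simple detection over constructed proxy log lines: each Graph API URL is decomposed into the victim ID, subfolder, and Graph verb of the layout described above, and a client is flagged when it repeatedly lists a /job folder (command retrieval) and also pushes data through :/content or :/createUploadSession (result or heartbeat upload). The log format, the client addresses, the victim ID a1b2c3d4, the user agent, and the three-poll threshold are all constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Event is one proxy log line in the constructed format: <time> <client> <method> <url> "<user-agent>".
type Event struct{ Time, Client, Method, URL, UA string }

func ParseLine(line string) (Event, bool) {
	f := strings.SplitN(strings.TrimSpace(line), " ", 5)
	if len(f) != 5 {
		return Event{}, false
	}
	return Event{f[0], f[1], f[2], f[3], strings.Trim(f[4], `"`)}, true
}

// graphPath decomposes the OneDrive layout from the text: /me/drive/root:/<victim id>/{job,result,files}/...
// followed by the Graph verb (:/children lists a folder; :/content and :/createUploadSession move a file).
var graphPath = regexp.MustCompile(
	`^/v1\.0/me/drive/root:/([^/:]+)(?:/(job|result|files))?(/[^:]*)?:/(children|content|createUploadSession)$`)

type GraphHit struct{ VictimID, Folder, Item, Action string }

// ClassifyGraphURL returns the decomposed OneDrive call, or false for any other URL.
func ClassifyGraphURL(raw string) (GraphHit, bool) {
	u, err := url.Parse(raw)
	if err != nil || !strings.EqualFold(u.Host, "graph.microsoft.com") {
		return GraphHit{}, false
	}
	m := graphPath.FindStringSubmatch(u.Path)
	if m == nil {
		return GraphHit{}, false
	}
	return GraphHit{VictimID: m[1], Folder: m[2], Item: m[3], Action: m[4]}, true
}

type Alert struct {
	Client   string
	VictimID string // first ID seen for this client, i.e. the opaque top-level folder name
	JobPolls int    // listings of a /job folder, i.e. command retrieval
	Uploads  int    // createUploadSession or PUT :/content, i.e. result or heartbeat upload
}

// Detect flags clients that repeatedly list a /job folder and also push data up, which is the
// GraphWorm loop described in the text. minPolls is a tuning assumption, not a value from the page.
func Detect(lines []string, minPolls int) []Alert {
	per := map[string]*Alert{}
	var order []string
	for _, l := range lines {
		ev, ok := ParseLine(l)
		if !ok {
			continue
		}
		hit, ok := ClassifyGraphURL(ev.URL)
		if !ok {
			continue
		}
		a := per[ev.Client]
		if a == nil {
			a = &Alert{Client: ev.Client, VictimID: hit.VictimID}
			per[ev.Client] = a
			order = append(order, ev.Client)
		}
		switch {
		case hit.Folder == "job" && hit.Action == "children":
			a.JobPolls++
		case hit.Action == "createUploadSession", ev.Method == "PUT" && hit.Action == "content":
			a.Uploads++
		}
	}
	var out []Alert
	for _, c := range order {
		if a := per[c]; a.JobPolls >= minPolls && a.Uploads > 0 {
			out = append(out, *a)
		}
	}
	return out
}

// SampleLog is constructed for this example; the addresses, victim ID and user agents are invented.
var SampleLog = []string{
	`2025-04-14T08:00:00Z 10.20.30.40 GET https://graph.microsoft.com/v1.0/me/drive/root:/a1b2c3d4/job:/children "GraphWormClient/1.0"`,
	`2025-04-14T08:01:00Z 10.20.30.40 GET https://graph.microsoft.com/v1.0/me/drive/root:/a1b2c3d4/job:/children "GraphWormClient/1.0"`,
	`2025-04-14T08:02:00Z 10.20.30.40 GET https://graph.microsoft.com/v1.0/me/drive/root:/a1b2c3d4/job:/children "GraphWormClient/1.0"`,
	`2025-04-14T08:02:30Z 10.20.30.40 PUT https://graph.microsoft.com/v1.0/me/drive/root:/a1b2c3d4/alive.txt:/content "GraphWormClient/1.0"`,
	`2025-04-14T08:03:10Z 10.20.30.40 POST https://graph.microsoft.com/v1.0/me/drive/root:/a1b2c3d4/result/beacon_shell_output.txt:/createUploadSession "GraphWormClient/1.0"`,
	`2025-04-14T08:05:00Z 10.20.30.41 GET https://graph.microsoft.com/v1.0/me/drive/root:/Documents/report.docx:/content "Mozilla/5.0 OneDrive"`,
}

func main() {
	for _, a := range Detect(SampleLog, 3) {
		fmt.Printf("%s: victim id %s, %d job polls, %d uploads\n", a.Client, a.VictimID, a.JobPolls, a.Uploads)
	}
}
```

Because the access token belongs to the operators' own account, these calls never show up in the victim tenant's Microsoft 365 audit logs; the proxy, firewall, or EDR network telemetry on the victim side is the only place the pattern is visible, which is why the example scans egress logs rather than cloud audit data. Legitimate OneDrive clients do download :/content as the second client does here, so the folder name pattern and the poll-then-upload cadence, not the graph.microsoft.com host alone, carry the signal.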
WormFrp
WormFrp is a proxy tunneling tool inspired by the existing fast reverse proxy (frp) utility that Webworm also uses. The threat actors extended frp with custom functionality so that the tool obtains its configuration values from the compromised Amazon S3 bucket wamanharipethe.s3.ap-south-1.amazonaws[.]com.
The compromised S3 bucket contains several files with .txt extensions that are AES encrypted in ECB mode. Each WormFrp instance is hardcoded with its own AES key and retrieves its own file from the S3 bucket. The configuration file is updated during WormFrp execution to send information back to the operator identifying where the tunnel connects from.
WormFrp requires a command line argument to run. After obtaining its configuration from the S3 bucket, WormFrp attempts to log in to an frp server, opening a reverse proxy and a TCP SOCKS5 proxy. In the samples we observed, the username and password are always randomly generated.
Each instance of WormFrp connects to an frp server via a public IP address. Additional network activity may be seen from the victim's machine once the reverse proxy is established.
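Added example, not WormFrp's code: decrypting an ECB-encrypted configuration file with a key pulled from a sample, parsing it as frp-style INI, and counting repeated ciphertext blocks. The key and its 16-byte size, the INI layout and its values, and the plugin_user/plugin_passwd fields for the SOCKS5 credentials are assumptions; the page states only that the files are AES-ECB encrypted with a per-sample key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"errors"
	"fmt"
	"strings"
)

// buildKey is a hypothetical per-build key; the page says each WormFrp sample embeds its own
// key but does not publish one, and the 16-byte (AES-128) size is also an assumption.
var buildKey = []byte("WormFrpExampleKy")

// SampleConfig is constructed in frp's classic INI layout: a [common] section naming the frp
// server plus one section per proxy. WormFrp's real field layout is not given on the page.
const SampleConfig = `[common]
server_addr = 192.0.2.1
server_port = 7000
token = example-token
[socks5]
type = tcp
remote_port = 6000
plugin = socks5
plugin_user = u7f3k
plugin_passwd = p2q9z
`

// EncryptECB applies AES block by block: Go's standard library deliberately ships no ECB mode.
func EncryptECB(key, plaintext []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	p := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(p))
	for i := 0; i < len(p); i += aes.BlockSize {
		blk.Encrypt(ct[i:i+aes.BlockSize], p[i:i+aes.BlockSize])
	}
	return ct, nil
}

// DecryptECB is what an analyst runs on a file fetched from the bucket once the key is known.
func DecryptECB(key, ciphertext []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of AES blocks")
	}
	pt := make([]byte, len(ciphertext))
	for i := 0; i < len(ciphertext); i += aes.BlockSize {
		blk.Decrypt(pt[i:i+aes.BlockSize], ciphertext[i:i+aes.BlockSize])
	}
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad PKCS#7 padding: wrong key or corrupted file")
	}
	return pt[:len(pt)-pad], nil
}

// RepeatedBlocks counts ciphertext blocks that occur more than once. ECB has no IV, so identical
// plaintext blocks give identical ciphertext blocks; a non-zero result is visible without the key.
func RepeatedBlocks(ciphertext []byte) int {
	seen := map[string]int{}
	for i := 0; i+aes.BlockSize <= len(ciphertext); i += aes.BlockSize {
		seen[string(ciphertext[i:i+aes.BlockSize])]++
	}
	repeats := 0
	for _, n := range seen {
		if n > 1 {
			repeats += n - 1
		}
	}
	return repeats
}

// ParseINI reads the decrypted text into section -> key -> value (frp's classic INI form, assumed here).
func ParseINI(text string) map[string]map[string]string {
	cfg, section := map[string]map[string]string{}, "common"
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = line[1 : len(line)-1]
		} else if k, v, ok := strings.Cut(line, "="); ok && !strings.HasPrefix(line, "#") {
			if cfg[section] == nil {
				cfg[section] = map[string]string{}
			}
			cfg[section][strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return cfg
}

func main() {
	ct, _ := EncryptECB(buildKey, []byte(SampleConfig))
	pt, err := DecryptECB(buildKey, ct)
	fmt.Println(ParseINI(string(pt))["common"]["server_addr"], err, "repeated blocks:", RepeatedBlocks(ct))
}
```

The RepeatedBlocks check is the practical caveat of the operators' choice of mode: two configuration files encrypted under the same key that share a line at the same 16-byte alignment share ciphertext blocks, so related WormFrp configurations in the bucket can be grouped, and partially guessed, before any key is recovered.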
ChainWorm
ChainWorm is another custom proxy tool used by Webworm operators. Its main function appears to be expanding Webworm's proxy infrastructure by opening a port on the machine on which it is deployed. Webworm can use this tool to chain proxies: specially crafted data sent to the port makes the host connect to another remote system and forward the traffic to the next destination, for an indeterminate number of hops.
Typically, the port opened on the impacted host is hardcoded in the tool. TCP connections are accepted on that port to receive transmissions that can lead to additional outbound connections, to either a direct IP address or a hostname, together with a port.
Using the hostname and port combination, a connection is made to the next hop in the chain. With connections established between source and destination, any data passed through is forwarded to the next upstream hop in the chain. If at any point there is an exception, the source is notified with the byte sequence 0x05 01 00 01 00 00 00 00 00 00 before a reconnect is attempted. This sequence has the layout of a SOCKS5 reply as defined in RFC 1928: version 5, reply code 1 (general SOCKS server failure), address type 1 (IPv4), and a zeroed bind address and port.
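The Go program below is an added example, not ChainWorm's code: a single hop that accepts a connection, reads the next destination, connects to it and relays traffic in both directions, and on connection failure returns the exact byte sequence quoted above. The "host:port\n" framing of the destination, the loopback listener, and the echo service standing in for the next hop are assumptions made for the example; the real tool's wire format is not published on the page.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"strings"
	"time"
)

// socks5Failure is the byte sequence quoted in the text, read as an RFC 1928 reply: VER=0x05,
// REP=0x01 (general SOCKS server failure), RSV=0x00, ATYP=0x01 (IPv4), BND.ADDR=0.0.0.0, BND.PORT=0.
var socks5Failure = []byte{0x05, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}

var repCodes = []string{"succeeded", "general SOCKS server failure", "connection not allowed by ruleset",
	"network unreachable", "host unreachable", "connection refused", "TTL expired",
	"command not supported", "address type not supported"}

// DescribeSocks5Reply decodes a 10-byte IPv4 SOCKS5 reply into a readable line for an analyst.
func DescribeSocks5Reply(b []byte) (string, error) {
	if len(b) != 10 || b[0] != 0x05 || b[3] != 0x01 {
		return "", fmt.Errorf("not a 10-byte IPv4 SOCKS5 reply: % x", b)
	}
	rep := "unassigned"
	if int(b[1]) < len(repCodes) {
		rep = repCodes[b[1]]
	}
	return fmt.Sprintf("SOCKS5 reply: %s, bound to %s:%d", rep, net.IPv4(b[4], b[5], b[6], b[7]), int(b[8])<<8|int(b[9])), nil
}

// handle is one hop: read the next destination, connect to it, then relay both directions until
// both sides are done. The "host:port\n" framing is an assumption; the page only says "specially crafted data".
func handle(c net.Conn, dialTimeout time.Duration) {
	defer c.Close()
	r := bufio.NewReader(c)
	c.SetReadDeadline(time.Now().Add(dialTimeout))
	target, err := r.ReadString('\n')
	if err != nil {
		return
	}
	c.SetReadDeadline(time.Time{})
	up, err := net.DialTimeout("tcp", strings.TrimSpace(target), dialTimeout)
	if err != nil {
		c.Write(socks5Failure) // the failure notification described in the text
		io.Copy(io.Discard, r) // drain so that closing sends FIN rather than RST
		return
	}
	defer up.Close()
	done := make(chan struct{}, 2)
	go func() { io.Copy(up, r); up.(*net.TCPConn).CloseWrite(); done <- struct{}{} }()
	go func() { io.Copy(c, up); c.(*net.TCPConn).CloseWrite(); done <- struct{}{} }()
	<-done
	<-done
}

// listenAndServe opens a loopback listener (the real tool hardcodes its port) and serves it with handler.
func listenAndServe(handler func(net.Conn)) (addr string, stop func(), err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go handler(c)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

// StartHop starts one ChainWorm-style hop; StartEcho is a stand-in for the next hop that echoes its input.
func StartHop(dialTimeout time.Duration) (string, func(), error) {
	return listenAndServe(func(c net.Conn) { handle(c, dialTimeout) })
}

func StartEcho() (string, func(), error) {
	return listenAndServe(func(c net.Conn) { defer c.Close(); io.Copy(c, c) })
}

// ThroughHop sends payload to target via hop and returns everything that comes back.
func ThroughHop(hop, target string, payload []byte, timeout time.Duration) ([]byte, error) {
	c, err := net.DialTimeout("tcp", hop, timeout)
	if err != nil {
		return nil, err
	}
	defer c.Close()
	c.SetDeadline(time.Now().Add(timeout))
	if _, err := c.Write(append([]byte(target+"\n"), payload...)); err != nil {
		return nil, err
	}
	c.(*net.TCPConn).CloseWrite()
	return io.ReadAll(c)
}

func main() {
	echo, stopEcho, _ := StartEcho()
	defer stopEcho()
	hop, stopHop, _ := StartHop(2 * time.Second)
	defer stopHop()
	reply, err := ThroughHop(hop, echo, []byte("ping through the chain"), 3*time.Second)
	fmt.Printf("relayed: %q err=%v\n", reply, err)
	reply, _ = ThroughHop(hop, "127.0.0.1:9", []byte("x"), 3*time.Second) // port 9 is normally closed
	fmt.Println(DescribeSocks5Reply(reply))
}
```

Chaining is just pointing one hop's destination at another hop's listener, so on the wire each hop sees only its neighbours; from a defender's side, the 10-byte failure reply arriving on an unexpected port is a cheap network indicator of this class of relay, since it appears without any preceding SOCKS5 greeting or authentication exchange.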
SmuxProxy
SmuxProxy is a utility based on iox, a port forwarding and intranet proxy tool. On top of the existing iox functionality, SmuxProxy contains small customizations that allow for a hardcoded server IP address and port, making it easier for operators to drop and execute. It can also generate a random key and initialization vector for encrypted communications.
WormSocket
The last of Webworm's new custom proxies is WormSocket, a tool that uses configured servers running socket.io to establish a proxy for web requests. WormSocket allows for a highly configurable and scalable proxy network in which specific nodes can be addressed at any given time.
Its configuration relies on both hardcoded values and command line arguments. WormSocket accepts an optional command line argument --proxy followed by a URI containing basic authentication credentials, which is used to create a WebProxy object. That proxy is then used underneath a connection to a web socket. The configuration for this web socket is hardcoded in WormSocket.
Once WormSocket has started, it first connects to the configured IP address and port by attempting connections using the ws, wss, http, and https schemes. Once a connection succeeds, an asynchronous task is spawned to receive and send messages. There are four possible message types, described in detail in Table 3.
Table 3. WormSocket message types
| Type | Message class | Values | Description |
|---|---|---|---|
| 1 | InitiateForwarderClientReq | String <ForwarderClientId>, String <IpAddress>, Integer <Port> | Uses the IpAddress field to perform a DNS lookup and obtain the host address of a possible domain passed through, the result of which is used to create a new TCP client with the Port. Once the client establishes connectivity, it is stored in a dictionary of ForwarderClientId and TcpClient pairs. In addition, a new InitiateForwarderClientRep message object is created with the same information used to build the TCP client and sent, with the messages read by the client stored in a ConcurrentQueue for later use. |
| 2 | InitiateForwarderClientRep | String <ForwarderClientId>, String <BindAddress>, Integer <BindPort>, Integer <AddressType>, Integer <Reason> | ForwarderClientId is used to look up an already configured TCP client created by InitiateForwarderClientReq in the client dictionary; all other values appear to be unused. Once the TCP client is retrieved, new messages are read and stored in a ConcurrentQueue for later use. |
| 3 | SendDataMessage | String <ForwarderClientId>, Bytes[] <Data> | Sends the base64-encoded Data through the TCP client associated with ForwarderClientId. |
| 4 | CheckInMessage | String <MessengerId> | Assigns MessengerId to the internal MessengerId, which does not appear to be used for anything. |
Conclusion
Webworm is a China-aligned APT group active since at least 2022. It employs a constantly evolving toolkit comprising primarily backdoors and a mix of open-source and custom proxy utilities. In the 2025 campaigns we observed, Webworm began using Discord-based (EchoCreep) and Microsoft Graph API-based (GraphWorm) backdoors. The group also continues to stage files in GitHub repositories, and we can only assume that it will keep doing so in the future.
Through our analysis, we were fortunate enough to recover commands executed on an operator server, which gave us a view into the group's potential initial access techniques, including the use of an open-source vulnerability scanner, and allowed us to identify some of its targets.
It is clear that Webworm is a very active APT group that will continue trying to use new tools to compromise its victims, whether at the initial entry point or post-compromise.
For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com. ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.
IoCs
A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.
Files
| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| CB4E5043333670738142 | SearchApp.exe | WinGo/Agent.ZK | EchoCreep backdoor using Discord for C&C. |
| 1DF40A4A31B30B62EC33 | ssh.exe | WinGo/HackTool. | WormFrp proxy tool. |
| 7DCFE9EE25841DFD58D3 | svc.exe | MSIL/HackTool. | WormHole proxy tool. |
| 77F1970D620216C5FFF4 | C2OverOneDrive_v | Win32/Agent.VWD | GraphWorm backdoor using the Microsoft Graph API for C&C. |
| 948159A7FC2E68838686 | MessengerClient. | MSIL/HackTool.P | WormSocket proxy tool. |
| A3C077BDF8898E612CCD | dsocks.exe | WinGo/Riskware. | SmuxProxy, a custom iox build with a hardcoded IP address. |
Network
| IP | Domain | Hosting provider | First seen | Details |
|---|---|---|---|---|
| N/A | wamanharipethe.s3.ap-south-1.amazonaws[.]com | N/A | 2025-04-14 | Compromised S3 bucket used for frp configurations and data exfiltration. |
| 45.77.13[.]67 | N/A | Vultr Holdings, LLC | 2025-04-07 | WormSocket web socket server. |
| 64.176.85[.]158 | N/A | The Constant Company, LLC | 2025-06-28 | SmuxProxy server. |
| 104.243.23[.]43 | N/A | IT7 Networks Inc | 2025-04-09 | SmuxProxy server. |
| 108.61.200[.]151 | N/A | Vultr Holdings, LLC | 2025-04-10 | WormFrp proxy server. |
| 144.168.60[.]233 | N/A | IT7 Networks Inc | 2025-06-30 | Reverse shell IP address discovered on the SmuxProxy server. |
MITRE ATT&CK techniques
This table was built using version 19 of the MITRE ATT&CK framework.
| Tactic | ID | Name | Description |
|---|---|---|---|
| Reconnaissance | T1595.002 | Active Scanning: Vulnerability Scanning | Webworm used the open-source vulnerability scanner nuclei against targets. |
| | T1595.003 | Active Scanning: Wordlist Scanning | Webworm used dirsearch, which leverages wordlists, to perform web directory scanning against targets. |
| Resource Development | T1588.006 | Obtain Capabilities: Vulnerabilities | Webworm used publicly available exploit code for post-authentication remote code execution. |
| | T1583.004 | Acquire Infrastructure: Server | Servers for WormFrp, SmuxProxy, and WormSocket are hosted on cloud services in Vultr and IT7 Networks ASNs. |
| | T1583.003 | Acquire Infrastructure: Virtual Private Server | Webworm uses SoftEther VPN servers that have been seen hosted on Vultr cloud services. |
| | T1584.006 | Compromise Infrastructure: Web Services | Webworm has been seen compromising S3 buckets as well as using tools like nuclei to find footholds. |
| | T1608.002 | Stage Capabilities: Upload Tool | Webworm staged tools in its GitHub repository for direct download onto compromised systems. |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | EchoCreep and GraphWorm both use the Windows command line to execute operator commands. |
| | T1053.005 | Scheduled Task/Job: Scheduled Task | EchoCreep is executed under the custom-created MicrosoftSSHUpdate scheduled task. |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | GraphWorm persists by modifying registry Run keys. |
| Defense Evasion | T1070.004 | Indicator Removal: File Deletion | GraphWorm deletes the beacon file it created after a successful upload. |
| | T1112 | Modify Registry | GraphWorm modifies registry Run keys for persistence. |
| | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | GraphWorm and EchoCreep use encryption and encoding to obfuscate data. |
| | T1550.001 | Use Alternate Authentication Material: Application Access Token | GraphWorm and EchoCreep use API tokens to communicate with their C&C infrastructure. |
| | T1078.004 | Valid Accounts: Cloud Accounts | GraphWorm uses a valid cloud account to access Microsoft Graph APIs. |
| | T1070.006 | Indicator Removal: Timestomp | EchoCreep has a modified timestamp attribute. |
| Lateral Movement | T1021.007 | Remote Services: Cloud Services | Webworm uses a compromised S3 bucket as a file staging zone. |
| Collection | T1005 | Data from Local System | Both EchoCreep and GraphWorm can collect data from the local system. |
| | T1074.001 | Data Staged: Local Data Staging | GraphWorm stages a beacon file locally before uploading it to the C&C. |
| | T1074.002 | Data Staged: Remote Data Staging | GraphWorm stages files and tasks within OneDrive via the Microsoft Graph API. |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | EchoCreep, GraphWorm, and WormSocket use HTTP and the WebSocket protocol. |
| | T1132.001 | Data Encoding: Standard Encoding | EchoCreep, GraphWorm, and WormSocket use base64 encoding. |
| | T1573.001 | Encrypted Channel: Symmetric Cryptography | EchoCreep, GraphWorm, WormSocket, and WormFrp use AES, a symmetric cipher, in some capacity. |
| | T1090.003 | Proxy: Multi-hop Proxy | WormSocket and ChainWorm create multiple proxy hops. |
| | T1090.002 | Proxy: External Proxy | WormFrp, ChainWorm, WormSocket, SmuxProxy, and GraphWorm are capable of connecting to external proxies. |
| | T1090.001 | Proxy: Internal Proxy | ChainWorm and WormSocket can create internal proxies. |
| | T1102.002 | Web Service: Bidirectional Communication | EchoCreep and GraphWorm use Discord and the Microsoft Graph API as C&C infrastructure. |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | EchoCreep and GraphWorm exfiltrate data to their respective C&C infrastructures. |
| | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | GraphWorm exfiltrates data to OneDrive via the Microsoft Graph API. |


