Webworm APT Expands Operations to Europe with New Backdoors

ID: 874f9645-ae73-595c-a14b-42fb48965251

STIX ID: report--874f9645-ae73-595c-a14b-42fb48965251

Feed Name: ThreatCluster

Threat Score: 85/100

Date Published: 2026-05-20

Date Updated: 2026-05-21

The report details Webworm, a China-aligned APT that expanded operations into Europe in 2025, targeting government organizations in Belgium, Italy, Poland, Serbia, and Spain, as well as a university in South Africa. The group deployed two new backdoors, EchoCreep (Discord-based) and GraphWorm (Microsoft Graph API-based), alongside modified RATs and proxy tools, staging malware in GitHub and using cloud services for exfiltration. The report includes IOCs, decrypted Discord messages evidencing activity, and prioritized mitigation recommendations.
