Webworm APT targets European government organizations with new backdoors
ID: 9ab15b82-b5f9-5a17-8247-b3853190d875
STIX ID: report--9ab15b82-b5f9-5a17-8247-b3853190d875
Feed Name: Help Net Security
ESET reports that Webworm (Space Pirates/UAT-8302) expanded operations in 2025, targeting government entities in multiple European countries and a South African university. Researchers decrypted Discord C2 messages exposing infrastructure and reconnaissance against 50+ targets, found a GitHub repository and SoftEther configuration linking attacker infrastructure, and observed new backdoors (EchoCreep using Discord C2 and GraphWorm using Microsoft Graph/OneDrive), plus custom proxy tooling and exfiltration of files to an AWS S3 bucket and GitHub staging.
