China-Linked Webworm APT Evolves Tactics, Expands to European Targets
ID: 7e571c11-e22e-561d-a0cd-7562d15c739a
STIX ID: report--7e571c11-e22e-561d-a0cd-7562d15c739a
Feed Name: Infosecurity Magazine (News)
ESET researchers observed the China-aligned APT Webworm broaden its operations in 2025 to target European government organizations and a South African university. The group deployed new backdoors (Discord-based EchoCreep and Microsoft Graph-based GraphWorm), used proxy toolsets (WormFrp, ChainWorm, SmuxProxy, WormSocket) for C2 and network extension, exploited an identified SquirrelMail vulnerability for initial access, and used cloud endpoints (OneDrive, AWS S3) for job retrieval and data exfiltration.
