Webworm, a China-backed persistent threat actor, has shifted its targeting from Asia to European governmental organizations and is using stealthier command-and-control methods like Discord, Microsoft Graph, and custom proxy tools. ESET says the group has evolved its tradecraft in 2024–2025, replacing older malware such as McRat and Trochilus with backdoors like EchoCreep and GraphWorm while continuing to probe for vulnerabilities and hidden access points. #Webworm #EchoCreep #GraphWorm #McRat #Trochilus #SoftEtherVPN #Vultr #IT7Networks #WormFrp #ChainWorm #SmuxProxy #WormSocket
Key points
- Webworm is now targeting European government organizations.
- The group has shifted from Asia-focused operations to Europe and South Africa.
- It moved away from McRat and Trochilus toward proxy tools and custom backdoors.
- EchoCreep uses Discord for command and control, while GraphWorm uses Microsoft Graph and OneDrive.
- Organizations should patch systems, limit exposure, and monitor unusual traffic to Discord, Microsoft Graph, and S3.
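A minimal detection pass over proxy logs that follows the monitoring advice above: it flags hosts whose contacts with Discord, Microsoft Graph or S3 are frequent and evenly spaced, which is how a timer-driven backdoor looks next to a person using the same services. This is an added example, not code from ESET or the article; the log format, host names, allowlist and thresholds are constructed.

```python
"""Flag hosts whose traffic to Discord, Microsoft Graph or S3 looks like
machine-timed beaconing. Log format, hosts and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO time> <src host> <dest domain> <bytes>"
SAMPLE_LOG = """\
2025-03-04T09:00:00 ws-fin-07 discord.com 812
2025-03-04T09:01:00 ws-fin-07 discord.com 815
2025-03-04T09:02:00 ws-fin-07 discord.com 809
2025-03-04T09:03:00 ws-fin-07 discord.com 820
2025-03-04T09:00:12 ws-hr-02 graph.microsoft.com 5120
2025-03-04T09:31:05 ws-hr-02 graph.microsoft.com 77000
2025-03-04T09:00:30 srv-backup-01 backups.s3.amazonaws.com 4000000
2025-03-04T09:10:30 srv-backup-01 backups.s3.amazonaws.com 4000000
"""

# Cloud services the article names as C2 channels, keyed by domain suffix
WATCHED = {"discord.com": "discord", "discordapp.com": "discord",
           "graph.microsoft.com": "graph", "s3.amazonaws.com": "s3"}
# Hosts with a known business reason to use a service (constructed allowlist)
ALLOWED = {"s3": {"srv-backup-01"}}

def classify(domain):
    """Map a destination domain to a watched service name, or None."""
    for suffix, svc in WATCHED.items():
        if domain == suffix or domain.endswith("." + suffix):
            return svc
    return None

def find_beacons(log_text, min_hits=4, max_jitter=0.2):
    """Return {(host, service): mean_interval_s} for non-allowlisted hosts
    whose contacts with a watched service are frequent and evenly spaced."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        ts, host, domain, _ = line.split()
        svc = classify(domain)
        if svc and host not in ALLOWED.get(svc, set()):
            times[(host, svc)].append(datetime.fromisoformat(ts))
    hits = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue  # too few contacts to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Low relative jitter points to a timer, not a person clicking around
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[key] = avg
    return hits
```

On the constructed sample only `ws-fin-07` is reported (a 60-second cadence to Discord); the Graph user is too infrequent to judge and the backup server is allowlisted for S3.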
Read More: https://www.darkreading.com/endpoint-security/chinas-webworm-discord-microsoft-graphs