Webworm APT targets European government organizations with new backdoors
ESET has released an analysis of the 2025 activity of Webworm, a China-aligned APT group also tracked as Space Pirates and UAT-8302. Active since at least 2022, the group initially focused on targets in Asia, but has recently expanded its operations into Europe.
ESET observed Webworm targeting government organizations in Belgium, Italy, Poland, Serbia, and Spain during 2025. The group also expanded its activity into South Africa, where researchers identified activity involving a local university.
Discord messages expose infrastructure and targets
By decrypting more than 400 Discord messages used for command-and-control (C&C) communication, ESET gained visibility into the group’s infrastructure and operations. The analysis revealed reconnaissance activity involving more than 50 unique targets.
“Through our analysis, we were fortunate enough to recover commands executed from a server that gave a view into the group’s potential initial access techniques, using an open-source vulnerability scanner as well as identifying some of its focused targets,” said Eric Howard, ESET researcher who investigated the campaign.
The recovered information led ESET to an attacker-operated GitHub repository used to host staged malware and supporting tools that could be downloaded onto victim systems.
The repository contained artifacts including the SoftEther VPN application. Researchers identified an IP address in a SoftEther configuration file that matched infrastructure previously linked to Webworm.
Figure: Forked WordPress repository (Source: ESET)
New backdoors
According to ESET, the group’s latest campaigns introduced two new backdoors: EchoCreep and GraphWorm.
EchoCreep uses Discord for C&C communication, allowing attackers to upload files, send runtime reports, and receive commands.
GraphWorm relies on Microsoft Graph API and OneDrive endpoints to retrieve tasks and upload victim information.
The group expanded its use of proxy tools. Existing proxy capabilities were supplemented with custom tools including WormFrp, ChainWorm, SmuxProxy, and WormSocket. Based on the number and complexity of these tools, ESET believes Webworm may be building a larger hidden network by using compromised systems as proxy infrastructure.
During the investigation, ESET discovered that Webworm had started using WormFrp to retrieve configurations from a compromised AWS S3 bucket.
“It is apparent that through this S3 bucket, Webworm can leverage data exfiltration while an unsuspecting victim foots the bill for the service,” Howard said.
Between December 2025 and January 2026, Webworm operators uploaded 20 new files to the service, two of which had been exfiltrated from a government organization in Spain.
ESET noted that Webworm continues to stage files on GitHub and expects the group to maintain that approach in future campaigns.
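The defensive takeaway from the two backdoors, the GitHub staging and the S3 finding is that the C&C and exfiltration traffic blends into legitimate cloud services, so the useful question is which process on the endpoint is talking to them. The sketch below is an added example (not ESET's code or detection logic): it reads constructed proxy/EDR log lines and flags connections to Discord, Microsoft Graph, GitHub and S3 that do not come from a client normally expected to use that service. The hostname patterns, the process allowlist and the sample log lines are assumptions to be tuned to your own environment.

```python
"""Flag connections to trusted cloud services from unexpected processes.
Heuristic based on the Webworm tradecraft described above; every log line,
hostname pattern and allowlist entry here is constructed, not from the report."""
import re
from collections import namedtuple

Alert = namedtuple("Alert", "ts process host reason")

# Abused services -> processes that legitimately talk to them on a managed
# workstation (assumed allowlist; adjust to what your fleet actually runs).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
TRUSTED_SITES = {
    r"^(www\.)?discord(app)?\.com$": {"discord.exe"} | BROWSERS,
    r"^graph\.microsoft\.com$": {"onedrive.exe", "outlook.exe", "teams.exe"} | BROWSERS,
    r"^(api\.|raw\.)?github(usercontent)?\.com$": {"git.exe", "code.exe"} | BROWSERS,
    r"(^|\.)s3[.-]([a-z0-9-]+\.)?amazonaws\.com$": {"aws.exe"} | BROWSERS,
}

# Constructed sample log: timestamp|workstation|process|destination host|bytes out
LOG_LINES = """\
2026-01-12T09:14:03Z|WS-042|chrome.exe|discord.com|2048
2026-01-12T09:15:11Z|WS-042|svchost.exe|discord.com|5120
2026-01-12T09:16:40Z|WS-017|onedrive.exe|graph.microsoft.com|40960
2026-01-12T09:17:02Z|WS-017|wuauclt.exe|graph.microsoft.com|1024
2026-01-12T09:18:30Z|WS-009|powershell.exe|raw.githubusercontent.com|512
2026-01-12T09:19:55Z|WS-009|update.exe|example-bucket.s3.eu-west-1.amazonaws.com|8388608
2026-01-12T09:20:10Z|WS-009|msedge.exe|example.org|300
""".splitlines()


def classify(line):
    """Return an Alert when a trusted site is contacted by a non-allowlisted process."""
    ts, _workstation, proc, dst, bytes_out = line.split("|")
    proc, dst = proc.lower(), dst.lower()
    for pattern, allowed in TRUSTED_SITES.items():
        if re.search(pattern, dst):
            if proc not in allowed:
                return Alert(ts, proc, dst, f"unexpected process for trusted site ({bytes_out} bytes out)")
            return None  # expected client for this service
    return None  # destination is not one of the watched services


def scan(lines):
    """Run classify() over every log line and keep the hits."""
    return [alert for alert in map(classify, lines) if alert]


if __name__ == "__main__":
    for alert in scan(LOG_LINES):
        print(alert)
```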