ESET researchers describe new tools and techniques that the Webworm APT group recently added to its arsenal
Analysis Summary
# Threat Actor: Webworm
## Attribution & Identity
* **Identification:** Webworm is a China-aligned Advanced Persistent Threat (APT) group.
* **Aliases/Associated Groups:**
  * Linked to **SixLittleMonkeys** (associated with Mikroceen).
  * Linked to **FishMonger** (associated with Operation Fishmedley).
* **Attribution Basis:** ESET researchers linked 2025 campaigns to Webworm via decrypted C2 messages that led to a GitHub repository containing a SoftEther VPN configuration file pointing to a known Webworm IP address.
## Activity Summary
Webworm has been active since at least 2022. While originally focused on Asian targets using traditional Remote Access Trojans (RATs), the group significantly evolved in 2024–2025. Recent operations show a pivot toward European government targets and a technical shift toward "living-off-the-land" proxy tools and cloud-based C2 mechanisms (Discord and Microsoft Graph API) to increase stealth and bypass traditional perimeter defenses.
## Tactics, Techniques & Procedures
The actor has moved away from full-featured backdoors in favor of modular proxy tools and legitimate web services for command and control.
* **Execution:** Use of `cmd.exe` and `powershell.exe` for manual command execution [T1059].
* **Persistence/Staging:** Staging malware/artifacts on GitHub and compromised AWS S3 buckets [T1584.004, T1608.002].
* **Command & Control:**
  * **EchoCreep:** Uses Discord for C2 communication [T1102.002].
  * **GraphWorm:** Uses Microsoft Graph API/OneDrive for C2 and data staging [T1102.002, T1567.002].
  * **Protocol Tunneling:** Extensive use of SOCKS proxies and multi-hop chaining to obfuscate traffic [T1090.003].
* **Defense Evasion:** Use of legitimate tools (SoftEther VPN) and custom encrypted proxies to blend with normal network traffic.
* **Data Collection:** Local data staging before exfiltration [T1074.001].
## Targeting
* **Sectors:** Governmental organizations, Higher Education (Universities).
* **Geography:**
  * **Primary (Recent):** Europe (Belgium, Italy, Serbia, and Poland).
  * **Secondary:** South Africa.
  * **Historical:** Asia.
* **Victims:** Specifically noted include a university in South Africa and various European government entities.
## Tools & Infrastructure
* **New Backdoors (2025):** EchoCreep (Discord-based), GraphWorm (Microsoft Graph API-based).
* **Legacy Malware:** McRat (9002 RAT), Trochilus (mostly abandoned in 2025).
* **Proxy & Networking Tools:**
  * *Legitimate/Existing:* SoftEther VPN, `iox`, `frp` (Go-based reverse proxy).
  * *Custom:* WormFrp, ChainWorm, SmuxProxy, WormSocket.
* **Infrastructure:**
  * **Cloud Providers:** Vultr, IT7 Networks.
  * **Services:** Discord, Microsoft OneDrive, GitHub, AWS S3.
  * **Sample IP (Defanged):** Identified via the SoftEther configuration file; the specific address is not given in this summary but is associated with the actor's historical footprint.
## Implications
Webworm represents a highly adaptive threat actor that is successfully maturing its TTPs. By shifting from bespoke RATs to custom proxies and legitimate cloud services (Discord/Graph API), the group minimizes its file-based signature footprint. Their expansion into Europe and South Africa indicates a broadening of strategic intelligence requirements beyond their traditional regional focus in Asia.
## Mitigations
* **Egress Filtering:** Restrict access to known code repositories (GitHub) and cloud storage/messaging platforms (Discord) from sensitive production servers unless strictly required.
* **API Monitoring:** Implement logging and monitoring for Microsoft Graph API calls, looking for unusual patterns of data being uploaded to personal OneDrive accounts.
* **Proxy Detection:** Monitor for unauthorized use of networking tools like SoftEther, `iox`, and `frp` within the internal environment.
* **Behavioral Auditing:** Audit `cmd.exe` and `powershell.exe` activity, particularly when spawned by web services or uncommon parent processes.
* **Network Segmentation:** Use internal firewalls to prevent the "chaining" of proxy tools across different network segments.
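The Behavioral Auditing and Proxy Detection items above can be turned into a simple hunt over process-creation telemetry. The script below is an added example, not part of the ESET report: it parses Sysmon-style `Key=value` event lines (constructed sample data, not real logs), flags `cmd.exe`/`powershell.exe` spawned by web-service parents, and flags execution of the proxy/VPN binaries the report names. The parent-process baseline and the tool file names (`vpnclient.exe`, `iox.exe`, `frpc.exe`, ...) are assumptions.

```python
import re

# Parents that should rarely launch an interactive shell (assumed baseline list).
WEB_SERVICE_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe", "php-cgi.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Binaries of the proxy/VPN tools the report names (SoftEther, iox, frp); the exact
# file names are assumptions about how those tools are commonly shipped.
PROXY_TOOL_NAMES = {"vpnclient.exe", "vpncmd.exe", "vpnserver.exe", "iox.exe", "frpc.exe", "frps.exe"}

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # Key=value or Key="value with spaces"

def parse_event(line):
    """Parse one Sysmon-style key=value line into a dict (quotes stripped)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV_RE.finditer(line)}

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return alert tags for one parsed event; an empty list means no finding."""
    tags = []
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    if image in SHELLS and parent in WEB_SERVICE_PARENTS:
        tags.append("shell-from-web-service")  # Behavioral Auditing bullet
    if image in PROXY_TOOL_NAMES:
        tags.append("proxy-tool-execution")    # Proxy Detection bullet
    return tags

def hunt(lines):
    """Return (host, image, tags) for every event that produced at least one tag."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        tags = classify(ev)
        if tags:
            findings.append((ev.get("Host", "?"), basename(ev.get("Image", "")), tags))
    return findings

# Constructed sample telemetry for the demo; these are not real logs or IoCs.
SAMPLE_EVENTS = [
    r'Host=web01 Image=C:\Windows\System32\cmd.exe ParentImage=C:\Windows\System32\inetsrv\w3wp.exe CommandLine="cmd.exe /c whoami"',
    r'Host=web01 Image=C:\Windows\System32\cmd.exe ParentImage=C:\Windows\explorer.exe CommandLine="cmd.exe"',
    r'Host=srv02 Image=C:\Users\Public\frpc.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine="frpc.exe -c frpc.ini"',
    r'Host=srv02 Image=C:\Temp\iox.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine="iox.exe"',
    r'Host=ws07 Image="C:\Program Files\SoftEther VPN Client\vpnclient.exe" ParentImage=C:\Windows\System32\services.exe CommandLine="vpnclient.exe"',
]
```

Running `hunt(SAMPLE_EVENTS)` yields four findings (the shell launched from `w3wp.exe` and the three proxy-tool executions); the `cmd.exe` started from `explorer.exe` produces none.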