ChannelLife UK - Industry insider news for technology resellers

Webworm targets European governments with Discord malware

Fri, 29th May 2026
Joseph Gabriel Lagonsin, News Editor

ESET has published new research on Webworm, a China-aligned cyber espionage group, detailing attacks against government bodies in Europe and activity in South Africa.

Researchers decrypted more than 400 Discord messages linked to the group and identified an attacker-controlled server used for reconnaissance against more than 50 targets. The material helped link the latest campaign to Webworm and shed light on how the group selected and profiled victims.

Webworm appears to have shifted its operations since it was previously observed targeting organisations in Asia. The latest activity tracked by ESET shows the group focusing on government organisations in Belgium, Italy, Poland, Serbia and Spain, while also compromising a university in South Africa.

The investigation found that Webworm has adopted two backdoors for command-and-control communications: EchoCreep, which uses Discord, and GraphWorm, which uses the Microsoft Graph API. The shift marks a move away from older remote access tools used in earlier campaigns.

EchoCreep used Discord to upload files, send runtime reports and receive commands. GraphWorm, by contrast, used Microsoft OneDrive endpoints to collect tasks and upload data from victims, with a separate OneDrive directory created for each target.

Webworm also continued to rely on proxy tools to move through victim networks and conceal its activity. Alongside existing tools, researchers identified custom proxies including WormFrp, ChainWorm, SmuxProxy and WormSocket.

The number and variety of those tools suggest Webworm may be building a broader hidden network by getting victims to run its proxy infrastructure. Researchers also found that the group staged files on GitHub using a repository forked from the legitimate WordPress codebase, helping the material blend in with normal traffic and content.

One of the more unusual findings involved Amazon Web Services. Webworm used its WormFrp proxy to pull configurations from a compromised AWS S3 bucket and store data taken from victims, shifting storage costs to the account holder whose cloud service had been hijacked.
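The C2 channels and staging described above (Discord API for EchoCreep, Graph API OneDrive endpoints for GraphWorm, and an S3 bucket for WormFrp configurations) all ride on legitimate services, so a defender's signal is the pairing of host, process and destination rather than the destination alone. The following detection sketch is an added example written for this article, not ESET's code or any indicator from its report; the log format, hostnames, bucket name and per-service process allowlists are constructed assumptions to be tuned to your own proxy or EDR telemetry.

```python
import re
from collections import namedtuple

# Constructed sample proxy log lines (not from the ESET report):
# timestamp host process method url
SAMPLE_LOG = """\
2026-05-12T08:01:12Z ws-it-14 chrome.exe GET https://discord.com/app
2026-05-12T08:01:40Z ws-it-14 svchost.exe POST https://discord.com/api/v10/channels/1234/messages
2026-05-12T08:02:05Z ws-fin-03 OneDrive.exe PUT https://graph.microsoft.com/v1.0/me/drive/root:/Documents/a.docx:/content
2026-05-12T08:02:30Z ws-fin-03 rundll32.exe GET https://graph.microsoft.com/v1.0/me/drive/root:/tasks/ws-fin-03:/children
2026-05-12T08:03:10Z srv-gov-01 wupdate.exe GET https://example-bucket.s3.amazonaws.com/cfg/frp.ini
2026-05-12T08:03:50Z ws-it-14 chrome.exe GET https://www.example.gov/
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

# Each watched service maps to a URL pattern and the (assumed, environment-specific)
# set of processes that legitimately talk to it. Anything else contacting the
# service is a candidate for living-off-trusted-services C2 or staging.
WATCHED = {
    "discord_api": (re.compile(r"^https://discord(app)?\.com/api/"),
                    {"discord.exe", "chrome.exe", "firefox.exe", "msedge.exe"}),
    "graph_onedrive": (re.compile(r"^https://graph\.microsoft\.com/v1\.0/.*/drive"),
                       {"onedrive.exe", "chrome.exe", "msedge.exe", "outlook.exe"}),
    "s3_bucket": (re.compile(r"^https://[^/]+\.s3[.-][^/]*amazonaws\.com/|^https://s3\.amazonaws\.com/"),
                  {"aws.exe", "chrome.exe", "msedge.exe"}),
}

Hit = namedtuple("Hit", "ts host process channel url")

def find_suspicious(log_text):
    """Return one Hit per log line where a non-allowlisted process reaches a watched service."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        ts, host, proc, _method, url = m.groups()
        for channel, (pattern, allowed) in WATCHED.items():
            if pattern.search(url) and proc.lower() not in allowed:
                hits.append(Hit(ts, host, proc, channel, url))
    return hits

if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG):
        print(f"{h.ts} {h.host} {h.process} -> {h.channel}: {h.url}")
```

On the sample above this flags the svchost.exe Discord API call, the rundll32.exe OneDrive drive listing and the wupdate.exe S3 fetch, while the browser and OneDrive client traffic passes.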

A review of files in the bucket revealed snapshots from virtual machine hosts, including one containing the current configuration and active state of a machine belonging to a government entity in Italy. Researchers also found that 20 new files had been uploaded over a two-month period, including two taken from a government body in Spain.

The Spanish material included an XML file containing saved configurations of virtual hosts used by mRemoteNG, an open-source remote connection manager, and a Microsoft Visio diagram showing infrastructure linked to a domain used by the organisation.

Attribution trail

ESET attributed the campaign to Webworm after decrypting Discord messages used by EchoCreep for command and control. The messages led researchers to a GitHub repository containing staged tools, including the SoftEther VPN application.

Inside a SoftEther configuration file, researchers found an IP address that matched a known Webworm address. That link, combined with the group's tooling and infrastructure, formed the basis for the attribution.

Recovered commands from the server also offered a view of possible initial access methods, including the use of an open-source vulnerability scanner to identify and approach targets.

Eric Howard, malware researcher at ESET, described what the team found in the recovered server activity. "Through our analysis, we were fortunate enough to recover commands executed from a server that gave a view into the group's potential initial access techniques, using an open-source vulnerability scanner as well as identifying some of its focused targets," Howard said.

In separate comments, Howard also outlined the AWS finding. "Furthermore, during our investigation of the 2025 campaigns, we discovered that Webworm had started using its custom proxy solution WormFrp to retrieve configurations from a compromised AWS S3 bucket, a public cloud storage solution available in Amazon Web Services, with the S3 standing for simple storage service. It is apparent that through this S3 bucket, Webworm can leverage data exfiltration while an unsuspecting victim foots the bill for the service," he said.