
Webworm APT expands operations with new backdoors and proxy toolkit targeting European governments

1 unique source, 1 article

Summary


The China-linked APT group Webworm has expanded its targeting to include governmental organizations in Europe, compromising entities in Belgium, Italy, Poland, Serbia, and Spain, alongside a university in South Africa. The group has introduced two new backdoors: EchoCreep, which uses Discord for C2, and GraphWorm, which uses Microsoft Graph API and OneDrive endpoints for command-and-control and data exfiltration. Initial access vectors include, in at least one confirmed case, exploitation of a vulnerability in the now-discontinued SquirrelMail webmail software. Webworm also employs a suite of custom proxy tools (WormFrp, ChainWorm, SmuxProxy, WormSocket) to expand its operational network, with ChainWorm specifically used to extend proxy infrastructure and WormFrp configured to retrieve configurations from an AWS S3 bucket.

Timeline

  1. 20.05.2026 14:30 1 article

    Webworm APT deploys new backdoors and proxy infrastructure targeting European governments

    Analysis of 2025 activity confirms Webworm’s expansion to governmental targets in Belgium, Italy, Poland, Serbia, and Spain, alongside a university in South Africa. Two new backdoors were deployed: EchoCreep (Discord-based C2) and GraphWorm (Microsoft Graph API and OneDrive C2). Initial access in Serbia is linked to exploitation of a SquirrelMail vulnerability. Custom proxy tools (WormFrp, ChainWorm, SmuxProxy, WormSocket) were used to expand operational networks, with ChainWorm extending proxy reach and WormFrp retrieving configurations from a compromised AWS S3 bucket for data exfiltration.


Information Snippets

  • Webworm compromised governmental organizations in Belgium, Italy, Poland, Serbia, and Spain, alongside a university in South Africa.

    First reported: 20.05.2026 14:30
    1 source, 1 article
  • Initial access in the Serbian campaign is linked to exploitation of a vulnerability in the now-discontinued SquirrelMail webmail service.

    First reported: 20.05.2026 14:30
    1 source, 1 article
  • Two new backdoors deployed: EchoCreep, using Discord for file uploads, runtime reports, and C2 commands; and GraphWorm, leveraging Microsoft Graph API and OneDrive endpoints for C2 communication and data exfiltration.

    First reported: 20.05.2026 14:30
    1 source, 1 article
  • Over 400 Discord messages were decrypted, revealing reconnaissance activity against more than 50 unique targets and leading to discovery of an attacker-operated server.

    First reported: 20.05.2026 14:30
    1 source, 1 article
  • Attackers used a custom proxy toolkit including WormFrp, ChainWorm, SmuxProxy, and WormSocket to expand operational infrastructure, with ChainWorm extending proxy networks and WormFrp retrieving configurations from an AWS S3 bucket.

    First reported: 20.05.2026 14:30
    1 source, 1 article
  • WormFrp was configured to pull configurations from a compromised AWS S3 bucket, enabling data exfiltration at the victim's expense.

    First reported: 20.05.2026 14:30
    1 source, 1 article