Webworm expanded European government and South Africa university espionage campaign

Campaign
Happening score
H score 36
1 unique source, 1 article

Summary

Webworm expanded its 2025 espionage campaign into European government organizations and a university in South Africa, widening the cross-region targeting risk. The operation was observed across Belgium, Italy, Poland, Serbia, and Spain, with investigators describing the activity as semi-opportunistic. The group added EchoCreep and GraphWorm backdoors and used Discord, Microsoft Graph, and OneDrive for command and control and victim data handling. In one case, a SquirrelMail vulnerability was identified as a likely initial-access path.

Related Happenings

Webworm multi-country targeting campaign against government and enterprise victims

Campaign
First: 20.05.2026 15:51 Last: 20.05.2026 15:51 Sources 1

About this happening: **Webworm** is running a **multi-country targeting campaign** against **government agencies and enterprises**, expanding the risk of persistent access across several regions. The...

Webworm EchoCreep and GraphWorm backdoor expansion

Malware Activity
First: 20.05.2026 15:51 Last: 20.05.2026 15:51 Sources 1

About this happening: **Webworm** expanded its malware arsenal in **2025** with the custom backdoors **EchoCreep** and **GraphWorm**, increasing its ability to run stealthy **command-and-control** oper...

FamousSparrow multi-wave intrusion campaign against Azerbaijani oil and gas company

Campaign
First: 13.05.2026 16:00 Last: 13.05.2026 16:00 Sources 1

About this happening: A **China-affiliated** actor tracked as **FamousSparrow (UAT-9244)** ran a **multi-wave intrusion** against an **unnamed Azerbaijani oil and gas company** from **late December 202...

TA416 European government espionage campaign

Campaign
First: 01.04.2026 15:05 Last: 01.04.2026 15:05 Sources 1

About this happening: TA416 has resumed **cyber espionage** activity, targeting **European governments** and **EU/NATO diplomatic missions** with a renewed malware-delivery operation that raises cross-...

Latest development: 03.04.2026 20:34

TA416 expanded its espionage campaign to Middle Eastern government and diplomatic entities after the outbreak of the U.S.-Israel-Iran conflict in late February 2026, while linking to archives hosted on Google Drive or a compromised SharePoint instance to refine its PlugX delivery chain and collect regional intelligence.

UAC-0050 spear-phishing campaign targeting European financial institutions

Campaign
First: 24.02.2026 16:21 Last: 24.02.2026 16:21 Sources 1

About this happening: The **UAC-0050** spear-phishing operation targeted a **European financial institution**, raising concern that the actor is extending its reach beyond **Ukraine** into **Western Eu...

Timeline

  1. 20.05.2026 14:30 2 articles · 7d ago

    Webworm campaign disclosure on European and South African targets

    Initial Disclosure

    ESET researchers described China-linked Webworm as expanding in 2025 from Asia into government organizations in Belgium, Italy, Poland, Serbia and Spain, and as compromising a local university in South Africa. The assessment characterized the operation as semi-opportunistic, noted a likely SquirrelMail webmail service initial-access path in one Serbian case, and documented added backdoors and proxy tooling used to support espionage.
