Find notable cyber news and cases, enriched with sources, timelines, and signals.

Webworm expanded European government and South Africa university espionage campaign

Campaign
First reported
Last updated
Happening score
H score 24
1 unique sources, 1 articles

Summary

Hide ▲

Webworm expanded its 2025 espionage campaign into European government organizations and a university in South Africa, widening the cross-region targeting risk. The operation was observed across Belgium, Italy, Poland, Serbia, and Spain, with investigators describing the activity as semi-opportunistic. The group added EchoCreep and GraphWorm backdoors and used Discord, Microsoft Graph, and OneDrive for command and control and victim data handling. In one case, a SquirrelMail vulnerability was identified as a likely initial-access path.

Related Happenings

IronWorm npm supply-chain infection and self-propagation

Malware Activity
H score15 First: 04.06.2026 18:25 Last: 04.06.2026 18:25 Sources 1

About this happening: **IronWorm** is a **Rust** infostealer in a **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...

Webworm multi-country targeting campaign against government and enterprise victims

Campaign
H score38 First: 20.05.2026 15:51 Last: 20.05.2026 15:51 Sources 1

About this happening: **Webworm** is running a **multi-country targeting campaign** against **government agencies and enterprises**, expanding the risk of persistent access across several regions. The...

Webworm EchoCreep and GraphWorm backdoor expansion

Malware Activity
H score28 First: 20.05.2026 15:51 Last: 20.05.2026 15:51 Sources 1

About this happening: **Webworm** expanded its malware arsenal in **2025** with the custom backdoors **EchoCreep** and **GraphWorm**, increasing its ability to run stealthy **command-and-control** oper...

FamousSparrow multi-wave intrusion campaign against Azerbaijani oil and gas company

Campaign
H score39 First: 13.05.2026 16:00 Last: 13.05.2026 16:00 Sources 1

About this happening: A **China-affiliated** actor tracked as **FamousSparrow (UAT-9244)** ran a **multi-wave intrusion** against an **unnamed Azerbaijani oil and gas company** from **late December 202...

TA416 European government espionage campaign

Campaign
H score32 First: 01.04.2026 15:05 Last: 01.04.2026 15:05 Sources 1

About this happening: TA416 has resumed **cyber espionage** activity, targeting **European governments** and **EU/NATO diplomatic missions** with a renewed malware-delivery operation that raises cross-...

Latest development: 03.04.2026 20:34

TA416 expanded its espionage campaign to Middle Eastern government and diplomatic entities after the outbreak of the U.S.-Israel-Iran conflict in late February 2026, while linking to archives hosted on Google Drive or a compromised SharePoint instance to refine its PlugX delivery chain and collect regional intelligence.

Timeline

  1. 20.05.2026 14:30 2 articles · 1mo ago

    Webworm campaign disclosure on European and South African targets

    Initial Disclosure

    ESET researchers described China-linked Webworm as expanding in 2025 from Asia into government organizations in Belgium, Italy, Poland, Serbia and Spain, and as compromising a local university in South Africa. The assessment characterized the operation as semi-opportunistic, noted a likely SquirrelMail webmail service initial-access path in one Serbian case, and documented added backdoors and proxy tooling used to support espionage.

    Show sources