Webworm multi-country targeting campaign against government and enterprise victims
Campaign
Summary
Hide ▲
Show ▼
Webworm is running a multi-country targeting campaign against government agencies and enterprises, expanding the risk of persistent access across several regions. The operation has been active since at least 2022 and continued into 2025, with victims spanning IT services, aerospace, and electric power. Its shift toward stealthier tooling and custom backdoors makes the campaign harder to detect and disrupt.
Related Happenings
Webworm EchoCreep and GraphWorm backdoor expansion
Malware Activity
First: 20.05.2026 15:51
Last: 20.05.2026 15:51
Sources 1
How related:
"In 2025, Webworm also added two new backdoors to its toolset: EchoCreep, which uses Discord for C&C communication, and GraphWorm, which uses Microsoft Graph API for the same purpose."
About this happening:
**Webworm** expanded its malware arsenal in **2025** with the custom backdoors **EchoCreep** and **GraphWorm**, increasing its ability to run stealthy **command-and-control** oper...
Webworm EchoCreep and GraphWorm backdoor expansion
Malware ActivityHow related: "In 2025, Webworm also added two new backdoors to its toolset: EchoCreep, which uses Discord for C&C communication, and GraphWorm, which uses Microsoft Graph API for the same purpose."
About this happening: **Webworm** expanded its malware arsenal in **2025** with the custom backdoors **EchoCreep** and **GraphWorm**, increasing its ability to run stealthy **command-and-control** oper...
Webworm expanded European government and South Africa university espionage campaign
Campaign
First: 20.05.2026 14:30
Last: 20.05.2026 14:30
Sources 1
About this happening:
Webworm expanded its **2025 espionage campaign** into **European government organizations** and a **university in South Africa**, widening the cross-region targeting risk. The ope...
Webworm expanded European government and South Africa university espionage campaign
CampaignAbout this happening: Webworm expanded its **2025 espionage campaign** into **European government organizations** and a **university in South Africa**, widening the cross-region targeting risk. The ope...
GopherWhisper China-aligned APT campaign targeting Mongolian government institutions
Campaign
First: 23.04.2026 12:04
Last: 23.04.2026 12:04
Sources 1
About this happening:
The **GopherWhisper** campaign is a **China-aligned APT operation** targeting **Mongolian governmental institutions**, and it now appears to extend beyond a single compromise to *...
GopherWhisper China-aligned APT campaign targeting Mongolian government institutions
CampaignAbout this happening: The **GopherWhisper** campaign is a **China-aligned APT operation** targeting **Mongolian governmental institutions**, and it now appears to extend beyond a single compromise to *...
Mirax social media ad campaign targeting Spanish-speaking users
Campaign
First: 13.04.2026 17:30
Last: 13.04.2026 17:30
Sources 1
About this happening:
The **Mirax** distribution campaign is using **social media advertisements** and **fake IPTV or streaming apps** to reach **Spanish-speaking users** at scale, raising the risk of...
Mirax social media ad campaign targeting Spanish-speaking users
CampaignAbout this happening: The **Mirax** distribution campaign is using **social media advertisements** and **fake IPTV or streaming apps** to reach **Spanish-speaking users** at scale, raising the risk of...
Russia-linked DRILLAPP campaign targeting Ukrainian entities
Campaign
First: 16.03.2026 11:07
Last: 16.03.2026 11:07
Sources 1
About this happening:
A **Russia-linked** campaign is targeting **Ukrainian entities** with the **DRILLAPP** browser backdoor, expanding a covert operation that uses **judicial** and **charity-themed l...
Russia-linked DRILLAPP campaign targeting Ukrainian entities
CampaignAbout this happening: A **Russia-linked** campaign is targeting **Ukrainian entities** with the **DRILLAPP** browser backdoor, expanding a covert operation that uses **judicial** and **charity-themed l...
Timeline
-
20.05.2026 15:51 2 articles · 7d ago
Webworm multi-country targeting campaign against government and enterprise victims
Initial DisclosureThe campaign was first publicly documented in **September 2022** and was already assessed as active by that point. Early activity centered on **government agencies and enterprises** in **Russia**, **Georgia**, and **Mongolia**.
Show sources
- Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API — thehackernews.com — 20.05.2026 15:51
- Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API — thehackernews.com — 20.05.2026 15:51