HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Chinese-Linked Webworm APT Deploys New Backdoors Against European Government Agencies

ESET reports that the China‑aligned Webworm APT introduced two novel backdoors—EchoCreep and GraphWorm—and used Discord, Microsoft Graph, and compromised AWS S3 buckets to infiltrate and exfiltrate data from government bodies across Belgium, Italy, Poland, Serbia, Spain and South Africa. The campaign highlights the growing threat of state‑sponsored espionage leveraging legitimate cloud services.

LiveThreat™ Intelligence · 📅 May 20, 2026· 📰 helpnetsecurity.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
helpnetsecurity.com

Webworm APT Deploys New Backdoors Targeting European Government Agencies

What Happened – ESET uncovered that the China‑aligned Webworm APT (aka Space Pirates/UAT‑8302) introduced two novel backdoors, EchoCreep and GraphWorm, and used a blend of Discord, Microsoft Graph, and compromised cloud services to infiltrate and exfiltrate data from government entities in Belgium, Italy, Poland, Serbia, Spain and South‑Africa during 2025‑2026.

Why It Matters for TPRM

  • State‑level actors are expanding into Europe, raising the risk profile of public‑sector suppliers.
  • The use of legitimate cloud and collaboration platforms (GitHub, OneDrive, AWS S3) complicates detection and supply‑chain vetting.
  • Persistent backdoors enable long‑term espionage and data theft, potentially exposing sensitive citizen and policy data.

Who Is Affected – Government ministries, public‑sector agencies, and any third‑party vendors that host or process data for these entities (e.g., cloud providers, SaaS collaboration tools).

Recommended Actions

  • Review contracts and security attestations for any government‑related vendors, especially those using cloud storage, VPN, or collaboration services.
  • Verify that vendors employ robust C&C monitoring, network segmentation, and zero‑trust controls for third‑party access.
  • Conduct threat‑intel‑driven assessments to confirm no lingering Webworm artifacts in your environment.

Technical Notes – The campaign leveraged open‑source vulnerability scanners for initial access, deployed custom proxy tools (WormFrp, ChainWorm, SmuxProxy, WormSocket), and stored staged malware on a GitHub repo. EchoCreep communicated via Discord; GraphWorm abused Microsoft Graph API/OneDrive for command‑and‑control and data exfiltration through a compromised AWS S3 bucket. Source: Help Net Security

📰 Original Source
https://www.helpnetsecurity.com/2026/05/20/webworm-apt-campaign-targets-europe/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

Data exposure is where consent and DSAR readiness get tested.

When personal data leaks, regulators ask what consent you held and how fast you can answer a subject request. The Verisq AI Trust Operations platform, with CookiePLUS, keeps that posture audit-ready under GDPR and CCPA.

Explore the Verisq AI Trust Operations platform →