Webworm APT Deploys New Backdoors Targeting European Government Agencies
What Happened – ESET uncovered that the China‑aligned Webworm APT (aka Space Pirates/UAT‑8302) introduced two novel backdoors, EchoCreep and GraphWorm, and used a blend of Discord, Microsoft Graph, and compromised cloud services to infiltrate and exfiltrate data from government entities in Belgium, Italy, Poland, Serbia, Spain and South‑Africa during 2025‑2026.
Why It Matters for TPRM –
- State‑level actors are expanding into Europe, raising the risk profile of public‑sector suppliers.
- The use of legitimate cloud and collaboration platforms (GitHub, OneDrive, AWS S3) complicates detection and supply‑chain vetting.
- Persistent backdoors enable long‑term espionage and data theft, potentially exposing sensitive citizen and policy data.
Who Is Affected – Government ministries, public‑sector agencies, and any third‑party vendors that host or process data for these entities (e.g., cloud providers, SaaS collaboration tools).
Recommended Actions –
- Review contracts and security attestations for any government‑related vendors, especially those using cloud storage, VPN, or collaboration services.
- Verify that vendors employ robust C&C monitoring, network segmentation, and zero‑trust controls for third‑party access.
- Conduct threat‑intel‑driven assessments to confirm no lingering Webworm artifacts in your environment.
Technical Notes – The campaign leveraged open‑source vulnerability scanners for initial access, deployed custom proxy tools (WormFrp, ChainWorm, SmuxProxy, WormSocket), and stored staged malware on a GitHub repo. EchoCreep communicated via Discord; GraphWorm abused Microsoft Graph API/OneDrive for command‑and‑control and data exfiltration through a compromised AWS S3 bucket. Source: Help Net Security