EXECUTIVE SUMMARY
A China-aligned APT group, known as Webworm, has been actively targeting organisations in various sectors across Asia and Europe since at least 2022. The group's primary goal appears to be data theft, with a focus on compromising governmental organisations and other high-profile targets. Webworm's tactics have evolved significantly over time, with the group adopting new tools and techniques to evade detection. In 2025, the group began using Discord-based and Microsoft Graph API-based backdoors, as well as custom proxy solutions to maintain persistence and lateral movement.
The malware infection begins with the compromise of a victim's system, typically through exploitation of vulnerabilities or phishing attacks. Once inside, the malware establishes persistence and begins to exfiltrate sensitive data, often using cloud storage services such as OneDrive. The attackers maintain control through the use of command and control (C2) servers, which are often hosted on cloud services operated by Vultr and IT7 Network. Webworm's tools and techniques are designed to be stealthy and difficult to detect, making it challenging for organisations to identify and respond to the threat.
The Webworm threat is significant due to its targeted nature and the potential for data theft. Organisations in high-profile sectors, such as government and finance, are particularly vulnerable to this threat. The group's use of custom proxy solutions and cloud storage services makes it difficult to detect and recover from the attack. To mitigate this risk, organisations should prioritise patching and monitoring, implement robust endpoint protection, and maintain regular backups to ensure business continuity.
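The monitoring recommended above has to account for the fact that Webworm's C2 and exfiltration traffic blends into legitimate cloud services (Discord, Microsoft Graph, OneDrive). The following hunting heuristic is an added example, not code or indicators from the ESET report: it flags connections to those services from processes that are not the expected client binaries. The log format, the hostnames assigned to each service, the process allowlist and the sample records are all constructed assumptions.

```python
"""Hunt for cloud-service C2 abuse in network-connection telemetry (added example)."""
from collections import Counter

# Legitimate cloud endpoints the report says Webworm abuses for C2/exfiltration.
# Which hostnames each service uses is an assumption for this example.
CLOUD_SERVICES = {
    "discord.com": "Discord",
    "gateway.discord.gg": "Discord",
    "graph.microsoft.com": "Microsoft Graph",
    "onedrive.live.com": "OneDrive",
}

# Binaries expected to contact each service on a managed Windows host.
# Assumed allowlist; tune to the environment (browsers, Office, sync clients).
EXPECTED_CLIENTS = {
    "Discord": {"discord.exe"},
    "Microsoft Graph": {"outlook.exe", "ms-teams.exe", "onedrive.exe", "msedge.exe"},
    "OneDrive": {"onedrive.exe", "msedge.exe"},
}

def parse_record(line):
    """Parse a constructed TSV record: timestamp, host, image_path, dest_host, dest_port."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None  # malformed or unrelated telemetry is skipped
    ts, host, image, dest, port = parts
    return {"ts": ts, "host": host, "image": image, "port": port,
            "exe": image.rsplit("\\", 1)[-1].lower(), "dest": dest.lower()}

def find_cloud_c2_suspects(lines):
    """Return records where a non-allowlisted process contacts an abused cloud service."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["dest"] not in CLOUD_SERVICES:
            continue
        service = CLOUD_SERVICES[rec["dest"]]
        if rec["exe"] not in EXPECTED_CLIENTS[service]:
            findings.append({**rec, "service": service})
    return findings

def suspects_per_host(findings):
    """Count suspect connections per host; repeated hits from one host suggest beaconing."""
    return Counter(f["host"] for f in findings)

SAMPLE_LOG = [  # constructed records, not indicators from the report
    "2025-03-01T08:00:01Z\tWS01\tC:\\Users\\alice\\AppData\\Local\\Discord\\Discord.exe\tdiscord.com\t443",
    "2025-03-01T08:00:05Z\tWS01\tC:\\Users\\alice\\AppData\\Roaming\\svchost.exe\tdiscord.com\t443",
    "2025-03-01T08:01:10Z\tWS02\tC:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\tgraph.microsoft.com\t443",
    "2025-03-01T08:02:30Z\tWS02\tC:\\Windows\\Temp\\update.exe\tgraph.microsoft.com\t443",
    "2025-03-01T08:02:45Z\tWS02\tC:\\Windows\\Temp\\update.exe\tonedrive.live.com\t443",
    "2025-03-01T08:05:00Z\tWS03\tC:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\texample.com\t443",
]

if __name__ == "__main__":
    hits = find_cloud_c2_suspects(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['host']} {h['exe']} -> {h['dest']} ({h['service']})")
    print(dict(suspects_per_host(hits)))
```

A name-based allowlist can be evaded by renaming a binary, so in practice pair this check with signer or hash verification of the image and with volume baselines for each service.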
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Resource Development | T1583.001 | Acquire Infrastructure | Domains |
| Resource Development | T1588.001 | Obtain Capabilities | Malware |
| Initial Access | T1190 | Exploit Public-Facing Application | — |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Persistence | T1053.005 | Scheduled Task/Job | Scheduled Task |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Collection | T1119 | Automated Collection | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1090.003 | Proxy | Multi-hop Proxy |
| Exfiltration | T1048.003 | Exfiltration Over Alternative Protocol | Exfiltration Over Unencrypted Non-C2 Protocol |
REFERENCES:
The following report contains further technical details:
https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques/