ESET uncovers the expanded arsenal of China-aligned Webworm; European governments targeted
ESET researchers have uncovered an expansion in the operations of Webworm, a China-aligned advanced persistent threat (APT) group that has shifted its focus from Asian targets to European government organizations. The cybersecurity firm's analysis of the group's 2025 activity reveals successful compromises of government entities across Belgium, Italy, Poland, Serbia, and Spain, as well as an expansion into South Africa, where the group breached a local university. ESET's investigation shows how Webworm has evolved its tactics to leverage popular cloud services for command and control (C&C). Since 2024, the threat actors have deployed backdoors that abuse the Discord messaging platform and the Microsoft Graph API for C&C communications, allowing them to blend malicious traffic with legitimate cloud service usage. During the analysis, the researchers decrypted more than 400 Discord messages, uncovering evidence of attacker-controlled server infrastructure used for reconnaissance against over 50 unique organizations.
Why It Matters
This discovery highlights the evolving sophistication of state-aligned threat actors, who are increasingly leveraging legitimate cloud services to evade detection while widening their geographic targeting. The shift from traditional C&C infrastructure to popular platforms such as Discord and the Microsoft Graph API poses a significant challenge for security teams, because blocking these services outright could disrupt legitimate business operations; detection instead has to rely on distinguishing anomalous use of these services (for example, unexpected processes or accounts calling them) from normal traffic. The targeting of European government organizations also underscores the geopolitical stakes of cyber espionage and the need for stronger security measures in critical government infrastructure.
This summary is generated using AI analysis of the original press release. Always refer to the original source for complete details.