Webworm
Webworm is a China-aligned APT group active since at least 2017. It is also tracked as Space Pirates and UAT-8302, and reporting notes links and tradecraft commonalities with FishMonger and SixLittleMonkeys; Symantec assessed that Webworm and Space Pirates are likely the same entity.

Webworm has targeted government agencies and enterprises, including organizations in the IT services, aerospace, and electric power sectors, with victims reported in Russia, Georgia, Mongolia, other Asian countries, and more recently Europe and South Africa. Reported 2025 targeting included government organizations in Belgium, Italy, Poland, Serbia, and Spain, as well as a university in South Africa; separate reporting also noted targeting of a Serbian government organization using SoftEther VPN.

Historically, Webworm developed customized versions of older RATs including Trochilus, Gh0st RAT, and 9002 RAT. Symantec described multi-stage delivery chains using DLL sideloading, staged shellcode, token theft from WINLOGON.EXE, CreateProcessAsUserW, UAC bypasses, file staging under C:\ProgramData\Logger, and final payload execution in memory. Modified Trochilus variants searched for configuration files under ProgramData, decompressed configuration data with LZW, injected into svchost.exe, and supported command execution and file download. Symantec also reported similarly structured droppers for modified Gh0st RAT and 9002 RAT, and stated that Webworm altered the 9002 RAT communication protocol and encryption details to evade detection.

More recent reporting indicates Webworm shifted away from traditional RATs toward legitimate, semi-legitimate, and custom proxy tooling. ESET reported that in 2025 the group introduced two new backdoors, EchoCreep and GraphWorm. EchoCreep uses Discord for command and control and supports file upload, runtime reporting, and command execution. GraphWorm uses the Microsoft Graph API and OneDrive for command and control, creates a separate OneDrive folder per victim, stages tasks and results in subfolders, persists via user logon and registry Run keys, and supports file transfer and shell command execution.

ESET also reported Webworm using custom proxy tools including WormFrp, ChainWorm, SmuxProxy, and WormSocket, alongside iox, frp, and SoftEther VPN. Reporting assessed that the breadth and complexity of these proxy tools suggest Webworm may be building a covert proxy network from compromised systems.

ESET reported that Webworm used a GitHub repository masquerading as a WordPress fork to stage malware and tools, and that WormFrp retrieved encrypted configuration from a compromised AWS S3 bucket that was also used for data exfiltration. Recovered operator activity showed reconnaissance and vulnerability scanning against more than 50 targets using tools such as dirsearch and nuclei, and reporting noted the presence of a SquirrelMail CVE-2017-7692 proof-of-concept exploit that may have supported initial access against a Serbian target. Public reporting also described Webworm backdoors abusing publicly available services such as Slack, Discord, and Microsoft Graph for command and control.
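The host-side behaviours described above (file staging under C:\ProgramData\Logger, Run-key persistence, a handle opened on WINLOGON.EXE from an unexpected process, and a remote thread created in svchost.exe) are all visible in Sysmon-style endpoint telemetry. The following is an added triage script, not part of the original reporting or any vendor's tooling: it runs a small set of heuristic rules over constructed Sysmon-like event records and then correlates hits per source image, so that one binary touching several stages of the chain stands out. The event records, the process paths, the allowlist of system images and the rule names are all assumptions made for the example.

```python
"""
Heuristic triage of Sysmon-style endpoint events for the Webworm host
behaviours summarised above.  Added example: the event records, paths and
allowlist below are constructed for illustration and are not indicators
taken from the reporting.
"""
from dataclasses import dataclass
from typing import Iterable

# Staging directory named in the Symantec reporting, and the registry
# fragment that implements the Run-key persistence ESET described.
STAGING_PREFIX = "c:\\programdata\\logger\\"
RUN_KEY_FRAGMENT = "\\currentversion\\run\\"

# Images that legitimately open winlogon.exe or touch svchost.exe.
# This allowlist is an assumption; tune it to your own estate.
KNOWN_SYSTEM_IMAGES = {
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\lsass.exe",
    "c:\\windows\\system32\\services.exe",
    "c:\\windows\\system32\\wininit.exe",
}


@dataclass(frozen=True)
class Finding:
    rule: str    # which heuristic fired
    image: str   # process responsible (lower-cased full path)
    detail: str  # the field that matched


def _lower(ev: dict, key: str) -> str:
    """Case-fold a string field so path comparisons are case-insensitive."""
    return str(ev.get(key, "")).lower()


def triage_events(events: Iterable[dict]) -> list[Finding]:
    """Apply the four heuristics; Sysmon EventIDs 8/10/11/13 are assumed."""
    findings: list[Finding] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 11 and _lower(ev, "TargetFilename").startswith(STAGING_PREFIX):
            # FileCreate under the staging directory from the reporting
            findings.append(Finding("file_staging_programdata_logger",
                                    _lower(ev, "Image"), _lower(ev, "TargetFilename")))
        elif eid == 13 and RUN_KEY_FRAGMENT in _lower(ev, "TargetObject"):
            # RegistryEvent (value set) on a Run key
            findings.append(Finding("run_key_persistence",
                                    _lower(ev, "Image"), _lower(ev, "TargetObject")))
        elif (eid == 10 and _lower(ev, "TargetImage").endswith("\\winlogon.exe")
              and _lower(ev, "SourceImage") not in KNOWN_SYSTEM_IMAGES):
            # ProcessAccess on winlogon.exe: a precondition for token theft
            findings.append(Finding("winlogon_handle_from_unexpected_process",
                                    _lower(ev, "SourceImage"), _lower(ev, "GrantedAccess")))
        elif (eid == 8 and _lower(ev, "TargetImage").endswith("\\svchost.exe")
              and _lower(ev, "SourceImage") not in KNOWN_SYSTEM_IMAGES):
            # CreateRemoteThread into svchost.exe: the injection target described
            findings.append(Finding("remote_thread_into_svchost",
                                    _lower(ev, "SourceImage"), _lower(ev, "StartAddress")))
    return findings


def correlate_by_image(findings: Iterable[Finding], min_rules: int = 2) -> dict[str, set[str]]:
    """Return images that triggered at least `min_rules` distinct heuristics.

    A single binary that stages files, opens winlogon.exe and injects into
    svchost.exe is a far stronger signal than any one of those events alone.
    """
    by_image: dict[str, set[str]] = {}
    for f in findings:
        by_image.setdefault(f.image, set()).add(f.rule)
    return {img: rules for img, rules in by_image.items() if len(rules) >= min_rules}


# Constructed sample telemetry: one suspicious chain plus benign noise.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "TargetFilename": "C:\\ProgramData\\Logger\\cfg.dat"},
    {"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Roaming\\sync.exe",
     "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDriveSync"},
    {"EventID": 10, "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "TargetImage": "C:\\Windows\\System32\\winlogon.exe", "GrantedAccess": "0x1400"},
    {"EventID": 8, "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "TargetImage": "C:\\Windows\\System32\\svchost.exe", "StartAddress": "0x00007FF6A1230000"},
    # benign: a system service writing elsewhere under ProgramData
    {"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows\\WER\\report.txt"},
    # benign: csrss.exe routinely holds a handle to winlogon.exe
    {"EventID": 10, "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\System32\\winlogon.exe", "GrantedAccess": "0x1fffff"},
]


if __name__ == "__main__":
    hits = triage_events(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h.rule:45s} {h.image}  ({h.detail})")
    for image, rules in correlate_by_image(hits).items():
        print(f"multi-stage chain candidate: {image} -> {sorted(rules)}")
```

Run on the sample above, the four heuristics fire once each and the correlation step singles out update.exe, which touched three separate stages; sync.exe, which only set a Run key, stays below the correlation threshold and would be reviewed on its own. In production the allowlist and the Run-key rule need tuning, since installers and legitimate sync clients also write Run keys.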
Tradecraft
54 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
18 malware families attributed to this actor across reporting.
13 additional families tracked in Mallory.
Associated vulnerabilities
1 CVE this actor has used in observed campaigns; it has been exploited in the wild.
Observables
52 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
14 sources tracked across advisories, community write-ups, and news.
Used legitimate platforms for command-and-control, deploying backdoors via Discord and the Microsoft Graph API.
Chinese state-linked group noted here for shared tradecraft and use of the Trochilus codebase alongside FishMonger and SixLittleMonkeys.
Chinese threat actor linked in the article through use of Trochilus and noted to share tradecraft commonalities with FishMonger and SixLittleMonkeys.
Cyber-espionage activity cluster active since at least 2017 that develops customized versions of older RATs and targets government agencies and enterprises in IT services, aerospace, and electric power sectors across Russia, Georgia, Mongolia, and other Asian countries.