
China's Webworm Uses Discord, Microsoft Graphs to Hack EU Govts.

Why This Matters

The Webworm threat group's evolving tactics, including the use of legitimate tools like Discord and Microsoft Graph APIs for command-and-control, highlight the increasing sophistication of state-sponsored cyber espionage. This shift poses significant challenges for cybersecurity defenses, especially for government organizations, emphasizing the need for advanced detection strategies. The move to stealthier methods underscores the importance of continuous vigilance and adaptive security measures in protecting critical infrastructure.

Key Takeaways

A China-backed persistent threat actor known as Webworm is targeting governmental organizations across Europe, and it's using unusual command-and-control mechanisms to do so.

Security vendor ESET this week published research detailing recent activity surrounding Webworm, a China-aligned APT group first reported on in 2022. Although the group initially began targeting organizations in Asia, ESET's Eric Howard wrote that the threat actor has shifted its focus to Europe, including governmental organizations in Belgium, Italy, Serbia, Spain, and Poland. Additional activity in South Africa has also been detected.

The research predominantly covers Webworm's activities between early 2024 and early 2025, as well as how its tactics, techniques, and procedures (TTPs) have evolved since 2022. The threat actor originally relied on well-known malware families like McRat and Trochilus, though it has more recently pivoted toward existing and custom proxy tools. In these cases, which were mainly observed in 2024, Webworm relied on "legitimate or semi-legitimate tools, such as SOCKS proxies (SoftEther VPN) and other networking solutions."


The downside to a lot of conventional, well-known malware is that it generally has signatures, artifacts, and traffic patterns that are easy for defenders to detect. Proxy tools, by contrast, are network tunneling tools that act as a middleman between victim and attacker. They are often more manual, require the attacker to bring their own tooling, and are generally much stealthier than a typical backdoor.

In 2025, however, Webworm introduced two new backdoors to its repertoire. One is EchoCreep, which uses the popular chat application Discord to facilitate command and control (C2). The other is GraphWorm, which relies on the Microsoft Graph API for C2. ESET also observed Webworm staging malware and tools in GitHub repositories so the attackers can easily download malware onto the victim's machine.
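Because these backdoors hide in traffic to services many organizations already allow, one practical detection angle is to check which process is talking to them. The following is an added illustration, not ESET's code or any vendor's rule: it scans constructed proxy-log lines (the log format and the per-service client allowlist are assumptions) and flags processes that reach Discord, Microsoft Graph, or GitHub without being a client expected to do so.

```python
"""Flag unexpected clients of the services the article names as Webworm C2
and staging channels. Constructed example; the log format and the allowlist
below are assumptions for illustration, not a shipped detection rule."""
import re
from collections import Counter, namedtuple

Hit = namedtuple("Hit", "host process dest reason")

# Services named in the article, mapped to the processes that legitimately
# reach them on a hypothetical workstation build (assumed allowlist).
EXPECTED_CLIENTS = {
    "discord.com": {"discord.exe"},
    "gateway.discord.gg": {"discord.exe"},
    "graph.microsoft.com": {"outlook.exe", "teams.exe", "onedrive.exe"},
    "api.github.com": {"git.exe"},
    "raw.githubusercontent.com": {"git.exe"},
}

# Assumed proxy-log line: <timestamp> <host> <process> <dest_host> <bytes_out>
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

# Constructed sample log for demonstration.
SAMPLE_LOG = """\
2025-03-04T09:12:01Z WS-EU-17 discord.exe discord.com 812
2025-03-04T09:12:07Z WS-EU-17 svchost.exe discord.com 4120
2025-03-04T09:13:22Z WS-EU-17 svchost.exe raw.githubusercontent.com 0
2025-03-04T09:14:05Z WS-EU-09 outlook.exe graph.microsoft.com 2048
2025-03-04T09:14:40Z WS-EU-09 wmiprvse.exe graph.microsoft.com 9731
this line is malformed and is skipped
"""

def parse_line(line):
    """Return (ts, host, process, dest, bytes_out) or None for a bad line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, dest, out = m.groups()
    return ts, host, proc.lower(), dest.lower(), int(out)

def scan(text):
    """Yield one Hit per line where a non-allowlisted process reaches a
    watched service; a process seen on two or more watched services (e.g.
    GitHub staging plus Discord C2) is also noted in its reason."""
    hits, seen = [], Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, host, proc, dest, _ = rec
        allowed = EXPECTED_CLIENTS.get(dest)
        if allowed is None or proc in allowed:
            continue
        seen[(host, proc)] += 1
        extra = " (multiple watched services)" if seen[(host, proc)] > 1 else ""
        hits.append(Hit(host, proc, dest, f"unexpected client for {dest}{extra}"))
    return hits

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h)
```

In production this check would sit on top of a baseline of which processes normally use each service, and the allowlist would be per environment rather than hard-coded.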

Webworm's Discord and Microsoft Graph C2

Webworm continues the trend of threat actors using novel approaches to facilitate C2. Creative C2 approaches seen over the last year or two include Google Calendar and the Solana blockchain.

ESET made its attribution based on its work decrypting Discord messages used by EchoCreep for C2, which ultimately led to a GitHub repository and the discovery of an IP address that matches a "known Webworm IP," Howard wrote.

The research mainly covers Webworm's 2025 activities, when it apparently abandoned Trochilus and McRat in favor of the new backdoors. The Chinese APT continues to use proxy solutions for encrypting communications as well as to support chaining between hosts internally and externally to a network. These proxy solutions include port forwarding and proxy tool iox as well as custom tools ChainWorm, SmuxProxy, WormFrp, and WormSocket.
