Webworm
Webworm is a China-aligned APT group active since at least 2017 according to Symantec reporting, and since at least 2022 according to ESET reporting. It is tracked as Space Pirates and UAT-8302, and reporting links it to SixLittleMonkeys and FishMonger; Symantec assessed that Webworm and Space Pirates are likely the same entity. Webworm has targeted government agencies and enterprises, including organizations in the IT services, aerospace, and electric power sectors, with victims reported in Russia, Georgia, Mongolia, other Asian countries, and more recently Europe and South Africa. ESET observed 2025 targeting of government organizations in Belgium, Italy, Poland, Serbia, and Spain, and activity involving a local university in South Africa.

Webworm historically used customized versions of older RATs, including Trochilus, Gh0st RAT, and 9002 RAT/McRat. Symantec described multi-stage droppers using legitimate executables and malicious DLL side-loading, staged shellcode execution, token theft from WINLOGON.EXE, CreateProcessAsUserW, UAC bypass components, file copying into C:\ProgramData\Logger, and in-memory execution of a modified Trochilus variant that injected into svchost.exe and supported command execution and file download. Symantec also reported modified Gh0st RAT and 9002 RAT droppers, including protocol changes to 9002 RAT to evade detection.

More recent reporting shows a shift toward stealthier proxy and cloud-backed tooling. In 2025 Webworm introduced the backdoors EchoCreep and GraphWorm. EchoCreep is a Go-based backdoor that uses Discord for command and control and supports file upload, runtime reporting, and command execution. GraphWorm uses the Microsoft Graph API and OneDrive for command and control, creates per-victim OneDrive folders and subfolders for tasking and results, persists via logon execution and Windows Run keys, and supports file transfer and shell command execution.

Reporting also describes Webworm's use of the custom proxy tools WormFrp, ChainWorm, SmuxProxy, and WormSocket, alongside open-source tools such as frp, iox, and SoftEther VPN. ESET assessed that the breadth and complexity of this proxy tooling suggest Webworm may be building a covert proxy network from compromised systems. Observed tradecraft includes abuse of public services such as Discord, Microsoft Graph, OneDrive, Slack, and a compromised AWS S3 bucket for command and control, configuration retrieval, and likely exfiltration. ESET decrypted more than 400 Discord messages tied to Webworm C2 and identified reconnaissance against more than 50 targets. Reporting states that the group used dirsearch and nuclei for reconnaissance and vulnerability discovery, and that a LegalHackers CVE-2017-7692 SquirrelMail post-authentication RCE script was found and may have been used against a Serbian webmail target. Webworm also used an attacker-operated GitHub repository masquerading as a WordPress fork to stage malware and tools. ESET reported exfiltration to the compromised S3 bucket, including files stolen from government entities in Spain and virtual machine snapshots tied to an Italian government entity. Additional reporting ties Webworm to infrastructure and tooling overlaps with ShadowPad/SNAPPYBEE-related tracking, and one source explicitly lists cross-tracker associations to Space Pirates and ShadowPad/SNAPPYBEE.
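Two of the behaviours described above are directly visible in endpoint telemetry: Run-key persistence and staging under C:\ProgramData\Logger, and command and control over Microsoft Graph or Discord from a process that has no business talking to those services. The detection sketch below is an added example, not the page's or any vendor's rule set; the Sysmon-like field names (event_id, image, target_object, details, dest_host) and the allow-list of expected cloud clients are assumptions, and the sample records are constructed.

```python
# Persistence path named in the reporting (C:\ProgramData\Logger) and the
# Windows Run keys GraphWorm is reported to use; matching is case-insensitive.
STAGING_DIR = "c:\\programdata\\logger"
RUN_KEY_MARKER = "\\currentversion\\run\\"
# Cloud services the reporting ties to Webworm C2. They are used heavily for
# legitimate purposes, so the rule fires only for processes that are not expected
# clients of those services (an allow-list tuned per environment; assumed here).
C2_HOSTS = {"graph.microsoft.com", "discord.com"}
EXPECTED_CLIENTS = {"onedrive.exe", "teams.exe", "outlook.exe",
                    "msedge.exe", "chrome.exe", "firefox.exe", "discord.exe"}

def check_event(ev: dict) -> list[str]:
    """Return the names of the rules a single telemetry record matches."""
    hits = []
    image = ev.get("image", "").lower()
    # Registry value set (Sysmon event 13): a Run-key autostart that points
    # into the staging directory, or one written by a process running there.
    if ev.get("event_id") == 13 and RUN_KEY_MARKER in ev.get("target_object", "").lower():
        if STAGING_DIR in ev.get("details", "").lower():
            hits.append("run_key_to_programdata_logger")
        if STAGING_DIR in image:
            hits.append("run_key_written_from_programdata_logger")
    # Network connection (Sysmon event 3): Graph API or Discord traffic from
    # a process that is not a known client of those services.
    if ev.get("event_id") == 3 and ev.get("dest_host", "").lower() in C2_HOSTS:
        if image.rsplit("\\", 1)[-1] not in EXPECTED_CLIENTS:
            hits.append("cloud_c2_from_unexpected_process")
    return hits

def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map each rule that fired to the ids of the records that triggered it."""
    out: dict[str, list[str]] = {}
    for ev in events:
        for rule in check_event(ev):
            out.setdefault(rule, []).append(ev["id"])
    return out

# Constructed sample telemetry (field names are assumptions; these are not real IoCs).
SAMPLE_EVENTS = [
    {"id": "e1", "event_id": 13, "image": "C:\\ProgramData\\Logger\\upd.exe",
     "target_object": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "details": "C:\\ProgramData\\Logger\\upd.exe"},
    {"id": "e2", "event_id": 3, "image": "C:\\Users\\a\\AppData\\Roaming\\sync.exe",
     "dest_host": "graph.microsoft.com"},
    {"id": "e3", "event_id": 3, "image": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe",
     "dest_host": "graph.microsoft.com"},
    {"id": "e4", "event_id": 13, "image": "C:\\Windows\\explorer.exe",
     "target_object": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "details": "C:\\Users\\a\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"},
]
```

Records e3 and e4 are benign OneDrive activity and produce no hits, which is the point of pairing the host match with a process allow-list rather than alerting on Graph API traffic alone.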
Tradecraft
54 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
18 malware families attributed to this actor across reporting.
13 additional families tracked in Mallory.
Associated vulnerabilities
1 CVE this actor has used in observed campaigns; it has been exploited in the wild.
Observables
52 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
9 sources tracked across advisories, community write-ups, and news.
China-aligned espionage activity targeting government agencies and enterprises, using custom backdoors, RATs, proxy tooling, GitHub-hosted staging infrastructure, and stealthy C2 via Discord and Microsoft Graph API.
China-aligned espionage-focused threat group using new custom backdoors and proxy tooling. It has shifted from earlier tools like McRat and Trochilus to stealthier malware such as GraphWorm and EchoCreep, leveraging Microsoft OneDrive for command-and-control and targeting government and academic entities across Europe, Asia, and Africa.
China-aligned espionage group active since at least 2022 that evolved from using RATs/backdoors toward stealthier proxy tooling, while in 2025 deploying new backdoors using Discord and Microsoft Graph API for command-and-control. It stages tools in GitHub, abuses a compromised Amazon S3 bucket, scans targets with dirsearch and nuclei, and targeted government entities and a university.
China-aligned espionage group active since at least 2022, targeting government organizations and a university, expanding from Asia into Europe and South Africa, and using Discord-, Microsoft Graph-, and OneDrive-based backdoors plus proxy infrastructure and GitHub staging.