China-backed APT group Webworm targeted governmental organizations in Europe, including Belgium, Italy, Serbia, Spain, and Poland, between early 2024 and early 2025. The group used the custom backdoors EchoCreep and GraphWorm for command and control over Discord and the Microsoft Graph API, along with SOCKS proxies like SoftEther VPN for stealthy communication and espionage.
Reconnaissance
Vulnerability Scanning (likely)
Webworm utilized open-source vulnerability scanners to scrape web server files and directories, identifying potential bugs and weaknesses within target networks.
Defender cut points
Implement regular vulnerability scanning and patch management programs
Deploy Web Application Firewalls (WAFs) to protect public-facing applications
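Scanners that enumerate web server files and directories, as described above, leave a characteristic trail of many 404 responses for distinct paths from one source in a short window. The following detection logic is an added example, not code from the original report: it parses constructed combined-format access log lines (sample data, not real traffic) and flags source IPs that request at least five distinct non-existent paths within sixty seconds; the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache/nginx combined log format (not real data).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:14:01:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2025:14:01:02 +0000] "GET /.git/config HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2025:14:01:02 +0000] "GET /backup.zip HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2025:14:01:03 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2025:14:01:03 +0000] "GET /phpinfo.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2025:14:01:04 +0000] "GET /.env HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2025:14:01:04 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:14:01:05 +0000] "GET /missing.png HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Parse one combined-format line; return None when it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d

def find_enumeration(log_text, window_seconds=60, min_distinct_404=5):
    """Return {ip: all 404 paths} for sources hitting >= min_distinct_404 distinct missing paths in a window."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            per_ip[rec["ip"]].append(rec)
    hits = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0  # sliding window over this source's 404s, ordered by time
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if len({r["path"] for r in recs[start:end + 1]}) >= min_distinct_404:
                hits[ip] = sorted({r["path"] for r in recs})
                break
    return hits
```

A single 404 from an ordinary visitor (the second source above) stays below the threshold, while the enumerating source is reported with the full list of probed paths for triage.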