Webworm is a China-aligned APT group that has evolved its tactics since first being discovered in 2022, shifting focus from Asian targets to European governmental organizations. In 2025, the group deployed two new backdoors: EchoCreep, which uses Discord for command and control, and GraphWorm, which leverages Microsoft Graph API. Researchers decrypted over 400 Discord messages revealing four victims and analyzed a compromised Amazon S3 bucket used for data exfiltration. The group stages tools in GitHub repositories and uses multiple custom proxy solutions including WormFrp, ChainWorm, SmuxProxy, and WormSocket to create hidden networks. Webworm appears to exploit web vulnerabilities using tools like nuclei and dirsearch for initial access, targeting government entities and educational institutions across Europe and South Africa.