By Dark Reading
Publication Date: 2026-05-22 07:01:00
A China-backed persistent threat actor known as Webworm is targeting governmental organizations across Europe, and it’s using unusual command-and-control mechanisms to do so.
Security vendor ESET this week published research detailing recent activity surrounding Webworm, a China-aligned APT group first reported on in 2022. Although the group initially targeted organizations in Asia, ESET’s Eric Howard wrote that the threat actor has shifted its focus to Europe, including governmental organizations in Belgium, Italy, Serbia, Spain, and Poland. Additional activity in South Africa has also been detected.
The research predominantly covers Webworm’s activities between early 2024 and early 2025, as well as how its tactics, techniques, and procedures (TTPs) have evolved since 2022. The threat actor originally relied on well-known malware families like McRat and Trochilus, though it has more recently pivoted toward existing and custom proxy tools. In these cases, which were…