ctipilot.ch

Webworm (China-aligned; FishMonger / Aquatic Panda) — pivots to EU government targets

From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18

ESET documented Webworm's 2025–2026 pivot to European government victims (Belgian, Italian, Serbian, Polish and Spanish governmental organisations), deploying EchoCreep (Discord-based C2) and GraphWorm (Microsoft Graph / OneDrive C2) backdoors (daily 2026-05-21). The use of Graph/OneDrive as C2 is the defender-relevant shift — it blends with legitimate M365 traffic. Hunt for anomalous Graph API usage patterns and Discord egress from server subnets that have no business reason to reach either.
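The hunt suggested above, sketched as an added example (not taken from ESET's report or from this brief): a pass over web-proxy logs that flags server-subnet hosts reaching Microsoft Graph or Discord without a recorded business reason. The log format, server subnet, allowlist and sample lines are constructed assumptions; the hostname suffixes are the public Graph and Discord domains.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumed inventory for illustration; replace with your own CMDB data.
SERVER_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]
APPROVED = {("10.20.5.10", "graph")}  # e.g. a backup job that legitimately calls Graph
SERVICE_SUFFIXES = {
    "graph": ("graph.microsoft.com",),
    "discord": ("discord.com", "discordapp.com", "discord.gg", "discord.media"),
}

# Constructed sample proxy log: timestamp,src_ip,dest_host,bytes_out
SAMPLE_LOG = """\
2026-05-20T02:11:04Z,10.20.5.10,graph.microsoft.com,18234
2026-05-20T02:14:37Z,10.20.7.44,graph.microsoft.com,5120
2026-05-20T02:14:52Z,10.20.7.44,graph.microsoft.com,904211
2026-05-20T03:01:10Z,10.20.9.3,gateway.discord.gg,2210
2026-05-20T03:01:15Z,10.20.9.3,cdn.discordapp.com,1500
2026-05-20T09:30:00Z,10.50.1.23,discord.com,800
2026-05-20T09:31:00Z,10.20.7.44,graph.microsoft.com.example.net,64
"""

def classify(host):
    """Map a hostname to 'graph' or 'discord' by exact or dot-boundary suffix match."""
    host = host.lower().rstrip(".")
    for service, suffixes in SERVICE_SUFFIXES.items():
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return service
    return None

def hunt(log_text):
    """Return {(src_ip, service): totals} for unapproved server-subnet egress."""
    hits = defaultdict(lambda: {"requests": 0, "bytes_out": 0})
    for _ts, src, host, bytes_out in csv.reader(io.StringIO(log_text)):
        service = classify(host)
        if service is None or (src, service) in APPROVED:
            continue
        ip = ipaddress.ip_address(src)
        if not any(ip in net for net in SERVER_SUBNETS):
            continue  # workstation subnets are out of scope for this hunt
        hits[(src, service)]["requests"] += 1
        hits[(src, service)]["bytes_out"] += int(bytes_out)
    return dict(hits)

if __name__ == "__main__":
    for (src, service), totals in sorted(hunt(SAMPLE_LOG).items()):
        print(src, service, totals)
```

Outbound byte totals are kept per source because a server that uploads heavily to Graph stands out more than one that only polls it.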