Symantec, by Broadcom Software, has gained insight into the current activities of a group we call Webworm. The group has developed customized versions of three older remote access Trojans (RATs): Trochilus, Gh0st RAT, and 9002 RAT. At least one of the indicators of compromise (IOCs) observed by Symantec was used in an attack against an IT service provider operating in multiple Asian countries, while the others appear to be in pre-deployment or testing stages.
The group Symantec tracks as Webworm has links to a group dubbed Space Pirates, which was previously documented in a May 2022 report from Positive Technologies. It is likely that the two groups are one and the same.
Active since at least 2017, Webworm has been known to target government agencies and enterprises involved in IT services, aerospace, and electric power industries located in Russia, Georgia, Mongolia, and a number of other Asian countries.