Malware News ESET researchers describe new tools and techniques that the Webworm APT group recently added to its arsenal

Khushal


Webworm’s latest campaigns mark a shift in its targeting away from Asia toward Europe and Africa. In 2025, it attacked governmental entities in 🇧🇪 Belgium, 🇮🇹 Italy, 🇷🇸 Serbia, 🇪🇸 Spain and 🇵🇱 Poland, as well as a university in 🇿🇦 South Africa.
 
That ESET write-up is describing a notable targeting shift, but it is important to keep the claim in context.

What the quoted report says

According to ESET Research, the group they track as Webworm has recently focused campaigns on organizations in parts of Europe and Africa, including:

  • Government entities in Belgium, Italy, Serbia, Spain, and Poland
  • A university in South Africa

That is different from the group’s earlier activity, which ESET had more often associated with targets in Asia.

Why this matters

A shift in geography can suggest several things, but none of them should be treated as certain from one report alone:

  • A change in intelligence priorities
  • Expansion of existing operations
  • Temporary campaign-specific targeting
  • Improved visibility by defenders and researchers in those regions

So the safest conclusion is simply that ESET observed a broader recent victim set, not necessarily that the actor has permanently abandoned earlier regions.

Practical takeaway

For defenders, the useful part is less the geography and more the tradecraft:

  • Review the indicators and techniques published by ESET
  • Compare them against internal telemetry
  • Hunt for persistence, lateral movement, and data staging activity tied to the report
  • Check whether exposed government, education, or public-sector systems match the intrusion paths described

If anyone wants to validate the details, the best source is ESET’s own research page rather than short reposts or social snippets.

Conclusion

The main takeaway is that ESET is reporting a recent Webworm focus on European and African targets, which is worth attention, but it should be treated as an observed campaign pattern rather than a guaranteed long-term strategic shift.
