Chinese APT Deploys EggStreme Fileless Malware to Breach Philippine Military Systems

Posted on September 10, 2025 by CWS

Sep 10, 2025Ravie LakshmananCybersecurity / Malware
A complicated persistent menace (APT) group from China has been attributed to the compromise of a Philippines-based army firm utilizing a beforehand undocumented fileless malware framework referred to as EggStreme.
“This multi-stage toolset achieves persistent, low-profile espionage by injecting malicious code immediately into reminiscence and leveraging DLL sideloading to execute payloads,” Bitdefender researcher Bogdan Zavadovschi mentioned in a report shared with The Hacker Information.
“The core part, EggStremeAgent, is a full-featured backdoor that permits in depth system reconnaissance, lateral motion, and knowledge theft through an injected keylogger.”
The focusing on of the Philippines is one thing of a recurring sample for Chinese language state-sponsored hacking teams, notably in gentle of geopolitical tensions fueled by territorial disputes within the South China Sea between China, Vietnam, the Philippines, Taiwan, Malaysia, and Brunei.

The Romanian cybersecurity vendor, which first detected signs of malicious activity in early 2024, described EggStreme as a tightly integrated set of malicious components engineered to establish a "resilient foothold" on infected machines.
The starting point of the multi-stage operation is a payload called EggStremeFuel ("mscorsvc.dll") that conducts system profiling and deploys EggStremeLoader to set up persistence, then executes EggStremeReflectiveLoader, which in turn triggers EggStremeAgent.

EggStremeFuel's functions are exposed over an active communication channel with a command-and-control (C2) server, enabling the operator to:

Get drive information
Start cmd.exe and establish communication with it via pipes
Gracefully close all connections and shut down
Read a file from the server and save it to disk
Read a local file from a given path and transmit its contents
Send the external IP address, obtained by making a request to myexternalip[.]com/raw
Dump the in-memory configuration to disk

Calling EggStremeAgent the "central nervous system" of the framework, Bitdefender said the backdoor monitors for new user sessions and injects a keylogger component dubbed EggStremeKeylogger into each one to harvest keystrokes and other sensitive data. It communicates with its C2 server using the Google Remote Procedure Call (gRPC) protocol.

It supports 58 commands that cover local and network discovery, system enumeration, arbitrary shellcode execution, privilege escalation, lateral movement, data exfiltration, and payload injection, including deployment of an auxiliary implant codenamed EggStremeWizard ("xwizards.dll").
"The attackers use this to launch a legitimate binary that sideloads the malicious DLL, a technique they consistently abuse throughout the attack chain," Zavadovschi noted.

"This secondary backdoor provides reverse shell access and file upload/download capabilities. Its design also incorporates a list of multiple C2 servers, enhancing its resilience and ensuring that communication with the attacker can be maintained even if one C2 server is taken offline."
The activity is also characterized by the use of the Stowaway proxy utility to establish an internal network foothold. Complicating detection further is the fileless design of the framework: the later-stage payloads are loaded and executed directly in memory rather than written to disk, so the side-loaded loader DLLs (such as mscorsvc.dll and xwizards.dll) and the legitimate binaries that load them are the main on-disk footprint defenders have to work with.
"This, coupled with the heavy use of DLL side-loading and the sophisticated, multi-stage execution flow, allows the framework to operate with a low profile, making it a significant and persistent threat," Bitdefender said.
"The EggStreme malware family is a highly sophisticated and multi-component threat designed to achieve persistent access, lateral movement, and data exfiltration. The threat actor demonstrates an advanced understanding of modern defensive techniques by employing a variety of tactics to evade detection."
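Two traces in the report are directly huntable: a legitimate host binary side-loading a DLL that carries a system-style name (mscorsvc.dll, xwizards.dll) from a directory outside the Windows tree, and EggStremeFuel's external-IP lookup to myexternalip[.]com. The script below is an example added to this page, not code from the report or from Bitdefender; it runs both checks over constructed Sysmon-style ImageLoad (event 7) and DnsQuery (event 22) records and then correlates hits by host process. The sample events, every path in them, the field names, and the assumption that the Windows directory is the only expected source for the watched DLL names are all constructed for the example; the watched-name set is meant to be extended with whatever other DLLs your telemetry shows loaded from user-writable directories beside their host EXE.

```python
"""Hunt for two EggStreme signals over constructed Sysmon-style events:
a watched DLL name side-loaded from outside the Windows directory, and
an external-IP lookup to myexternalip[.]com. Example code added to this
page; it is not Bitdefender's tooling and the telemetry is made up."""
import json

# Seed names taken from the report (EggStremeFuel = mscorsvc.dll,
# EggStremeWizard = xwizards.dll). Extend with other DLL names seen
# loaded from user-writable paths in your own environment.
WATCHED_DLLS = {"mscorsvc.dll", "xwizards.dll"}
# Assumption for this example: loads from under the Windows directory
# are expected; the legitimate home of each watched DLL is not asserted.
TRUSTED_PREFIX = "c:\\windows\\"
EXTERNAL_IP_HOSTS = {"myexternalip.com"}

# Constructed sample telemetry shaped like Sysmon event 7 (ImageLoad)
# and event 22 (DnsQuery); none of these paths come from the report.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\mscorsvc.dll", "Signed": "true"},
    {"EventID": 7, "Image": "C:\\ProgramData\\Updater\\updater.exe",
     "ImageLoaded": "C:\\ProgramData\\Updater\\mscorsvc.dll", "Signed": "false"},
    {"EventID": 7, "Image": "C:\\Users\\Public\\Tools\\wizard.exe",
     "ImageLoaded": "C:\\Users\\Public\\Tools\\xwizards.dll", "Signed": "false"},
    {"EventID": 22, "Image": "C:\\Users\\Public\\Tools\\wizard.exe",
     "QueryName": "myexternalip.com"},
    {"EventID": 22, "Image": "C:\\Program Files\\Browser\\browser.exe",
     "QueryName": "example.com"},
]


def _norm(path: str) -> str:
    """Lower-case and use backslashes so prefix/basename checks are uniform."""
    return path.replace("/", "\\").lower()


def find_sideload_candidates(events, watched_dlls=WATCHED_DLLS,
                             trusted_prefix=TRUSTED_PREFIX):
    """Flag ImageLoad events where a watched DLL name is loaded from a path
    outside the trusted prefix. The side-loading hallmark is the host EXE
    and the DLL sitting in the same (usually user-writable) directory, so
    that is recorded alongside the signature flag Sysmon provides."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        loaded = _norm(ev.get("ImageLoaded", ""))
        dll_dir, _, dll_name = loaded.rpartition("\\")
        if dll_name not in watched_dlls or loaded.startswith(trusted_prefix):
            continue
        host = _norm(ev.get("Image", ""))
        hits.append({
            "rule": "dll_sideload",
            "image": ev.get("Image"),
            "dll": ev.get("ImageLoaded"),
            "same_dir_as_host": host.rpartition("\\")[0] == dll_dir,
            "signed": str(ev.get("Signed", "")).lower() == "true",
        })
    return hits


def find_external_ip_lookups(events, hosts=EXTERNAL_IP_HOSTS):
    """Flag DnsQuery events for the external-IP service named in the
    report (EggStremeFuel requests myexternalip[.]com/raw)."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 22:
            continue
        query = str(ev.get("QueryName", "")).lower().rstrip(".")
        if query in hosts or any(query.endswith("." + h) for h in hosts):
            hits.append({"rule": "external_ip_lookup",
                         "image": ev.get("Image"), "query": query})
    return hits


def hunt(events):
    """Run both rules and return the combined findings."""
    return find_sideload_candidates(events) + find_external_ip_lookups(events)


def correlate_by_image(findings):
    """Group findings by host process so a process that both side-loaded a
    watched DLL and looked up its external IP stands out from single hits."""
    by_image = {}
    for f in findings:
        by_image.setdefault(f["image"], set()).add(f["rule"])
    return {img: sorted(rules) for img, rules in by_image.items() if len(rules) > 1}


if __name__ == "__main__":
    findings = hunt(SAMPLE_EVENTS)
    for hit in findings:
        print(json.dumps(hit))
    print(json.dumps(correlate_by_image(findings)))
```

On the constructed input the System32 load is ignored, the two loads from ProgramData and Users\Public are flagged with same_dir_as_host set, the single external-IP query is flagged, and the correlation step singles out wizard.exe as the only process hit by both rules. The name-list approach deliberately trades recall for precision; a broader hunt would key on any DLL loaded from the same user-writable directory as its host EXE, regardless of name.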

Source: The Hacker News
