Chinese APT Group Deploys EggStreme Fileless Malware to Compromise Philippine Military Systems

A China-linked advanced persistent threat (APT) group has been tied to the compromise of a military company in the Philippines using a previously undocumented fileless malware framework called EggStreme. The multi-stage toolset is built for persistent, low-profile espionage: its later stages are injected directly into memory rather than dropped as standalone executables, and they are launched through DLL sideloading, in which a malicious DLL is placed where a legitimate, trusted executable will load it. According to Bitdefender researcher Bogdan Zavadovschi, the core component, EggStremeAgent, is a full-featured backdoor that supports extensive system reconnaissance and lateral movement and steals data, including keystrokes captured by a keylogger it injects. The targeting of the Philippines fits a recurring pattern in Chinese state-sponsored intrusions, against the backdrop of ongoing tensions in the South China Sea involving several nations.

The Romanian cybersecurity vendor first observed signs of the activity in early 2024 and describes EggStreme as a tightly integrated set of components designed to establish a “resilient foothold” on infected machines. The chain starts with EggStremeFuel (“mscorsvc.dll”), which profiles the system and deploys EggStremeLoader for persistence; the loader then runs EggStremeReflectiveLoader, which in turn launches EggStremeAgent. EggStremeFuel also maintains an active channel to a command-and-control (C2) server, through which it can enumerate drives, execute commands, and send sensitive data back to the operator.

EggStremeAgent, which the researchers call the “central nervous system” of the framework, watches for new user sessions and injects a keylogger component, EggStremeKeylogger, into them to capture keystrokes. The agent supports a wide set of commands covering local and network discovery, privilege escalation, and data exfiltration. An auxiliary implant, EggStremeWizard (“xwizards.dll”), adds reverse-shell access and file management.
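The DLL sideloading and in-memory staging described above leave a footprint in image-load telemetry even when the payload itself never touches disk as an executable. The script below is an added example, not Bitdefender's tooling or anything from the report: it parses constructed image-load records (a simplified, Sysmon-ImageLoad-like key=value format, not real logs) and flags loads of the two DLL names the article mentions from directories outside an assumed trusted baseline, unsigned copies of them, and the generic sideloading shape of a DLL resolved from a user-writable directory next to its host executable. The trusted-directory baseline, the user-writable prefixes, the record format, and every path in the sample are assumptions.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# DLL file names the article ties to EggStreme's DLL sideloading.
WATCHLIST = {"mscorsvc.dll", "xwizards.dll"}

# Directories from which DLLs with these names could legitimately be loaded.
# This baseline is an assumption; tune it to your own golden image.
TRUSTED_DIR_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\microsoft.net\\",
)

# Locations an unprivileged user (or a dropper running as one) can write to.
# Also an assumption; extend with your environment's writable paths.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# One record per line, in a simplified, Sysmon-ImageLoad-like format (not real
# Sysmon output): Image=<host exe> ImageLoaded=<dll> Signed=<true|false>
LINE_RE = re.compile(
    r"^Image=(?P<image>.+?) ImageLoaded=(?P<loaded>.+?) Signed=(?P<signed>true|false)$"
)

# Constructed sample telemetry; every path here is illustrative, not observed.
SAMPLE_LOG = r"""
Image=C:\Windows\System32\svchost.exe ImageLoaded=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll Signed=true
Image=C:\ProgramData\Vendor\updater.exe ImageLoaded=C:\ProgramData\Vendor\mscorsvc.dll Signed=false
Image=C:\Users\alice\AppData\Local\Temp\setup.exe ImageLoaded=C:\Users\alice\AppData\Local\Temp\xwizards.dll Signed=false
Image=C:\Program Files\Vendor\app.exe ImageLoaded=C:\Program Files\Vendor\helper.dll Signed=true
Image=C:\Users\bob\Downloads\tool.exe ImageLoaded=C:\Users\bob\Downloads\plugin.dll Signed=true
"""


@dataclass(frozen=True)
class ImageLoad:
    image: str    # host process executable
    loaded: str   # DLL that was mapped into it
    signed: bool  # whether the DLL carried a valid Authenticode signature


def parse_line(line: str) -> Optional[ImageLoad]:
    """Parse one record; return None for blank or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return ImageLoad(m["image"], m["loaded"], m["signed"] == "true")


def _parent_dir(path: str) -> str:
    """Lower-cased directory of a Windows path, with a trailing backslash."""
    return str(PureWindowsPath(path).parent).lower().rstrip("\\") + "\\"


def classify(ev: ImageLoad) -> list[str]:
    """Return the reasons this load looks like DLL sideloading (empty if none fire)."""
    reasons: list[str] = []
    name = PureWindowsPath(ev.loaded).name.lower()
    dll_dir = _parent_dir(ev.loaded)
    exe_dir = _parent_dir(ev.image)
    trusted = dll_dir.startswith(TRUSTED_DIR_PREFIXES)

    # Rules 1 and 2: a watch-listed name outside its expected directories, or unsigned.
    if name in WATCHLIST:
        if not trusted:
            reasons.append(f"{name} loaded from untrusted directory {dll_dir}")
        if not ev.signed:
            reasons.append(f"{name} is unsigned")

    # Rule 3: generic sideloading shape. The DLL was resolved from the host
    # executable's own directory and that directory is user-writable, which is
    # how a dropped legitimate EXE ends up loading an attacker-supplied DLL.
    if dll_dir == exe_dir and dll_dir.startswith(USER_WRITABLE_PREFIXES):
        reasons.append(f"{name} co-located with host executable in writable {dll_dir}")
    return reasons


def scan(log_text: str) -> dict[str, list[str]]:
    """Map each flagged DLL path to its reasons; unflagged loads are omitted."""
    findings: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = classify(ev)
        if reasons:
            findings[ev.loaded] = reasons
    return findings


if __name__ == "__main__":
    for dll, reasons in scan(SAMPLE_LOG).items():
        print(dll)
        for r in reasons:
            print("   -", r)
```

Run against the sample, the first record (a watch-listed name loaded signed from a trusted .NET directory) and the fourth (an unrelated signed DLL under Program Files) pass, while the two unsigned watch-listed copies in ProgramData and a user's Temp directory trip all three rules and the plugin loaded from Downloads trips only the generic co-location rule. The name-based rules are deliberately narrow and should be paired with the third, which does not depend on knowing the DLL names an intrusion set happens to use.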

Categories: Cybersecurity Threats, Malware Frameworks, Espionage Techniques 

Tags: Advanced Persistent Threat, Fileless Malware, EggStreme, Backdoor, Keylogger, Command-and-Control, Cybersecurity, Espionage, Lateral Movement, Data Exfiltration 