Bitdefender threat researchers have detailed a new and highly sophisticated fileless malware framework named EggStreme, used by a Chinese APT group to compromise a Philippine military company. The discovery highlights both the technical evolution of espionage-focused malware and the geopolitical tensions surrounding the South China Sea.
The campaign was first detected in early 2024, when suspicious activity was observed on the victim’s network. According to Bitdefender, “A Chinese APT group compromised a Philippine military company using a new, fileless malware framework called EggStreme. This multi-stage toolset achieves persistent, low-profile espionage by injecting malicious code directly into memory and leveraging DLL sideloading to execute payloads.”
The choice of target underscores the strategic value of the Philippines in the South China Sea dispute. Bitdefender notes: “Based on the target’s strategic value and the geopolitical context of the South China Sea, the attackers’ tactics, techniques, and procedures (TTPs) are consistent with those of Chinese APT groups.”
EggStreme is not a single malware sample but a modular, multi-stage framework designed for stealth and persistence. The attack begins with EggStremeFuel, a malicious DLL sideloaded by a legitimate executable. This sets up a reverse shell and delivers the next stage, EggStremeLoader, which decrypts additional payloads stored in disguised system files.
The chain continues with EggStremeReflectiveLoader, which injects the final core implant, EggStremeAgent, directly into trusted processes such as winlogon.exe or explorer.exe.
Bitdefender explains: “The EggStremeAgent is the central nervous system of the framework. It operates by monitoring new user sessions and, for every new session detected, it injects the EggStremeKeylogger into the active explorer.exe process to silently collect keystrokes and other sensitive data.”
EggStremeAgent is a full-featured backdoor with 58 distinct commands, enabling:
- System reconnaissance and fingerprinting
- Arbitrary command execution
- Lateral movement across the network
- File manipulation and data exfiltration
- Process injection and privilege escalation
The framework also deploys EggStremeWizard, a secondary lightweight backdoor, ensuring persistence even if the main implant is removed. Additionally, the EggStremeKeylogger captures keystrokes, clipboard data, and file activity in real time, while the Stowaway proxy tool allows attackers to bypass network segmentation and pivot deeper into the environment.
Unlike traditional malware, EggStreme is designed to be fileless in the operational sense: encrypted payloads do sit on disk, but the malicious code is only ever decrypted and executed in memory, so the decrypted implant never touches the filesystem and leaves minimal forensic traces. The framework also relies heavily on DLL sideloading and living-off-the-land binaries (LOLBins) so that malicious actions blend with legitimate system activity. Detection therefore depends on behavioural and in-memory telemetry (image loads, remote thread creation, process lineage, memory scanning) rather than on scanning files at rest.
As the report emphasizes, “What makes this framework difficult to detect is its fileless nature… coupled with the heavy use of DLL sideloading and the sophisticated, multi-stage execution flow, allows the framework to operate with a low profile, making it a significant and persistent threat.”
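The two behaviours the report singles out, a DLL sideloaded by a legitimate executable and code injected into trusted hosts such as winlogon.exe and explorer.exe, are both visible in endpoint telemetry. The script below is an added example written for this page, not code from Bitdefender or from the EggStreme report: it runs two heuristics over Sysmon-style Event ID 7 (ImageLoaded) and Event ID 8 (CreateRemoteThread) records. The list of commonly hijacked DLL names, the paths and every sample record are constructed for illustration and are not indicators from the report.

```python
"""Heuristics for DLL sideloading and cross-process injection into trusted
hosts, run over Sysmon-style Event ID 7 / Event ID 8 records.
Added example; all records, paths and the DLL name list are constructed."""

import ntpath

# Directories from which a Windows system DLL is expected to load.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# DLL names that signed applications commonly resolve through the search
# order and that attackers therefore plant beside the EXE (generic list,
# an assumption of this example, not EggStreme's actual DLL).
HIJACKABLE_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll",
                   "cryptbase.dll", "mscoree.dll", "profapi.dll"}

# Trusted processes the report names as injection hosts.
INJECTION_TARGETS = {"winlogon.exe", "explorer.exe"}

# Constructed sample telemetry, one record per line: EventID|Key=Value|...
SAMPLE_EVENTS = r"""
7|Image=C:\ProgramData\VendorTool\svc.exe|ImageLoaded=C:\ProgramData\VendorTool\version.dll|Signed=false
7|Image=C:\Windows\explorer.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true
7|Image=C:\Program Files\Editor\editor.exe|ImageLoaded=C:\Program Files\Editor\plugins\spell.dll|Signed=false
7|Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true
8|SourceImage=C:\ProgramData\VendorTool\svc.exe|TargetImage=C:\Windows\System32\winlogon.exe
8|SourceImage=C:\Windows\System32\winlogon.exe|TargetImage=C:\Windows\explorer.exe
8|SourceImage=C:\Windows\System32\csrss.exe|TargetImage=C:\Windows\System32\winlogon.exe
"""


def parse_event(line):
    """Split 'EventID|Key=Value|...' into a dict; EventID is kept as an int."""
    event_id, *pairs = line.split("|")
    ev = {"EventID": int(event_id)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        ev[key] = value
    return ev


def norm(path):
    # ntpath.normcase lowercases and normalises separators on any host OS,
    # so the checks work on Windows paths even when run on Linux.
    return ntpath.normcase(path)


def in_system_dir(path):
    return norm(path).startswith(SYSTEM_DIRS)


def base(path):
    return ntpath.basename(norm(path))


def check_image_load(ev):
    """Rule: a well-known system DLL name loaded from outside a system directory."""
    module, host = ev["ImageLoaded"], ev["Image"]
    if base(module) in HIJACKABLE_DLLS and not in_system_dir(module):
        return ("high", "dll-sideload",
                f"{host} loaded {base(module)} from {ntpath.dirname(module)} "
                f"instead of a system directory")
    return None


def check_remote_thread(ev):
    """Rules: a non-system binary creating a thread in a trusted host, or one
    trusted host creating a thread in another (the pattern described for the
    keylogger stage). Both are leads for triage, not verdicts."""
    src, dst = ev["SourceImage"], ev["TargetImage"]
    if base(dst) in INJECTION_TARGETS and not in_system_dir(src):
        return ("high", "injection-into-trusted-host",
                f"{src} created a thread in {base(dst)}")
    if (base(src) in INJECTION_TARGETS and base(dst) in INJECTION_TARGETS
            and base(src) != base(dst)):
        return ("medium", "trusted-host-to-trusted-host",
                f"{base(src)} created a thread in {base(dst)}")
    return None


CHECKS = {7: check_image_load, 8: check_remote_thread}


def scan(text):
    """Return a list of (severity, rule, message) for every record that fires."""
    alerts = []
    for line in text.strip().splitlines():
        ev = parse_event(line)
        check = CHECKS.get(ev["EventID"])
        if check:
            alert = check(ev)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for severity, rule, msg in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {msg}")
```

On the sample records the script raises three alerts: the planted version.dll loaded from the application directory, the same non-system binary creating a thread in winlogon.exe, and winlogon.exe creating a thread in explorer.exe. The remaining records (system DLLs loaded from System32, an application loading its own plugin, csrss.exe touching winlogon.exe) stay silent, which is the point of anchoring the rules on path and host rather than on file hashes that a fileless framework never exposes.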
The targeting of a Philippine military organization strongly suggests state alignment. Bitdefender stresses that the attackers’ objectives were not financial but espionage-driven, with the goal of long-term surveillance and data theft in a region of high geopolitical tension.