Chinese APT Deploys EggStreme Fileless Malware to Breach Philippine Military Systems - The Hacker News

Chinese APT Deploys EggStreme Fileless Malware to Breach Philippine Military Systems Ravie LakshmananSep 10, 2025Cybersecurity / Malware An advanced persistent threat (APT) group from China has been attributed to the compromise of a Philippines-based military company using a previously undocumented fileless malware framework called EggStreme. "This multi-stage toolset achieves persistent, low-profile espionage by injecting malicious code directly into memory and leveraging DLL sideloading to execute payloads," Bitdefender researcher Bogdan Zavadovschi said in a report shared with The Hacker News. "The core component, EggStremeAgent, is a full-featured backdoor that enables extensive system reconnaissance, lateral movement, and data theft via an injected keylogger." The targeting of the Philippines is something of a recurring pattern for Chinese state-sponsored hacking groups, particularly in light of geopolitical tensions fueled by territorial disputes in the South China Sea between China, Vietnam, the Philippines, Taiwan, Malaysia, and Brunei. That said, the latest activity has not been attributed to any known Chinese hacking group. "We put quite a lot of effort into attribution efforts, but couldn't find anything," Martin Zugec, technical solutions director at Bitdefender, told The Hacker News. "However, objectives align with Chinese APTs. For this one, our attribution is based on interests/objectives." The Romanian cybersecurity vendor, which first detected signs of malicious activity in early 2024, described EggStreme as a tightly integrated set of malicious components that's engineered to establish a "resilient foothold" on infected machines. The exact initial access vector used in the attack remains unknown at this stage. The starting point of the multi-stage operation is a payload called EggStremeFuel ("mscorsvc.dll") that conducts system profiling and deploys EggStremeLoader to set up persistence and then executes EggStremeReflectiveLoader, which, in turn, triggers EggStremeAgent. EggStremeFuel's functions are realized by opening an active communication channel with a command-and-control (C2), enabling it to - Get drive information Start cmd.exe and establish communication via pipes Gracefully close all connections and shutdown Read a file from server and save it to disk Read a local file from a given path and transmit its content Send the external IP address by making a request to myexternalip[.]com/raw Dump the in-memory configuration to disk Calling EggStremeAgent the "central nervous system" of the framework, the backdoor works by monitoring new user sessions and injects a keylogger component dubbed EggStremeKeylogger for each session to harvest keystrokes and other sensitive data. It communicates with a C2 server using the Google Remote Procedure Call (gRPC) protocol. It supports an impressive 58 commands that enable a broad range of capabilities to facilitate local and network discovery, system enumeration, arbitrary shellcode execution, privilege escalation, lateral movement, data exfiltration, and payload injection, including an auxiliary implant codenamed EggStremeWizard ("xwizards.dll"). "The attackers use this to launch a legitimate binary that sideloads the malicious DLL, a technique they consistently abuse throughout the attack chain," Zavadovschi noted. "This secondary backdoor provides reverse shell access and file upload/download capabilities. Its design also incorporates a list of multiple C2 servers, enhancing its resilience and ensuring that communication with the attacker can be maintained even if one C2 server is taken offline." The activity is also characterized by the use of the Stowaway proxy utility to establish an internal network foothold. Complicating detection further is the fileless nature of the framework, causing malicious code to be loaded and executed directly in memory without leaving any traces on disk. "This, coupled with the heavy use of DLL side-loading and the sophisticated, multi-stage execution flow, allows the framework to operate with a low profile, making it a significant and persistent threat," Bitdefender said. "The EggStreme malware family is a highly sophisticated and multi-component threat designed to achieve persistent access, lateral movement, and data exfiltration. The threat actor demonstrates an advanced understanding of modern defensive techniques by employing a variety of tactics to evade detection." (The story was updated after publication to include additional insights from Bitdefender.) Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Advanced Persistent Threat, cybersecurity, data exfiltration, DLL Sideloading, keylogger, Malware Trending News Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8 Researchers Trick Perplexity's Comet AI Browser Into Phishing Scam in Under Four Minutes Apple Issues Security Updates for Older iOS Devices Targeted by Coruna WebKit Exploit Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days Meta to Shut Down Instagram End-to-End Encrypted Chat Support Starting May 2026 Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack and More CISA Flags Actively Exploited Wing FTP Vulnerability Leaking Server Paths FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials Android 17 Blocks Non-Accessibility Apps from Accessibility API to Prevent Malware Abuse ⚡ Weekly Recap: Chrome 0-Days, Router Botnets, AWS Breach, Rogue AI Agents and More Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware Veeam Patches 7 Critical Backup and Replication Flaws Allowing Remote Code Execution OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration Load More ▼ Popular Resources Get the 2026 ASV Report to Benchmark Top Validation Tools Fix Security Noise by Focusing Only on Validated Exposures Webinar - Identify Key Attack Paths to Your Crown Jewels with CSMA Guide - Discover How to Validate AI Risks With Adversarial Testing