Chinese APT Deploys EggStreme Fileless Malware to Breach Philippine Military Systems

An advanced persistent threat (APT) group from China has been attributed to the compromise of a Philippines-based military company using a previously undocumented fileless malware framework called EggStreme. "This multi-stage toolset achieves persistent, low-profile espionage by injecting malicious code directly into memory and leveraging DLL sideloading to execute payloads," Bitdefender researcher Bogdan Zavadovschi said in a report shared with The Hacker News. "The core component, EggStremeAgent, is a full-featured backdoor that enables extensive system reconnaissance, lateral movement, and data theft via an injected keylogger." The targeting of the Philippines is something of a recurring pattern for Chinese state-sponsored hacking groups, particularly in light of geopolitical tensions fueled by territorial disputes in the South China Sea between China, Vietnam, the Philippines, Taiwan, Malaysia, and Brunei. The Romanian cybersecurity vendor, which first detected signs of malicious activity in early 2024, described EggStreme as a tightly integrated set of malicious components that's engineered to establish a "resilient foothold" on infected machines. The starting point of the multi-stage operation is a payload called EggStremeFuel ("mscorsvc.dll") that conducts system profiling and deploys EggStremeLoader to set up persistence and then executes EggStremeReflectiveLoader, which, in turn, triggers EggStremeAgent. EggStremeFuel's functions are realized by opening an active…Read More