A Chinese APT group has compromised a Philippines-based military firm using a novel, sophisticated fileless malware framework dubbed “EggStreme”, Bitdefender researchers have warned.
The multi-stage toolset achieves persistent, low-profile espionage by injecting malicious code directly into memory and leveraging DLL sideloading to execute payloads.
These payloads include a backdoor called “EggStremeAgent”, which enables extensive system reconnaissance, lateral movement and data theft via an injected keylogger.
The researchers said that the modular, fileless and living-off-the-land (LOTL) approach deployed by the framework highlights a significant shift in adversary tradecraft.
“The threat is not a collection of individual executables but a dynamic, multi-stage operation that leverages legitimate tools and system behaviors to remain undetected,” they noted.
The strategic value of the target, its location bordering the South China Sea and the tactics used in the attack are all consistent with the targeting and tradecraft of Chinese APT groups.
“The attackers’ primary focus was to achieve persistent access for long-term espionage and surveillance, highlighting the work of a highly professional threat actor whose objectives align with known national interests,” the researchers added.
How the Fileless Malware is Deployed
The Bitdefender report, published on September 10, revealed that the firm’s investigation began in early 2024 after detecting the execution of a logon batch script from an SMB share.
The exact method by which the script was placed on the SMB share is unknown.
The script’s primary function was to deploy two files to the Windows directory. One of these was a malicious DLL named mscorsvc.dll.
The malicious mscorsvc.dll was the first stage of the attack chain, dubbed “EggStremeFuel,” which sets up the environment for the final payload.
The EggStremeFuel component includes capabilities for system fingerprinting, which allows the attacker to gather information about the compromised machine.
Its most important function is to establish a reverse shell and create a communication channel with the command-and-control (C2) server using read-write pipes. This provides the attacker with a remote command-line interface (CLI) on the compromised system.
The APT actor maintained persistent access by abusing several legitimate Windows services that are not enabled by default. This allowed them to blend into normal system operations while maintaining access.
The attacker then deployed a malicious binary named “EggStremeLoader.” This component is responsible for reading a file that contains both the encrypted “EggStremeReflectiveLoader” and the EggStremeAgent payload.
The final EggStremeAgent implant is a sophisticated backdoor that communicates with the C2 server using the gRPC protocol, an open-source framework for building remote procedure calls (RPCs).
The malware supports 58 distinct commands, including system fingerprinting, privilege escalation, command execution, data exfiltration and process injection.
On several machines, a secondary, more lightweight backdoor named “EggStremeWizard” was deployed. This secondary backdoor provides reverse shell access and file upload/download capabilities.
“The campaign’s success is a direct result of a highly coordinated malware toolkit, not a collection of isolated implants. Each component serves a distinct purpose in the attack chain, from initial execution and persistence to in-memory payload delivery and final remote command and control. A deeper analysis reveals strong ties among the components, suggesting a single, unified development effort,” the researchers noted.
How to Defend Against the EggStreme Toolkit
Bitdefender provided a series of recommendations for security teams to defend against sophisticated fileless malware toolkits such as EggStreme. These include:
- Limiting the use of legitimate but high-risk binaries to proactively reduce your attack surface
- Adopting detection and response capabilities to identify complex attack chains and detect behavioral anomalies that bypass prevention layers
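Two of the behaviors described above, a logon batch script executed from an SMB share and a DLL named mscorsvc.dll dropped into the Windows directory for sideloading, are the kind of behavioral anomalies the second recommendation refers to. The following is an added example, not code from the Bitdefender report, showing how a detection pass over Sysmon-style process-creation and image-load events could surface both; the event fields, the sample events and the assumed legitimate home of mscorsvc.dll (the .NET Framework tree) are all assumptions for illustration.

```python
import re

# Constructed Sysmon-style events for illustration only (not taken from the report);
# EventID 1 = process creation, EventID 7 = image (DLL) load.
SAMPLE_EVENTS = [
    {"EventID": 1, "CommandLine": r"cmd.exe /c \\fileserver\netlogon\logon.bat"},
    {"EventID": 1, "CommandLine": r"cmd.exe /c C:\Scripts\backup.bat"},
    {"EventID": 7, "ImageLoaded": r"C:\Windows\mscorsvc.dll", "Signed": "false"},
    {"EventID": 7, "Signed": "true",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll"},
]

# A batch script launched from a UNC path (\\host\share\...\name.bat or .cmd).
UNC_SCRIPT = re.compile(r"\\\\[\w.-]+\\\S+?\.(?:bat|cmd)\b", re.IGNORECASE)

# DLL names to watch, mapped to the directory prefix where the legitimate copy lives.
# The mscorsvc.dll home is an assumption (the .NET Framework tree); confirm it on a
# clean reference host before using the rule.
EXPECTED_DLL_HOME = {"mscorsvc.dll": "c:\\windows\\microsoft.net\\"}


def check_process_event(event):
    """Flag a process creation whose command line runs a script from an SMB share."""
    match = UNC_SCRIPT.search(event.get("CommandLine", ""))
    if match:
        return {"rule": "script_run_from_smb_share", "evidence": match.group(0)}
    return None


def check_image_load(event):
    """Flag a watched DLL loaded from anywhere other than its expected directory."""
    loaded = event.get("ImageLoaded", "")
    name = loaded.rsplit("\\", 1)[-1].lower()
    home = EXPECTED_DLL_HOME.get(name)
    if home and not loaded.lower().startswith(home):
        return {"rule": "dll_loaded_outside_expected_dir", "evidence": loaded,
                "signed": event.get("Signed", "unknown")}
    return None


def scan_events(events):
    """Run both checks over the events and return every alert raised, in order."""
    checks = {1: check_process_event, 7: check_image_load}
    alerts = []
    for event in events:
        check = checks.get(event.get("EventID"))
        hit = check(event) if check else None
        if hit:
            alerts.append(hit)
    return alerts
```

Running `scan_events(SAMPLE_EVENTS)` raises exactly two alerts: the logon script launched from the share and the unsigned mscorsvc.dll loaded from outside its expected directory, while the local backup script and the legitimate DLL pass.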