A Chinese APT group has carried out a new operation against a Philippine military company using the unique fileless malware framework EggStreme. The attack allowed the attackers to conduct espionage, data theft and covert operations on the network while bypassing traditional detection tools.

According to Bitdefender, the campaign is built on a multi-layered infrastructure that includes the components EggStremeFuel, EggStremeLoader and EggStremeReflectiveLoader, together with the core backdoor EggStremeAgent.

EggStremeAgent capabilities:
reading data from disk and sending it to the C2 server;
monitoring new user sessions;
an EggStremeKeylogger module to collect keystrokes;
executing arbitrary shellcode;
moving within the network (lateral movement);
privileged command execution and file exfiltration.
Additionally, the EggStremeWizard implant provides a reverse shell and file transfer, and the Stowaway proxy tool is used for covert access inside corporate systems.
A defining feature of the attack is its fileless nature: the malicious code is loaded entirely into memory and is never written to disk. Combined with DLL sideloading, this makes EggStreme highly resilient and hard to detect.

This is not the first time the Philippines has been targeted by Chinese cyber operations. The activity is directly linked to geopolitical tensions in the South China Sea, where the struggle for territorial control between China, Vietnam, Taiwan, Malaysia and Brunei continues.
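Because the payload never touches disk, file-scanning antivirus has little to inspect; what does remain visible is the DLL-sideloading step, where a legitimate executable loads a DLL placed next to it. The following is an added detection example, not Bitdefender's logic and not code from the EggStreme report: it runs a simple sideloading heuristic over constructed Sysmon Event ID 7 ("Image loaded") records. The Sysmon field names (Image, ImageLoaded, Signed, SignatureStatus) are real; every path, file name and event in the sample is invented for the example.

```python
"""Flag DLL-sideloading candidates in Sysmon 'Image loaded' (Event ID 7) telemetry.

Heuristic: a DLL loaded from the *same directory* as its host executable, where that
directory lies outside the Windows system tree and the DLL carries no valid signature,
is a classic sideloading pattern worth triage. Added example with constructed input;
this is not Bitdefender's detection logic.
"""
import json
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Constructed Sysmon records in JSON-lines form. All paths and names are invented.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "Signed": "true", "SignatureStatus": "Valid"}
{"EventID": 7, "Image": "C:\\Users\\Public\\Update\\vendorTool.exe", "ImageLoaded": "C:\\Users\\Public\\Update\\helper.dll", "Signed": "false", "SignatureStatus": "Unavailable"}
{"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe", "ImageLoaded": "C:\\Program Files\\Vendor\\appcore.dll", "Signed": "true", "SignatureStatus": "Valid"}
{"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true", "SignatureStatus": "Valid"}
{"EventID": 1, "Image": "C:\\Users\\Public\\Update\\vendorTool.exe", "CommandLine": "vendorTool.exe /quiet"}
"""

# Directories where loading a DLL next to the host binary is expected behaviour.
SYSTEM_ROOTS = ("c:\\windows",)


def _under_system_root(path: PureWindowsPath) -> bool:
    """True when the path lives under a trusted OS directory (case-insensitive)."""
    lowered = str(path).lower()
    return any(lowered.startswith(root) for root in SYSTEM_ROOTS)


def is_sideload_candidate(event: Dict) -> Optional[str]:
    """Return a human-readable reason if the event looks like DLL sideloading, else None."""
    if event.get("EventID") != 7:
        return None  # only 'Image loaded' events carry a loaded-module path
    host = PureWindowsPath(event["Image"])
    module = PureWindowsPath(event["ImageLoaded"])
    if module.suffix.lower() != ".dll":
        return None
    # Sideloading relies on the loader resolving the DLL from the host's own directory.
    if str(host.parent).lower() != str(module.parent).lower():
        return None
    if _under_system_root(module):
        return None  # a system binary loading a system DLL from System32 is normal
    validly_signed = (event.get("Signed") == "true"
                      and event.get("SignatureStatus") == "Valid")
    if validly_signed:
        return None
    return (f"unsigned DLL {module.name} loaded from the host's own directory "
            f"{module.parent} by {host.name}")


def find_sideload_candidates(jsonl: str) -> List[Dict]:
    """Parse JSON-lines Sysmon events and return the flagged ones with a 'Reason' field."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reason = is_sideload_candidate(event)
        if reason:
            findings.append({**event, "Reason": reason})
    return findings


if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print(hit["Reason"])
```

On the sample input only the second record is flagged: the unsigned helper.dll sitting beside vendorTool.exe in a user-writable directory. The signed vendor DLL and the System32 loads pass, and the Event ID 1 record is ignored because it carries no loaded module. In production the same heuristic is usually paired with process-memory telemetry (unbacked executable regions, reflective loads), since the sideloaded DLL is only the first stage and the rest of a fileless chain lives in memory.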

Bitdefender notes that, although there is no direct attribution to a known Chinese group yet, the goals and methods match the typical strategy of China-based APTs: long-term espionage, data theft and increased pressure through cyber campaigns.
EggStreme exemplifies the modern evolution of spyware that bypasses classic antivirus tools and poses a threat to defense organizations. The attack shows that APT campaigns are becoming stealthier and more sophisticated, and countries in the region need to strengthen the cyber defense of their critical infrastructure.