Particle.news


Bitdefender Unveils ‘EggStreme,’ a Fileless Espionage Toolkit Used to Breach Philippine Military Company

Researchers attribute the active campaign to a China-based APT and advise defenders to combine the newly published indicators with memory-based detections, since the toolkit leaves little on disk.

Overview

  • The multi-stage framework chains components dubbed EggStremeFuel, EggStremeLoader and EggStremeReflectiveLoader to deploy the main EggStremeAgent payload entirely in memory, with the initial stage delivered through DLL sideloading.
  • EggStremeAgent functions as a full-featured backdoor with 58 commands, injects a keylogger into new Windows user sessions and communicates over encrypted gRPC channels.
  • Operators maintain persistence and resilience with a secondary backdoor called EggStremeWizard that abuses xwizard.exe for DLL sideloading and keeps multiple fallback servers.
  • The toolkit leverages the Stowaway proxy to route traffic inside victim networks, supporting lateral movement and evasion inside segmented environments.
  • Bitdefender first observed activity in early 2024 and reports the campaign remains active against APAC targets; indicators of compromise have been released on its IntelliZone Portal and GitHub. The initial infection vector and the exact nature of the Philippine target have not been disclosed.
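The xwizard.exe sideloading described above is detectable without on-disk indicators: the genuine binary and its DLLs live under System32/SysWOW64 and are Microsoft-signed, so an xwizard.exe running from, or loading a DLL from, anywhere else is a strong signal. The following is an added illustration written for this summary, not Bitdefender's detection logic or any published rule. It runs a heuristic over constructed Sysmon-style image-load events (Event ID 7 fields flattened to `Key=Value|Key=Value` lines, a format assumed here for readability); the paths and the `xwizards.dll` filename in the samples are illustrative, not indicators from the report.

```python
"""Heuristic check for xwizard.exe DLL sideloading over constructed Sysmon-style
image-load events (Event ID 7). Added illustration; not Bitdefender's detection logic."""
import ntpath
from dataclasses import dataclass

# Directories from which the genuine xwizard.exe and its DLLs are expected to load.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
TARGET_BINARY = "xwizard.exe"


@dataclass(frozen=True)
class ImageLoadEvent:
    image: str          # Sysmon "Image": full path of the process
    image_loaded: str   # Sysmon "ImageLoaded": full path of the DLL
    signed: bool        # Sysmon "Signed"
    signature: str      # Sysmon "Signature": publisher name


def parse_event(line: str) -> ImageLoadEvent:
    """Parse a flattened 'Key=Value|Key=Value' line (constructed format, not real Sysmon XML)."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoadEvent(
        image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        signed=fields["Signed"].lower() == "true",
        signature=fields.get("Signature", ""),
    )


def _norm_dir(path: str) -> str:
    """Lower-cased, normalised directory component of a Windows path."""
    return ntpath.dirname(ntpath.normpath(path).lower())


def sideload_indicators(ev: ImageLoadEvent) -> list[str]:
    """Return the reasons an xwizard.exe image load looks like sideloading.

    An empty list means the event is benign or does not involve xwizard.exe.
    """
    if ntpath.basename(ev.image).lower() != TARGET_BINARY:
        return []
    reasons = []
    proc_dir = _norm_dir(ev.image)
    dll_dir = _norm_dir(ev.image_loaded)
    if proc_dir not in SYSTEM_DIRS:
        # The legitimate binary was copied next to an attacker DLL.
        reasons.append(f"xwizard.exe running from non-system directory {proc_dir}")
    if dll_dir not in SYSTEM_DIRS:
        reasons.append(f"DLL loaded from non-system directory {dll_dir}")
    if not ev.signed or not ev.signature.lower().startswith("microsoft"):
        reasons.append("loaded DLL is not Microsoft-signed")
    return reasons


def scan(lines: list[str]) -> list[tuple[ImageLoadEvent, list[str]]]:
    """Parse every line and return the events that carry at least one indicator."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = sideload_indicators(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample events (not from a real incident); paths and DLL name are illustrative.
SAMPLE_LINES = [
    r"Image=C:\Windows\System32\xwizard.exe|ImageLoaded=C:\Windows\System32\xwizards.dll|Signed=true|Signature=Microsoft Windows",
    r"Image=C:\ProgramData\Update\xwizard.exe|ImageLoaded=C:\ProgramData\Update\xwizards.dll|Signed=false|Signature=",
    r"Image=C:\Windows\explorer.exe|ImageLoaded=C:\Users\Public\evil.dll|Signed=false|Signature=",
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_LINES):
        print(ev.image)
        for r in reasons:
            print("  -", r)
```

Only the second sample is flagged: the copied xwizard.exe, the DLL beside it and the missing Microsoft signature each trip a separate check. The third line (explorer.exe loading an unsigned DLL) is deliberately not flagged because the rule is scoped to xwizard.exe; widening `TARGET_BINARY` to a set of commonly abused signed binaries turns it into a general sideloading rule, at the cost of more tuning against legitimate third-party software.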