EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company

Sept. 10, 2025, 8:14 p.m.

Description

A Chinese APT group compromised a Philippine military company using a new, fileless malware framework called EggStreme. This sophisticated multi-stage toolset achieves persistent, low-profile espionage by injecting malicious code directly into memory and leveraging DLL sideloading. The core component, EggStremeAgent, is a full-featured backdoor enabling extensive system reconnaissance, lateral movement, and data theft via an injected keylogger. The attack begins with EggStremeFuel deploying EggStremeLoader to set up a persistent service, which then executes EggStremeReflectiveLoader to launch EggStremeAgent. The framework's fileless nature and use of legitimate Windows processes make it difficult to detect, posing a significant and persistent threat.

Indicators

  • 103.78.242.128
  • 103.169.90.164
  • 103.131.95.114
  • 103.103.0.225
  • traveldog.org
  • theuklg.com
  • sinhluc.net
  • sealtribute.org
  • safiasol.com
  • powerontheroad.org
  • fionamcleod.net
  • fetraa.com
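The indicators above are only useful once they are matched against what your sensors actually saw. The following is an added example, not code from the original report or from any EggStreme analysis, that loads the IPs and domains listed above and scans a small set of constructed DNS/proxy log lines for them. It assumes a simple whitespace-separated log format (timestamp, source IP, destination IP, queried host) invented for this example; the matching rules are the ones a practitioner wants when hunting on network IOCs: exact match on IPs, and domain matches that also catch subdomains, ignore case and a trailing DNS dot, but do not fire on a longer unrelated name that merely ends in the same characters.

```python
import ipaddress
import re
from dataclasses import dataclass

# Network indicators as listed on this page.
IOC_IPS = {
    "103.78.242.128",
    "103.169.90.164",
    "103.131.95.114",
    "103.103.0.225",
}
IOC_DOMAINS = {
    "traveldog.org",
    "theuklg.com",
    "sinhluc.net",
    "sealtribute.org",
    "safiasol.com",
    "powerontheroad.org",
    "fionamcleod.net",
    "fetraa.com",
}


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str   # the IOC from the list above that matched
    kind: str        # "ip" or "domain"
    observed: str    # the value exactly as it appeared in the log


def normalize_host(value: str) -> str:
    """Lower-case a hostname and strip a trailing dot (DNS logs often keep it)."""
    return value.strip().lower().rstrip(".")


def domain_matches(observed: str, indicator: str) -> bool:
    """True if observed equals the indicator or is a subdomain of it.

    The leading dot in the suffix check is what stops 'nottheuklg.com'
    from matching the indicator 'theuklg.com'.
    """
    observed = normalize_host(observed)
    return observed == indicator or observed.endswith("." + indicator)


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


# Constructed log format (an assumption for this example, not a real sensor format):
# "<timestamp> <src_ip> <dst_ip> <host>" with "-" when no hostname was observed.
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def scan_line(line_no: int, line: str) -> list[Hit]:
    """Return every IOC hit on one log line; malformed lines yield nothing."""
    m = LOG_RE.match(line)
    if not m:
        return []
    _ts, _src, dst, host = m.groups()
    hits: list[Hit] = []
    if is_ip(dst) and dst in IOC_IPS:
        hits.append(Hit(line_no, dst, "ip", dst))
    if host != "-":
        if is_ip(host):
            # Some proxies log an IP literal in the host field; treat it as an IP IOC.
            if host in IOC_IPS and host != dst:
                hits.append(Hit(line_no, host, "ip", host))
        else:
            for ind in sorted(IOC_DOMAINS):
                if domain_matches(host, ind):
                    hits.append(Hit(line_no, ind, "domain", host))
    return hits


def scan_log(lines) -> list[Hit]:
    """Scan an iterable of log lines and return all hits in log order."""
    hits: list[Hit] = []
    for n, line in enumerate(lines, 1):
        hits.extend(scan_line(n, line))
    return hits


# Constructed sample log for this example (not real traffic).
SAMPLE_LOG = [
    "2025-09-01T10:00:00Z 10.0.0.5 142.250.80.46 www.example.com",   # benign
    "2025-09-01T10:00:03Z 10.0.0.5 103.78.242.128 -",                # IP IOC, no hostname
    "2025-09-01T10:00:07Z 10.0.0.7 203.0.113.9 cdn.TRAVELDOG.org.",  # subdomain, case, trailing dot
    "2025-09-01T10:00:09Z 10.0.0.7 203.0.113.10 nottheuklg.com",     # must NOT match theuklg.com
    "this line is not in the expected format",                        # skipped
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.kind} IOC {hit.indicator} (observed {hit.observed})")
```

In a real deployment the IOC sets would be loaded from your threat-intel feed rather than embedded, and the regular expression replaced with the parser for whatever your DNS resolver or proxy actually emits; the matching helpers stay the same.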

Additional Information

  • Defense
  • Philippines