EggStreme Fileless Malware
A Philippines-based military company has fallen victim to a cyber-espionage campaign tied to an advanced persistent threat (APT) group believed to operate out of China. The attackers deployed a previously undocumented fileless malware framework, dubbed EggStreme, built to maintain long-term, low-profile access to compromised systems.
The EggStreme Framework: Multi-Stage and Fileless
EggStreme is not a single piece of malware but a tightly integrated framework of components. The infection chain begins with EggStremeFuel (mscorsvc.dll), which profiles the system before deploying EggStremeLoader to establish persistence. This is followed by EggStremeReflectiveLoader, which loads the main backdoor, EggStremeAgent, directly into memory.
The framework's later stages run entirely in memory, so the agent itself is never written to disk and leaves few forensic traces. What does touch disk is small: a loader DLL placed beside a legitimate executable that will load it. That DLL sideloading, used throughout the attack chain, also means the malicious code executes inside a legitimate process, which complicates both detection and forensics.
EggStremeAgent: The Central Nervous System
At the core of the framework lies EggStremeAgent, a fully functional backdoor that operates as the attacker’s primary control hub. It enables system reconnaissance, privilege escalation, and lateral movement while also deploying EggStremeKeylogger to capture keystrokes across active user sessions.
The backdoor communicates with its command-and-control (C2) infrastructure over gRPC, Google's open-source remote procedure call framework, and supports 58 commands, ranging from data exfiltration and shellcode execution to payload injection.
One auxiliary implant, EggStremeWizard (xwizards.dll), gives the attackers a reverse shell and file transfer capabilities. It is configured with multiple C2 servers, so losing one server does not cost the operators their access.
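Because the agent talks gRPC, a defender with visibility into the HTTP/2 stream (cleartext, or at a TLS-terminating proxy; the article does not say whether the C2 channel is encrypted) can recognise the session and unpack its messages without the attackers' schema. The following Python is an added example, not EggStreme's code and not from the researchers' report: it applies the public gRPC-over-HTTP/2 wire format (a `POST` to `/package.Service/Method` with an `application/grpc` content type, each message framed as a 1-byte compressed flag plus a 4-byte big-endian length) and a schema-less protobuf walker to constructed sample bytes. The service path `/c2.Agent/Execute`, the field layout and the message contents are hypothetical.

```python
"""Recognise gRPC traffic and unpack its message framing (added example).

Not EggStreme's protocol code. Applies the public gRPC-over-HTTP/2 wire format
and protobuf wire types to constructed sample data; service, method and field
names are hypothetical. Only useful where the HTTP/2 stream is visible in
cleartext, e.g. at a TLS-terminating proxy.
"""
import re
import struct

HTTP2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
GRPC_PATH = re.compile(r"^/[^/]+/[^/]+$")  # /package.Service/Method


def is_http2_preface(data):
    """True if a client-to-server stream opens with the HTTP/2 connection preface."""
    return data.startswith(HTTP2_PREFACE)


def is_grpc_request(headers):
    """True if HTTP/2 request headers (lower-case keys) describe a gRPC call."""
    ctype = headers.get("content-type", "")
    return (headers.get(":method") == "POST"
            and (ctype == "application/grpc" or ctype.startswith("application/grpc+"))
            and bool(GRPC_PATH.match(headers.get(":path", ""))))


def parse_grpc_messages(data):
    """Split concatenated gRPC DATA-frame payloads into (compressed, body) tuples.

    Each message is a 1-byte compressed flag, a 4-byte big-endian length, then
    the body. Truncated or malformed framing raises ValueError.
    """
    msgs, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated length prefix at offset %d" % off)
        flag, length = struct.unpack_from(">BI", data, off)
        off += 5
        if flag not in (0, 1):
            raise ValueError("invalid compressed flag %d" % flag)
        if len(data) - off < length:
            raise ValueError("truncated message body at offset %d" % off)
        msgs.append((flag == 1, bytes(data[off:off + length])))
        off += length
    return msgs


def _read_varint(buf, off):
    """Decode a protobuf base-128 varint at buf[off]; return (value, new_offset)."""
    result = shift = 0
    while True:
        if off >= len(buf):
            raise ValueError("truncated varint")
        b = buf[off]
        off += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def decode_protobuf_fields(buf):
    """Walk a protobuf message without its schema: [(field_no, wire_type, value)].

    Enough to see which fields a C2 message carries; nested messages and strings
    are returned as raw bytes (wire type 2).
    """
    fields, off = [], 0
    while off < len(buf):
        key, off = _read_varint(buf, off)
        field_no, wire_type = key >> 3, key & 7
        if wire_type == 0:                       # varint
            value, off = _read_varint(buf, off)
        elif wire_type == 1:                     # fixed64
            value, off = struct.unpack_from("<Q", buf, off)[0], off + 8
        elif wire_type == 2:                     # length-delimited
            length, off = _read_varint(buf, off)
            if len(buf) - off < length:
                raise ValueError("truncated length-delimited field")
            value, off = bytes(buf[off:off + length]), off + length
        elif wire_type == 5:                     # fixed32
            value, off = struct.unpack_from("<I", buf, off)[0], off + 4
        else:
            raise ValueError("unsupported wire type %d" % wire_type)
        fields.append((field_no, wire_type, value))
    return fields


# Constructed sample: two back-to-back uncompressed messages on one stream, each
# a hypothetical command {1: command_id (varint), 2: argument (string)}.
SAMPLE_MSG1 = b"\x08\x07\x12\x06whoami"   # field1=7,  field2="whoami"
SAMPLE_MSG2 = b"\x08\x2a\x12\x03dir"      # field1=42, field2="dir"
SAMPLE_STREAM = (b"\x00" + len(SAMPLE_MSG1).to_bytes(4, "big") + SAMPLE_MSG1
                 + b"\x00" + len(SAMPLE_MSG2).to_bytes(4, "big") + SAMPLE_MSG2)
SAMPLE_HEADERS = {":method": "POST", ":path": "/c2.Agent/Execute",
                  "content-type": "application/grpc+proto"}

if __name__ == "__main__":
    print("gRPC request:", is_grpc_request(SAMPLE_HEADERS))
    for compressed, body in parse_grpc_messages(SAMPLE_STREAM):
        print("compressed=%s fields=%s" % (compressed, decode_protobuf_fields(body)))
```

Run against a captured DATA payload, `parse_grpc_messages` gives the message boundaries and `decode_protobuf_fields` shows the field numbers and wire types in each, which is usually enough to tell a heartbeat from a tasking message and to write a content signature on the stable fields.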
Capabilities of EggStremeFuel
The initial module, EggStremeFuel, handles reconnaissance and first contact with the attackers' infrastructure. It allows the operators to:
- Gather system drive information.
- Start cmd.exe and relay its input and output through pipes.
- Look up the machine's external IP address via myexternalip.com/raw and report it (an outbound request to that URL from an unexpected process is a usable network indicator).
- Read local and remote files and save or transmit their contents.
- Dump in-memory configuration data to disk.
- Close connections when required.
Tactics, Techniques, and Tools
The threat actors consistently employ DLL sideloading: they launch legitimate binaries that load malicious DLLs placed alongside them. They also deploy Stowaway, an open-source multi-hop proxy, to tunnel traffic deeper into internal networks once a foothold exists. Combined with the fileless execution flow, these techniques let the operation blend into normal system activity and evade traditional, file-centric security tools.
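The sideloading pattern described here and in the framework overview (a legitimate executable loading mscorsvc.dll or xwizards.dll from a directory it has no business reading them from) is visible in image-load telemetry such as Sysmon Event ID 7. The following Python is an added example, not the researchers' detection logic and not EggStreme code: it scores Image Loaded records with two heuristics, a Windows DLL name loaded from outside the Windows directories, and an unsigned DLL loaded from the same directory as a non-system executable. The records are constructed; the `mscorsvw.exe` host, the Acme paths and the list of system DLL names beyond the two named in the article are assumptions for illustration, and a real deployment would build that list from a clean-host inventory.

```python
"""Flag DLL side-loading candidates in Sysmon Image Loaded (Event ID 7) records.

Added example: not EggStreme code and not the researchers' detection logic.
Assumptions: default Windows install paths; SYSTEM_DLL_NAMES is a small
illustrative subset that a real deployment would build from a clean-host
inventory; the sample records below are constructed.
"""
import ntpath
from dataclasses import dataclass

# Directories from which Windows normally loads its own DLLs (assumption:
# default install, no redirection).
SYSTEM_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
    r"c:\windows\microsoft.net",
)

# DLL names that live only under SYSTEM_DIRS on a clean host. mscorsvc.dll and
# xwizards.dll are the side-loaded names from the report; the rest are
# illustrative assumptions.
SYSTEM_DLL_NAMES = {"mscorsvc.dll", "xwizards.dll", "version.dll", "wininet.dll"}


@dataclass(frozen=True)
class ImageLoad:
    image: str             # Sysmon "Image": the process that loaded the DLL
    image_loaded: str      # Sysmon "ImageLoaded": full path of the DLL
    signed: bool           # Sysmon "Signed"
    signature_status: str  # Sysmon "SignatureStatus", e.g. "Valid"


def _under_system_dir(path):
    p = path.lower()
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def sideload_reasons(ev):
    """Return the reasons (empty if none) an Image Loaded event looks like side-loading."""
    dll_dir, dll_name = ntpath.split(ev.image_loaded.lower())
    exe_dir, _ = ntpath.split(ev.image.lower())
    reasons = []
    # Heuristic 1 (high confidence): a system DLL name resolved outside the system dirs.
    if dll_name in SYSTEM_DLL_NAMES and not _under_system_dir(ev.image_loaded):
        reasons.append("system DLL name %s loaded from non-system path %s" % (dll_name, dll_dir))
    # Heuristic 2 (lower confidence, needs triage): unsigned DLL beside a non-system EXE.
    validly_signed = ev.signed and ev.signature_status.lower() == "valid"
    if dll_dir == exe_dir and not _under_system_dir(ev.image) and not validly_signed:
        reasons.append("unsigned DLL loaded from the same directory as a non-system executable")
    return reasons


def scan(events):
    """Return [(event, reasons)] for every event with at least one reason."""
    return [(ev, r) for ev in events if (r := sideload_reasons(ev))]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Legitimate .NET service loading its own DLL from the framework directory.
    ImageLoad(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll",
              True, "Valid"),
    # Copied host binary loading an unsigned mscorsvc.dll from a user-writable path.
    ImageLoad(r"C:\Users\Public\Libraries\mscorsvw.exe",
              r"C:\Users\Public\Libraries\mscorsvc.dll",
              False, "Unavailable"),
    # Third-party app shipping a validly signed DLL that reuses a Windows DLL name.
    ImageLoad(r"C:\Program Files\Acme\acme.exe",
              r"C:\Program Files\Acme\xwizards.dll",
              True, "Valid"),
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_EVENTS):
        print(ev.image, "->", ev.image_loaded)
        for r in reasons:
            print("   ", r)
```

The first heuristic is the one worth alerting on; the second fires on plenty of legitimate third-party software and is better used to rank hits for an analyst than to page anyone.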
Geopolitical Context and Attribution Challenges
Targeting of Philippine entities by Chinese-linked groups is not new and is likely influenced by ongoing territorial disputes in the South China Sea involving China, Vietnam, the Philippines, Taiwan, Malaysia, and Brunei.
Although this specific campaign has not been attributed to a known Chinese APT group, its objectives and targeting align with those historically associated with Chinese state-sponsored actors. Researchers began tracking the activity in early 2024 but have yet to link it conclusively to an existing threat group.
A Persistent and Evasive Threat
The EggStreme malware family shows a high level of sophistication, persistence, and adaptability. Its reliance on fileless techniques, multi-stage execution, and redundant C2 infrastructure reflects the operators' familiarity with modern defences. For defenders, the practical lessons are concrete: monitor image-load telemetry for DLLs loaded from unexpected paths, scan memory rather than relying on file-based detection alone, and watch egress for gRPC/HTTP/2 sessions and external-IP lookups from processes that have no business making them.