A newly uncovered cyber-espionage campaign is attributed to a China-linked Advanced Persistent Threat (APT) group. While the campaign strongly aligns with Chinese APT tactics and regional objectives, researchers have not made a direct attribution to a known APT group. The attackers infiltrated the network of a defense contractor in the Philippines using the fileless malware platform EggStreme. This breach highlights a focused effort to compromise vital military and defense systems across the Asia-Pacific.
A Philippine defense company involved in military and maritime operations was the main focus of this campaign. Given its strategic role, the intrusion appears linked to geopolitical objectives, possibly connected to disputes in the South China Sea. The incident signals an increase in government-backed attacks on regional defense targets.
EggStreme deploys encrypted components to disk but executes malicious code only in memory, so decrypted payloads never reach the file system and conventional antivirus detection is bypassed. The infection process begins with EggStremeFuel, which establishes the initial connection between the compromised system and the attacker’s command server. EggStremeLoader then maintains persistence on the infected system by abusing disabled or manually configured Windows services, either by altering service registry keys to point to malicious executables or by replacing legitimate service binaries.
These services run with elevated privileges (SeDebugPrivilege), allowing the malware to maintain stealthy, persistent access across system reboots. EggStremeReflectiveLoader and EggStremeAgent work together to load a backdoor directly into memory, granting the attacker access to 58 control commands, such as keylogging and exfiltrating sensitive data. For each new user session, EggStremeAgent injects the EggStremeKeylogger into the explorer.exe process using a custom reflective loader technique, enabling covert and persistent monitoring. EggStremeAgent communicates securely with its command-and-control server using the Google Remote Procedure Call (gRPC) protocol with mutual TLS (mTLS) authentication, ensuring encrypted and resilient communication with the attacker’s infrastructure.
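The service-hijacking persistence described above leaves a trace in the registry: a service whose ImagePath (or svchost ServiceDll) now points to a binary that is unsigned, replaced, or outside the usual Windows trees. The following PowerShell audit is an added example for defenders, not code from the original report; the trusted roots and the relative-path rule are assumptions to tune per environment.

```powershell
# Added example (not from the original report): list services whose ImagePath or
# svchost ServiceDll points to an unsigned binary, a missing file, or a file outside
# the usual Windows/Program Files trees. Run elevated. Trusted roots and the
# relative-path rule are assumptions for this illustration, tune them per estate.
function Get-SuspiciousServiceBinaries {
    param(
        [string[]]$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)})
    )
    $startNames = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
    foreach ($key in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $props.ImagePath) { continue }
        # Check the ImagePath and, for svchost-hosted services, Parameters\ServiceDll.
        $targets = @($props.ImagePath)
        $dll = (Get-ItemProperty -Path "$($key.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) { $targets += $dll }
        foreach ($raw in $targets) {
            # Normalise \??\ and \SystemRoot\ prefixes, %VARS%, quotes and trailing arguments.
            $expanded = [Environment]::ExpandEnvironmentVariables($raw) -replace '^\\\?\?\\', '' `
                        -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
            if ($expanded -notmatch '^"?(?<path>[^"]*?\.(?:exe|sys|dll))"?') { continue }
            $path = $Matches.path
            # Assumption: a path without a drive letter is relative to %SystemRoot%.
            if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
            $reasons = @()
            $trusted = $TrustedRoots | Where-Object { $_ -and $path.StartsWith($_, 'OrdinalIgnoreCase') }
            if (-not $trusted) { $reasons += 'outside trusted roots' }
            if (-not (Test-Path -LiteralPath $path)) {
                $reasons += 'binary missing'
            } else {
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
            }
            if ($reasons.Count -eq 0) { continue }
            [pscustomobject]@{
                Service   = $key.PSChildName
                StartType = $startNames[[int]$props.Start]
                Binary    = $path
                Reason    = $reasons -join '; '
            }
        }
    }
}
Get-SuspiciousServiceBinaries | Sort-Object Service | Format-Table -AutoSize
```

Hits are triage leads rather than verdicts: third-party software legitimately installs services outside the Windows tree, so compare the output against a known-good baseline and pay particular attention to services whose binary changed recently or whose start type was flipped from Disabled or Manual.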
EggStremeWizard is a secondary backdoor deployed through DLL sideloading alongside the legitimate xwizard.exe, providing attackers with an additional means of remote system access. Stowaway acts as an internal proxy, allowing attackers to redirect traffic and navigate through the network, even bypassing segmentation and firewall protections.
The malware enables attackers to covertly monitor system activity, capture keystrokes, extract sensitive data, and navigate the internal network, posing a significant risk to national security. The attackers extensively use legitimate Windows binaries, such as WinMail.exe and xwizard.exe, for DLL sideloading, blending malicious code with trusted system processes and complicating traditional detection methods. EggStremeWizard incorporates multiple command-and-control servers, ensuring persistent connectivity even if individual servers are taken offline, thus providing reliable redundancy for attacker control.
This case shows how far state-sponsored cyber groups have advanced. It also points to the urgent need for better detection tools beyond traditional antivirus programs, especially in areas facing increased geopolitical tensions.