Husain Parvez
Published on: September 16, 2025
A newly discovered malware framework named EggStreme has been linked to the compromise of a Philippine military company, according to researchers at Bitdefender. The fileless, multi-stage toolset is assessed to align with Chinese APT objectives, though researchers say attribution to a known group remains unconfirmed.
“This multi-stage toolset achieves persistent, low-profile espionage by injecting malicious code directly into memory and leveraging DLL sideloading to execute payloads,” Bitdefender researcher Bogdan Zavadovschi explained in the published report. He added that “the core component, EggStremeAgent, is a full-featured backdoor that enables extensive system reconnaissance, lateral movement, and data theft via an injected keylogger.”
The attack chain begins with a malicious DLL called EggStremeFuel, which is sideloaded by a legitimate Windows binary to open a reverse shell and profile the infected machine. It then launches EggStremeLoader and EggStremeReflectiveLoader, which decrypt and inject the main EggStremeAgent implant into trusted processes like winlogon.exe or MsMpEng.exe. This backdoor supports 58 distinct commands, including process injection, privilege escalation, file operations, and exfiltration.
Each new user session triggers the injection of EggStremeKeylogger into explorer.exe, enabling the capture of keystrokes, clipboard data, and system details. A secondary implant, EggStremeWizard, provides backup access through DLL sideloading of xwizard.exe, while the attackers also deploy the Stowaway proxy tool to tunnel internal traffic and aid lateral movement.
The framework relies on encrypted communications using gRPC over mutual TLS, with infrastructure tied to domains such as whosecity[.]org, webpirat[.]net, and fsstore[.]org. Analysts first detected malicious activity in early 2024, when a logon batch script from an SMB share deployed initial files to the target environment.
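The behaviours described above (a trusted binary sideloading a DLL from an untrusted directory, remote threads created in winlogon.exe, MsMpEng.exe or explorer.exe, and DNS lookups to the reported domains) map directly onto hunting rules. The following Python is an added example, not code from Bitdefender or the article: it runs three such heuristics over constructed endpoint-telemetry records. The record schema (`type`, `process`, `image`, `source`, `target`, `query`), the file paths and the DLL name in the sample data are assumptions for illustration; only the domains and process names come from the report.

```python
"""Heuristic hunting rules for the EggStreme patterns described in the article.

Constructed example. The telemetry schema below is a simplified, hypothetical
one (not Sysmon's or any EDR's); the sample records are made up for the demo.
"""
from __future__ import annotations

from typing import Iterable

# C2 domains named in the report, kept defanged exactly as published.
REPORTED_C2_DOMAINS = {"whosecity[.]org", "webpirat[.]net", "fsstore[.]org"}

# Processes the report names as injection targets for the agent and keylogger.
INJECTION_TARGETS = {"winlogon.exe", "msmpeng.exe", "explorer.exe"}

# Trusted Windows binary the report names as the sideloading host (EggStremeWizard).
SIDELOAD_HOSTS = {"xwizard.exe"}

# Directories a signed Windows binary is expected to load its DLLs from.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Processes allowed to create remote threads in the targets above. Left empty
# here; in real data, EDR/AV components must be added after tuning.
ALLOWED_REMOTE_THREAD_SOURCES: set[str] = set()


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'example[.]org' back into a hostname."""
    return domain.replace("[.]", ".").lower()


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan_events(events: Iterable[dict]) -> list[dict]:
    """Return one finding per record that matches an EggStreme-style pattern."""
    c2 = {refang(d) for d in REPORTED_C2_DOMAINS}
    findings: list[dict] = []
    for ev in events:
        kind = ev.get("type")
        if kind == "dns_query":
            q = ev.get("query", "").lower().rstrip(".")
            # Exact match or any subdomain of a reported C2 domain.
            if q in c2 or any(q.endswith("." + d) for d in c2):
                findings.append({"rule": "c2_domain_lookup",
                                 "process": ev.get("process"), "query": q})
        elif kind == "image_load":
            host = _basename(ev.get("process", ""))
            dll = ev.get("image", "").lower()
            # Sideloading signal: the trusted host loads a DLL from outside System32.
            if host in SIDELOAD_HOSTS and not dll.startswith(TRUSTED_DLL_DIRS):
                findings.append({"rule": "dll_sideload_untrusted_dir",
                                 "process": host, "image": ev.get("image")})
        elif kind == "remote_thread":
            target = _basename(ev.get("target", ""))
            source = _basename(ev.get("source", ""))
            if target in INJECTION_TARGETS and source not in ALLOWED_REMOTE_THREAD_SOURCES:
                findings.append({"rule": "remote_thread_into_trusted_process",
                                 "source": source, "target": target})
    return findings


# Constructed sample telemetry: two benign records and three that should fire.
SAMPLE_EVENTS = [
    {"type": "dns_query", "process": r"C:\Windows\System32\svchost.exe",
     "query": "update.microsoft.com"},
    {"type": "dns_query", "process": r"C:\Windows\System32\winlogon.exe",
     "query": "whosecity.org"},
    {"type": "image_load", "process": r"C:\Windows\System32\xwizard.exe",
     "image": r"C:\Windows\System32\kernel32.dll"},
    # Hypothetical staging path and DLL name; the report does not give these.
    {"type": "image_load", "process": r"C:\Users\Public\xwizard.exe",
     "image": r"C:\Users\Public\sideloaded_placeholder.dll"},
    {"type": "remote_thread", "source": r"C:\Users\Public\loader_placeholder.exe",
     "target": r"C:\Windows\System32\winlogon.exe"},
    {"type": "remote_thread", "source": r"C:\Windows\explorer.exe",
     "target": r"C:\Windows\System32\notepad.exe"},
]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

The sideloading rule only inspects the host named in the report; extending `SIDELOAD_HOSTS` to other signed binaries is the usual next step, at the cost of tuning `TRUSTED_DLL_DIRS` for applications that legitimately ship DLLs beside their executable. The remote-thread rule is deliberately noisy until `ALLOWED_REMOTE_THREAD_SOURCES` is populated from the environment's own security tooling.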
Bitdefender’s Martin Zugec told The Hacker News that attribution was left open, noting, “we put quite a lot of effort into attribution efforts, but couldn’t find anything. However, objectives align with Chinese APTs.”