EggStreme Malware: Unpacking New APT Framework Targeting Philippine Military Company
Plot Between Philippines and China Is, Indeed, Thickening with Latest Cyber Report

A Chinese APT group compromised a Philippine military company using a new, fileless malware framework called EggStreme. This multi-stage toolset achieves persistent, low-profile espionage by injecting malicious code directly into memory, and leveraging DLL sideloading to execute payloads. The core component, EggStremeAgent, is a full-featured backdoor that enables extensive system reconnaissance, lateral movement, and data theft via an injected keylogger.
A recent report has analysed a sophisticated cyberattack targeting a military company based in the Philippines, which led to the discovery of a new and advanced malware toolset. Based on the target’s strategic value, and the geopolitical context of the South China Sea, the attackers’ tactics, techniques, and procedures (TTPs) are consistent with those of Chinese APT groups. The attackers’ primary focus was to achieve persistent access for long-term espionage and surveillance, highlighting the work of a highly professional threat actor whose objectives align with known national interests.
The core of our findings centres on the EggStreme framework, a tightly integrated set of malicious components. Unlike traditional malware, this framework operates with a clear, multi-stage flow designed to establish a resilient foothold on compromised systems. The attack begins with EggStremeFuel, which deploys EggStremeLoader to set up a persistent service. This loader then executes the EggStremeReflectiveLoader, which in turn launches the main EggStremeAgent.
The EggStremeAgent is the central nervous system of the framework. It operates by monitoring new user sessions, and, for every new session detected, it injects the EggStremeKeylogger into the active explorer.exe process to silently collect keystrokes and other sensitive data. This agent is a full-featured backdoor with a broad range of capabilities. Its 58 commands enable the attackers to perform extensive local and network discovery, enumerate system resources, execute arbitrary shellcode, lateral movement, or inject other payloads, most notably the EggStremeWizard backdoor. The attackers use this to launch a legitimate binary that sideloads the malicious DLL, a technique they consistently abuse throughout the attack chain.
What makes this framework difficult to detect is its fileless nature. While encrypted malware components are present on the disk, the decrypted malicious code is executed and resides solely in memory, never touching the file system. This, coupled with the heavy use of DLL sideloading, and the sophisticated, multi-stage execution flow, allows the framework to operate with a low profile, making it a significant, and persistent, threat.
Technical Analysis Overview
The first sign of malicious activity that triggered our investigation in early 2024 was the execution of a logon batch script from a server message block (SMB) share. The exact method by which the script was placed on the SMB share is unknown, and remains a key area of investigation.
The script’s primary function was to deploy two files to the Windows directory: a legitimate Windows binary, and a malicious dynamic-link library (DLL). This is a classic example of DLL sideloading (read our explainer), a technique where an attacker places a malicious DLL in a location where a legitimate program will search for it. When the legitimate binary is executed, it loads the malicious DLL instead of the system’s original version. This allows the attacker to execute their malicious code under the guise of a trusted programme, bypassing many security controls.
The malicious mscorsvc.dll is the first stage of the attack chain, referred to as EggStremeFuel. This component serves as a loader, and is responsible for setting up the environment for the final payload. EggStremeFuel includes capabilities for system fingerprinting, which allows the attacker to gather information about the compromised machine. Its most critical function is to establish a reverse shell, which it does by invoking a command prompt, and creating a communication channel with the command-and-control (C2) server using read-write pipes. This provides the attacker with a remote command-line interface on the compromised system.
To maintain a persistent presence, the attacker abused several disabled Windows services. This was accomplished by either altering the service’s associated registry key to point to a malicious executable, or by directly replacing the legitimate service binary with their own. In both scenarios, the attacker configured the service to run with SeDebugPrivilege, a highly elevated right that allows a process to debug, and access the memory of, other processes on the system.
The malicious binary executed by these services is named EggStremeLoader. This component is responsible for reading a file that contains both the encrypted EggStremeReflectiveLoader, and the EggStremeAgent payload. After decrypting the reflective loader, it injects it into a trusted process. The EggStremeReflectiveLoader uses a token from its host process to spawn a new, suspended process. It then decrypts, and injects, the final payload, the EggStremeAgent, into this new process.
Extreme Eggstreme
This final implant, named EggStremeAgent, is a sophisticated backdoor that communicates with the C2 server using the gRPC protocol. gRPC is a modern, high-performance, open-source framework for building remote procedure calls (RPCs).
EggStremeAgent is feature-rich, supporting a total of 58 distinct commands. These commands enable a wide range of capabilities, including:
-
System Fingerprinting: Gathering detailed host information.
-
Resource Enumeration: Scanning local and remote network resources.
-
Privilege Escalation: Gaining higher-level permissions.
-
Command Execution: Running arbitrary commands on the system.
-
Data Exfiltration: Stealing sensitive data.
-
File and Directory Manipulation: Creating, deleting, and modifying files.
-
Process Injection: Injecting code into other running processes.
On several machines, a secondary, more lightweight backdoor was observed. The attacker used the legitimate xwizard.exe to sideload a malicious DLL named xwizards.dll, which has been named EggStremeWizard. This secondary backdoor provides reverse shell access, and file upload/download capabilities. Its design also incorporates a list of multiple C2 servers, enhancing its resilience, and ensuring that communication with the attacker can be maintained even if one C2 server is taken offline.



