<h1>Chinese APT Actor Compromises Military Firm with Novel Fileless Malware Toolset</h1>
<p>James Coker | 13 September 2025</p>
<p>A Chinese APT group has compromised a Philippines-based military firm using a novel, sophisticated fileless malware framework dubbed “EggStreme”, Bitdefender researchers have warned.</p>
<p>The multi-stage toolset achieves persistent, low-profile espionage by injecting malicious code directly into memory and leveraging DLL sideloading to execute payloads.</p>
<p>These payloads include a backdoor called “EggStremeAgent”, which enables extensive system reconnaissance, lateral movement and data theft via an injected keylogger.</p>
<p>The researchers said that the modular, fileless and living-off-the-land (LOTL) approach deployed by the framework highlights a significant shift in adversary tradecraft.</p>
<p>“The threat is not a collection of individual executables but a dynamic, multi-stage operation that leverages legitimate tools and system behaviors to remain undetected,” they noted.</p>
<p>The strategic value of the target, its location on the South China Sea, and the tactics used in the attack are consistent with those of Chinese APT groups.</p>
<p>“The attackers’ primary focus was to achieve persistent access for long-term espionage and surveillance, highlighting the work of a highly professional threat actor whose objectives align with known national interests,” the researchers added.</p>
<h2>How the Fileless Malware is Deployed</h2>
<p>The Bitdefender report, published on September 10, revealed that the firm’s investigation began in early 2024 after detecting the execution of a logon batch script from an SMB share.</p>
<p>The exact method by which the script was placed on the SMB share is unknown.</p>
<p>The script’s primary function was to deploy two files to the Windows directory. One of these was a malicious DLL named mscorsvc.dll.</p>
<p>The malicious mscorsvc.dll was the first stage of the attack chain, dubbed “EggStremeFuel,” which sets up the environment for the final payload.</p>
<p>The EggStremeFuel component includes capabilities for system fingerprinting, which allows the attacker to gather information about the compromised machine.</p>
<p>Its most important function is to establish a reverse shell and create a communication channel with the command-and-control (C2) server using read-write pipes. This provides the attacker with a remote command-line interface (CLI) on the compromised system.</p>
<p>The APT actor maintained persistent access by abusing several legitimate Windows services that are not enabled by default. This allowed them to blend into normal system operations while maintaining access.</p>
<p>The attacker then deployed a malicious binary named “EggStremeLoader.” This component is responsible for reading a file that contains both the encrypted “EggStremeReflectiveLoader” and the EggStremeAgent payload.</p>
<p>The final EggStremeAgent implant is a sophisticated backdoor that communicates with the C2 server using the gRPC protocol, an open-source framework for building remote procedure calls (RPCs).</p>
<p>The malware supports 58 distinct commands, including system fingerprinting, privilege escalation, command execution, data exfiltration and process injection.</p>
<p>On several machines, a secondary, more lightweight backdoor named “EggStremeWizard” was deployed. This secondary backdoor provides reverse shell access and file upload/download capabilities.</p>
<p>“The campaign’s success is a direct result of a highly coordinated malware toolkit, not a collection of isolated implants. Each component serves a distinct purpose in the attack chain, from initial execution and persistence to in-memory payload delivery and final remote command and control. A deeper analysis reveals strong ties among the components, suggesting a single, unified development effort,” the researchers noted.</p>
<h2>How to Defend Against the EggStreme Toolkit</h2>
<p>Bitdefender provided a series of recommendations for security teams to defend against sophisticated fileless malware toolkits such as EggStreme. These include:</p>
<ul>
<li>Limiting the use of legitimate but high-risk binaries to proactively reduce your attack surface</li>
<li>Adopting detection and response capabilities to identify complex attack chains and detect behavioral anomalies that bypass prevention layers</li>
</ul>