An advanced persistent threat group from China has been linked to compromising a Philippines-based military services company using EggStreme, a previously undocumented fileless malware framework, Bitdefender researchers said in a report. The researchers described EggStreme as a tightly integrated set of malicious components engineered to establish a resilient foothold while operating in memory and avoiding disk traces.
The toolset begins with EggStremeFuel, a DLL named mscorsvc.dll, which profiles the host and then deploys EggStremeLoader to set up persistence. That stage is followed by EggStremeReflectiveLoader, which in turn launches EggStremeAgent, the backdoor that provides broad reconnaissance, lateral movement and data theft capabilities.
EggStremeAgent is described as the framework’s central nervous system: it monitors for new user sessions and injects a keylogger component, EggStremeKeylogger, to harvest keystrokes and other sensitive data. The backdoor communicates with its command-and-control infrastructure over a protocol based on gRPC (Google Remote Procedure Call).
According to Bitdefender, the framework ships with 58 commands that support local and network discovery, arbitrary shellcode execution, privilege escalation, lateral movement, data exfiltration and payload injection. An auxiliary implant named EggStremeWizard is also part of the package.
Security researchers note the activity aligns with a broader pattern of Chinese state-sponsored hacking in the Asia-Pacific region, a trend shaped by ongoing geopolitical tensions in the South China Sea. CFR provides context on the disputed waters and regional security concerns.
Bitdefender described EggStreme as a multi-component threat designed for persistent access and evasion, highlighting its memory-resident operation, its use of DLL side-loading and its multi-stage execution flow. The firm added that the framework is built to keep its foothold even when part of its infrastructure goes offline.
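The DLL side-loading technique mentioned above leaves one telemetry trace even for otherwise fileless tooling: the hijacked DLL is loaded from a directory where the legitimate DLL of that name never lives. The following is an added example, not from the article or Bitdefender, showing how a defender can flag that pattern over Sysmon-style "Image loaded" records. The log lines are constructed, the record format is a simplified `key=value|key=value` layout rather than real Sysmon XML, and the directory allow-list is an illustrative assumption rather than a complete inventory of valid locations.

```python
"""
Added example (not code from the article or the threat actor): a simple
DLL side-loading check over constructed, Sysmon-like "Image loaded" records.
A DLL whose file name matches a known system DLL, but which is loaded from
outside the directories where that DLL legitimately resides (or which is
unsigned), is treated as a side-loading candidate.
"""
import ntpath
from dataclasses import dataclass

# Assumption for illustration: directories in which these system DLLs are
# expected to live. A production allow-list would be derived from a known-good
# baseline of the fleet, not hard-coded.
EXPECTED_DIRS = {
    "mscorsvc.dll": [
        r"c:\windows\microsoft.net\framework",
        r"c:\windows\microsoft.net\framework64",
    ],
    "version.dll": [r"c:\windows\system32", r"c:\windows\syswow64"],
}


@dataclass
class ImageLoad:
    process: str        # executable that performed the load
    image_loaded: str   # full path of the DLL that was loaded
    signed: bool        # whether the DLL carried a valid signature


def parse_record(line: str) -> ImageLoad:
    """Parse one constructed 'Key=Value|Key=Value' record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(
        process=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        signed=fields.get("Signed", "false").lower() == "true",
    )


def is_suspicious_load(rec: ImageLoad) -> bool:
    """True if a watched DLL name is loaded from an unexpected directory or is unsigned."""
    name = ntpath.basename(rec.image_loaded).lower()
    if name not in EXPECTED_DIRS:
        return False  # not a DLL we are watching
    directory = ntpath.dirname(rec.image_loaded).lower()
    in_expected = any(
        directory == d or directory.startswith(d + "\\")
        for d in EXPECTED_DIRS[name]
    )
    return (not in_expected) or (not rec.signed)


def find_sideload_candidates(lines):
    """Return the ImageLoad records that look like DLL side-loading."""
    return [rec for rec in map(parse_record, lines) if is_suspicious_load(rec)]


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    r"Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
    r"|ImageLoaded=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll|Signed=true",
    r"Image=C:\ProgramData\ExampleVendor\updater.exe"
    r"|ImageLoaded=C:\ProgramData\ExampleVendor\mscorsvc.dll|Signed=false",
    r"Image=C:\Windows\System32\notepad.exe"
    r"|ImageLoaded=C:\Windows\System32\version.dll|Signed=true",
    r"Image=C:\Windows\explorer.exe"
    r"|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true",
]

if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_LOG):
        print(f"side-load candidate: {hit.process} loaded {hit.image_loaded} (signed={hit.signed})")
```

Only the second record is reported: a DLL carrying a .NET runtime name loaded by an unrelated executable from a writable application directory. The first record, the same DLL name under the .NET framework directory, passes, which is the point of the directory check: file name alone is not an indicator, file name plus location is.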