A Chinese APT compromised a Philippine military company using a new fileless malware framework called EggStreme that injects payloads into memory and abuses DLL sideloading for persistent espionage. The core EggStremeAgent backdoor (with an injected EggStremeKeylogger) supports 58 commands for reconnaissance, lateral movement, and data exfiltration. #EggStreme #EggStremeAgent
Key points
- The attack targeted a Philippine military company and is attributed to a Chinese APT based on TTPs and strategic context.
- EggStreme is a multi-stage, mostly fileless framework: EggStremeFuel → EggStremeLoader → EggStremeReflectiveLoader → EggStremeAgent.
- Attackers achieve persistence by abusing disabled or manual-start Windows services: replacing the service binary or changing the ServiceDLL registry value, setting the service to auto-start, and granting themselves SeDebugPrivilege.
- EggStremeAgent is a feature-rich in-memory backdoor using gRPC with mutual TLS, offering 58 commands for fingerprinting, file ops, process injection, lateral movement, and exfiltration.
- Surveillance is enabled by EggStremeKeylogger, injected into explorer.exe to capture keystrokes, clipboard, screenshots, and network fingerprints; logs are RC4-encrypted on disk.
- Auxiliary components include EggStremeWizard (DLL sideloaded via xwizard.exe) and Stowaway (Go-based proxy) to maintain redundancy and enable internal pivoting.
- Infrastructure used shared CA certificates and multiple C2 domains/IPs (e.g., whosecity[.]org, webpirat[.]net, 154.90.35.190), indicating coordinated, refreshable C2 infrastructure.
MITRE Techniques
- [T1036] Masquerading – Attackers placed legitimate binaries (WinMail.exe, xwizard.exe) alongside malicious DLLs (mscorsvc.dll, xwizards.dll) to sideload malicious code (“…a legitimate Windows binary named WinMail.exe and a malicious DLL named mscorsvc.dll…”).
- [T1218] Signed Binary Proxy Execution – Use of legitimate binaries (WinMail.exe, xwizard.exe, msdt.exe) to load malicious DLLs and execute payloads under trusted executables (“…when the legitimate WinMail.exe is executed, it loads the malicious mscorsvc.dll…”).
- [T1055] Process Injection – EggStreme components inject payloads into trusted processes (winlogon.exe, explorer.exe, MsMpEng.exe) to execute in memory (“…injects the EggStremeReflectiveLoader into winlogon.exe…” and “…inject the EggStremeAgent payload into this new, suspended process…”).
- [T1105] Ingress Tool Transfer – Multiple stages read encrypted payloads from on-disk containers such as ielowutil.exe.mui and splwow64.exe.mui and decrypt them in memory (“…reads a file at %WINDIR%\en-us\ielowutil.exe.mui that contains both the encrypted EggStremeReflectiveLoader and the EggStremeAgent payload.”).
- [T1027] Obfuscated Files or Information – Use of RC4 and XOR encryption for strings and payloads and encrypted on-disk configuration (“…strings … were XORed with the key 0xDD…; Each of these three parts is individually encrypted with RC4.”).
- [T1053] Scheduled Task/Service Persistence – Abusing Windows services for persistence by replacing service binaries or changing ServiceDLL registry values and setting AUTO_START (“…modified the ServiceDLL registry value located at HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>\Parameters to load a malicious DLL…”).
- [T1574] Hijack Execution Flow – Reflective loader technique to load DLLs from memory and bypass the standard loader (“…reflective loader…loads a DLL into a running process directly from memory rather than from a file on disk.”).
- [T1071] Application Layer Protocol – C2 uses gRPC over TLS for command and control communications (“…the final implant…communicates with the C2 server using the gRPC protocol…”).
- [T1041] Exfiltration Over C2 Channel – Commands include compressing and sending files using GZIP/Zlib and uploading to C2 (“…Exfiltration: Compresses a file or all files in a directory into a GZIP archive using Zlib 1.2.13”).
- [T1113] Screen Capture – Agent supports screenshots that are saved and sent to C2 (“…Screenshot: Takes a screenshot of the entire screen, saves it as a bitmap, and sends it buffered to the C2 server”).
- [T1050] New Service – Ability to create remote services for persistence on remote hosts (“…Create Remote Service: Creates and configures a new service on a remote system for persistence…”).
- [T1049] System Network Connections Discovery – Agent lists TCP connections, ARP entries, and network properties (“…List Connections: Lists all TCP connections…”; “ARP Entries: Enumerates the Address Resolution Protocol entries”).
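The service-persistence technique above (a swapped ServiceDLL, a start type flipped to AUTO_START, or a service binary replaced with something in a user-writable directory) is easiest to catch by diffing the live Services registry hive against a known-good baseline, because the swapped DLL can sit in System32 and look perfectly normal on its own. The following script is an added example written for this summary; it is not Bitdefender's code or tooling. It parses the text format of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` and flags deviations. The sample registry output, the baseline values, and the `UpdaterSvc` service are all constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s`
# output (not taken from the report). MSiSCSI is shown with its ServiceDll
# swapped and its start type changed to AUTO_START (2); UpdaterSvc is a
# hypothetical service whose binary lives in a user-writable directory.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI
    Start           REG_DWORD        0x2
    ImagePath       REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs -p

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI\Parameters
    ServiceDll      REG_EXPAND_SZ    %SystemRoot%\system32\msiscsi.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp
    Start           REG_DWORD        0x2
    ImagePath       REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted -p

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters
    ServiceDll      REG_EXPAND_SZ    %SystemRoot%\system32\dhcpcore.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UpdaterSvc
    Start           REG_DWORD        0x2
    ImagePath       REG_EXPAND_SZ    C:\Users\alice\AppData\Roaming\Microsoft\Windows\Windows Mail\WinMail.exe
"""

# Constructed baseline of expected values for a clean host (in practice,
# captured from a known-good build). Start: 2 = AUTO_START, 3 = DEMAND_START.
BASELINE = {
    "msiscsi": {"ServiceDll": r"%systemroot%\system32\iscsiexe.dll", "Start": 3},
    "dhcp":    {"ServiceDll": r"%systemroot%\system32\dhcpcore.dll", "Start": 2},
}

# Match the service key itself or its Parameters subkey; other subkeys are ignored.
KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\s]+)(\\Parameters)?\s*$",
    re.I)
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")
SYSTEM_DIRS = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\",
                 "%appdata%", "%localappdata%", "%temp%")


def normalize(path):
    """Lower-case and strip quotes so paths compare reliably."""
    return path.strip().strip('"').lower()


def parse_services(text):
    """Group the value lines of each service key (and its Parameters subkey) by service name."""
    services = defaultdict(dict)
    current = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            m = KEY_RE.match(line)
            current = m.group(1) if m else None  # unrelated subkey: skip its values
            continue
        v = VALUE_RE.match(line)
        if current and v:
            name, typ, data = v.groups()
            services[current][name] = int(data, 16) if typ == "REG_DWORD" else data
    return dict(services)


def audit_services(services, baseline=BASELINE):
    """Return (service, reason, detail) tuples for persistence-style anomalies."""
    findings = []
    for name, vals in services.items():
        dll, start, image = vals.get("ServiceDll"), vals.get("Start"), vals.get("ImagePath")
        expected = baseline.get(name.lower())
        if expected:
            # Baseline comparison catches a swapped DLL even when it still sits in System32.
            if dll is not None and normalize(dll) != expected["ServiceDll"]:
                findings.append((name, "ServiceDll deviates from baseline",
                                 f"{dll} (expected {expected['ServiceDll']})"))
            if start is not None and start != expected["Start"]:
                findings.append((name, "start type changed",
                                 f"{start} (expected {expected['Start']})"))
        if dll is not None and not normalize(dll).startswith(SYSTEM_DIRS):
            findings.append((name, "ServiceDll outside System32", dll))
        if image is not None and any(m in normalize(image) for m in USER_WRITABLE):
            findings.append((name, "ImagePath in user-writable location", image))
    return findings


if __name__ == "__main__":
    for svc, reason, detail in audit_services(parse_services(SAMPLE_REG_QUERY)):
        print(f"[{svc}] {reason}: {detail}")
```

The baseline check is the important one: a path allow-list alone would have passed the swapped DLL because it still lived under System32, which is exactly why the page's example (iscsiexe.dll replaced by msiscsi.dll) is hard to spot without a reference copy of the hive.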
Indicators of Compromise
- [Domain] C2 domains observed – whosecity[.]org, webpirat[.]net (used as C2 domains tied to EggStreme infrastructure)
- [Domain] Additional C2 domains – ronaldmooremd[.]net, kazinovavada[.]com (other C2 domains listed)
- [IP] C2 IP addresses – 154.90.35.190 (observed C2 using a certificate for fsstore[.]org), 45.115.224.163 (newer certificate observed)
- [File Path] Sideloaded binaries and payload containers – %APPDATA%\Microsoft\Windows\Windows Mail\WinMail.exe with mscorsvc.dll, C:\Windows\en-US\ielowutil.exe.mui (contains encrypted payloads)
- [File Path] Keylogger and auxiliary DLL locations – C:\Windows\en-US\splwow64.exe.mui (EggStremeKeylogger), %LOCALAPPDATA%\Microsoft\WindowsApps\xwizard.exe with xwizards.dll (EggStremeWizard)
- [Registry/Service] Service modifications – ServiceDLL registry changes at HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>\Parameters (example: iscsiexe.dll → msiscsi.dll for MSiSCSI)
- [Certificate] CA Subject Key Identifier – 51655e8e97fc7265b1aaa4265d94e2f7cae9c913 (unique CA used to issue C2 certificates)
- [File Hashes] Encrypted payload container and other artifacts – ielowutil.exe.mui (contains multiple encrypted payloads), and other hashes available on GitHub (and 2 more hashes)
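The indicators above are published defanged, and the certificate indicator is a CA's Subject Key Identifier, which appears as the Authority Key Identifier on every leaf certificate that CA issued, so it is matched against the issuer field of TLS logs rather than against the server certificate's own fingerprint. The script below is an added example for this summary, not Bitdefender's code: it refangs the page's indicators and sweeps constructed DNS, proxy and TLS log lines for them, matching subdomains of listed domains and avoiding substring false positives on IPs (154.90.35.19 must not match 154.90.35.190). The log lines and their field names are constructed for the demonstration.

```python
import re

# Indicators exactly as listed on the page, still defanged.
DEFANGED_IOCS = {
    "domain": ["whosecity[.]org", "webpirat[.]net", "ronaldmooremd[.]net",
               "kazinovavada[.]com", "fsstore[.]org"],
    "ip": ["154.90.35.190", "45.115.224.163"],
    # CA Subject Key Identifier; shows up as the AKI of leaf certs it issued.
    "ca_ski": ["51655e8e97fc7265b1aaa4265d94e2f7cae9c913"],
}

# Constructed log lines (not from the report); field names are assumptions.
SAMPLE_LOGS = [
    "2025-09-10T08:12:31Z dns client=10.0.5.23 query=update.whosecity.org type=A",
    "2025-09-10T08:12:32Z proxy client=10.0.5.23 dst=154.90.35.190:443 host=whosecity.org",
    "2025-09-10T08:12:33Z tls client=10.0.5.23 server=154.90.35.190 "
    "issuer_aki=51655E8E97FC7265B1AAA4265D94E2F7CAE9C913",
    "2025-09-10T08:13:01Z dns client=10.0.5.40 query=www.example.com type=A",
    "2025-09-10T08:14:10Z proxy client=10.0.5.41 dst=154.90.35.19:443 host=cdn.example.net",
]

HOST_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b")  # hostnames with an alphabetic TLD
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")          # whole dotted quads only
HEX40_RE = re.compile(r"\b[0-9a-f]{40}\b")                   # SHA-1 sized key identifiers


def refang(ioc):
    """Turn a defanged indicator back into its matchable form."""
    return ioc.lower().replace("[.]", ".").replace("hxxp", "http")


def load_iocs(defanged=DEFANGED_IOCS):
    return {kind: {refang(v) for v in vals} for kind, vals in defanged.items()}


def domain_hit(token, domains):
    """Exact match or a subdomain of a listed domain; returns the listed domain."""
    for d in domains:
        if token == d or token.endswith("." + d):
            return d
    return None


def scan_line(line, iocs):
    """Return (kind, indicator) pairs found in one log line."""
    hits = []
    low = line.lower()
    for tok in IP_RE.findall(low):
        if tok in iocs["ip"]:
            hits.append(("ip", tok))
    for tok in HOST_RE.findall(low):
        d = domain_hit(tok, iocs["domain"])
        if d:
            hits.append(("domain", d))
    for tok in HEX40_RE.findall(low):
        if tok in iocs["ca_ski"]:
            hits.append(("ca_ski", tok))
    return hits


def scan_logs(lines, defanged=DEFANGED_IOCS):
    """Return (line_number, kind, indicator) for every indicator hit."""
    iocs = load_iocs(defanged)
    return [(n, kind, ind)
            for n, line in enumerate(lines, 1)
            for kind, ind in scan_line(line, iocs)]


if __name__ == "__main__":
    for n, kind, ind in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {kind} {ind}")
```

Tokenising with word-boundary regexes rather than a plain substring search is what keeps the shorter 154.90.35.19 address from matching, and the subdomain rule is what still catches `update.whosecity.org`; the report notes the C2 infrastructure is refreshable, so the domain and IP lists should be treated as a starting point rather than a complete set.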
Read more: https://www.bitdefender.com/en-us/blog/businessinsights/eggstreme-fileless-malware-cyberattack-apac