EggStreme: Chinese APT Group’s Advanced Espionage Toolset Against the Philippines

Published Date: September 12, 2025
Category: ShadowOpsIntel
Share:

In September 2025, Bitdefender researchers uncovered EggStreme, a fileless and modular malware framework attributed to a Chinese APT group. The campaign targeted a Philippine military company, aligning with the geopolitical tensions in the South China Sea. Unlike traditional malware, EggStreme executes almost entirely in memory, uses DLL sideloading, and maintains multi-stage persistence, making detection extremely difficult. Its modular design allows long-term espionage, lateral movement, and continuous data theft.

Severity Level: High

Threat Details

  1. Entry Point (Unknown) → SMB Share Compromise
    • The attackers somehow gained access to a remote SMB share. A logon batch script (logon.bat) was placed in \\netlogon.
  2. Execution of logon.bat
    • When triggered, the script deployed two files into %APPDATA%\Microsoft\Windows\Windows Mail\
    • WinMail.exe (legitimate binary) & mscorsvc.dll (malicious DLL → EggStremeFuel)
  3. DLL Sideloading
    • WinMail.exe sideloaded mscorsvc.dll.
    • EggStremeFuel established a reverse shell, fingerprinted the host, and set the stage for persistence.
  4. Persistence via Service Hijacking
    • Attackers abused disabled/rare Windows services (AppMgmt, SWPRV, MSiSCSI).
    • They modified ServiceDLL registry values or swapped binaries, granting SeDebugPrivilege.
    • This allowed the malicious binary EggStremeLoader to be executed as a service.
  5. EggStremeLoader → EggStremeReflectiveLoader
    • EggStremeLoader read the encrypted payloads (ReflectiveLoader + Agent) from
      C:\Windows\en-US\ielowutil.exe.mui.
    • It decrypted ReflectiveLoader and injected it into winlogon.exe.
  6. EggStremeReflectiveLoader → EggStremeAgent
    • Using a stolen token from winlogon.exe, ReflectiveLoader spawned a suspended process (MsMpEng.exe or explorer.exe).
    • It decrypted and injected EggStremeAgent into the new process.
  7. EggStremeAgent (Core Backdoor)
    • Fileless implant with 58 commands over encrypted gRPC (mTLS).
    • Capabilities: reconnaissance, privilege escalation, command execution, lateral movement, exfiltration, keylogger injection.
  8. Secondary Persistence → EggStremeWizard
    • Attackers sideloaded xwizards.dll via a relocated xwizard.exe.
    • This provided backup reverse shell and redundant C2 communication.
  9. Surveillance → EggStremeKeylogger
    • Stored at C:\Windows\en-US\splwow64.exe.mui, decrypted and injected into explorer.exe.
    • Logged keystrokes, clipboard, files, and network configuration.
  10. Network Expansion → Stowaway Proxy
    • Go-based proxy tool dropped as burn.conf.
    • Allowed attackers to pivot internally and bypass segmentation/firewalls.

Recommendations

  1. Ensure all systems are up-to-date with the latest patches and updates to mitigate vulnerabilities that could be exploited by attackers.
  2. Restrict access to high-risk, built-in Windows binaries like wmic.exe, cmd.exe, powershell.exe, and others that attackers often misuse for lateral movement, system manipulation, or malware execution.
  3. Audit and disable unused Windows services.
  4. Monitor for unusual changes to Windows services, particularly those with SeDebugPrivilege, as EggStreme leverages vulnerable services for persistence and execution.
  5. Limit SMB & RPC access between systems, especially for non-essential network segments.
  6. Monitor and alert on event like msdt.exe spawning cmd.exe or xwizard.exe running from an unusual directory.
  7. Set up alerts for unrecognized or abnormal registry modifications, especially in services related to system startup, which could indicate a malware implant modifying system settings for persistence.
  8. Monitor for the execution of WinMail.exe loading mscorsvc.dll, an indicator of DLL sideloading abuse.
  9. Block the IOCs at their respective controls
    https://www.virustotal.com/gui/collection/4c7c5a764ac80ab67f3d9d66f01359ee2e7c78090bcc67c7f2ed1975c1024c5d/iocs

Source:

  • https://www.bitdefender.com/en-us/blog/businessinsights/eggstreme-fileless-malware-cyberattack-apac

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

No related posts found.

Ampcus Cyber
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

 Talk to an expert