Fileless EggStreme Malware Campaign Attributed to Chinese APT Against Military Organisations

Threat Group – China-based APT actors
Threat Type – Fileless malware and espionage backdoor
Exploited Vulnerabilities – DLL sideloading, fileless memory injection (no CVEs assigned)
Malware Used – EggStremeFuel, EggStremeLoader, EggStremeReflectiveLoader, EggStremeAgent, EggStremeKeylogger, EggStremeWizard
Threat Score – 8.0 🔴 High
Last Threat Observation – 11 September 2025


Overview

A newly discovered espionage framework named EggStreme has been attributed to Chinese state-linked APT actors and deployed against the Philippine military. The malware demonstrates advanced stealth capabilities through fileless execution, DLL sideloading, and modular components, enabling persistent access, intelligence gathering, and system compromise. EggStreme appears designed for long-term surveillance and exfiltration of sensitive defence-related data.


Key Details

Delivery Method

The attack begins with EggStremeFuel, a malicious mscorsvc.dll sideloaded by legitimate binaries. This module profiles the system and activates EggStremeLoader, which in turn launches EggStremeReflectiveLoader. The chain culminates in EggStremeAgent, the main backdoor. The framework avoids disk-based artefacts by executing almost entirely in memory.

Target

The primary victim identified so far is a Philippine military organisation, suggesting motivations tied to geopolitical tensions in the South China Sea.

Functions

  • EggStremeFuel: Drive enumeration, system profiling, launching cmd.exe, file transfer, IP identification, config dumping.
  • EggStremeAgent: Core backdoor with 58 commands, session monitoring, shellcode injection, privilege escalation, lateral movement, exfiltration.
  • EggStremeKeylogger: Captures keystrokes for credential theft and activity monitoring.
  • EggStremeWizard: Backup backdoor enabling reverse shell, file upload/download, redundant C2 connections.

Obfuscation

  • Fileless Execution – Payloads run entirely in memory without touching disk. Impact on defenders: evades traditional signature-based antivirus scans.
  • DLL Sideloading – Malicious DLLs (mscorsvc.dll) are loaded by trusted executables. Impact on defenders: blends with legitimate processes and bypasses trust.
  • Reflective Loading – EggStremeReflectiveLoader injects payloads directly into the memory space of running processes. Impact on defenders: prevents OS-level loader checks and forensic capture.
  • Modular Multi-Stage – Staged components (Fuel → Loader → ReflectiveLoader → Agent) reduce exposure per stage. Impact on defenders: harder to link artefacts together for early detection.
  • Redundant C2 Servers – Multiple fallback servers ensure persistent connectivity. Impact on defenders: sustains command-and-control even if one server is blocked.

Attack Vectors

EggStreme employs a multi-stage, stealth-focused attack chain that combines sideloading, fileless memory injection, and modular payloads. Its key attack vectors include:

  • DLL Sideloading – EggStreme abuses legitimate executables to load the malicious mscorsvc.dll (EggStremeFuel). By masquerading as a trusted system DLL, the malware avoids initial detection and runs in the security context of the trusted parent process.
  • Fileless Execution in Memory – All major payloads, including EggStremeLoader, ReflectiveLoader, and EggStremeAgent, are executed directly in memory without writing to disk. This technique prevents artefacts from being scanned by traditional antivirus and complicates forensic recovery.
  • Reflective DLL Loading – EggStremeReflectiveLoader injects payloads into the memory space of legitimate processes, bypassing conventional Windows loader security checks and establishing persistence without creating new executables.
  • Command-and-Control (C2) via gRPC Protocol – EggStremeAgent communicates with its operators using the gRPC protocol, an unusual choice compared to traditional HTTP/S channels. This allows the malware to blend into modern enterprise environments where gRPC is increasingly used in cloud-native applications. The use of multiple fallback servers ensures resilience if a C2 endpoint is blocked.
  • Keylogging and Session Hijacking – Through EggStremeKeylogger, the malware captures keystrokes from new user sessions in real time. This allows attackers to harvest credentials, monitor activity, and escalate privileges for lateral movement.
  • Privilege Escalation and Lateral Movement – EggStremeAgent supports 58 commands, including process injection, shellcode execution, and remote service creation, enabling attackers to escalate privileges and move laterally across networks once an initial foothold is established.
  • Data Exfiltration – EggStremeAgent can compress and exfiltrate system files, configurations, and user data to remote servers controlled by the APT. Combined with keylogging and session hijacking, this provides attackers with persistent access to sensitive military intelligence.
  • Backup Backdoor (EggStremeWizard) – To maintain persistence in case the primary C2 channel is disrupted, EggStremeWizard provides an additional vector by enabling reverse shell connections and file transfer capabilities through alternative infrastructure.

Together, these vectors demonstrate a highly modular and resilient intrusion framework. EggStreme’s combination of stealth (fileless techniques, sideloading), persistence (backup backdoors, multiple loaders), and resilience (multi-server C2, reflective injection) makes it particularly dangerous in defence and government environments, where long-term espionage is the adversary’s primary objective.


Known Indicators of Compromise (IoCs)

File Hashes (MD5)

IPv4

  • 103[.]103[.]0[.]225
  • 103[.]131[.]95[.]114
  • 103[.]169[.]90[.]164
  • 103[.]78[.]242[.]128

SSL Certificate Fingerprints

  • 51:65:5e:8e:97:fc:72:65:b1:aa:a4:26:5d:94:e2:f7:ca:e9:c9:13
  • 64:30:42:df:50:ce:f0:80:e4:48:51:e7:d5:d6:f6:54:f7:72:eb:c5

Domains

  • fetraa[.]com
  • fionamcleod[.]net
  • powerontheroad[.]org
  • safiasol[.]com
  • sealtribute[.]org
  • sinhluc[.]net
  • theuklg[.]com
  • traveldog[.]org

Mitigation and Prevention

User Awareness

  • Train users and IT staff to recognise DLL sideloading and unusual binary behaviour.
  • Raise awareness of fileless malware risks.

Email Filtering

  • Apply strict filtering on attachments and links, particularly DLLs and executable content.
  • Block unknown or unauthorised binaries.

Antivirus Protection

  • Use EDR solutions capable of detecting reflective loading and anomalous memory activity.
  • Deploy behavioural detection rules for DLL hijacking.

Two-Factor Authentication (2FA)

  • Enforce MFA on all remote access services to reduce credential theft impact.

Log Monitoring

  • Monitor process creation logs for unexpected DLL loads.
  • Audit for gRPC traffic to unknown external hosts.
  • Track user session events for anomalies.
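One way to implement the first of these monitoring points, as an added example that is not part of the advisory or of any vendor product: a small detection routine run over constructed Sysmon-style ImageLoad (Event ID 7) records that flags mscorsvc.dll whenever it is loaded from anywhere other than its expected .NET Framework directories. The expected-directory list and the key=value log layout are assumptions for the example.

```python
import re
from pathlib import PureWindowsPath

# Assumed baseline: directories where the legitimate .NET mscorsvc.dll lives.
# Adjust to the framework versions actually deployed in the fleet.
EXPECTED_DIRS = (
    r"c:\windows\microsoft.net\framework\v4.0.30319",
    r"c:\windows\microsoft.net\framework64\v4.0.30319",
)
WATCHED_DLLS = {"mscorsvc.dll"}  # the DLL name named in the advisory

# Constructed sample events in key=value form (not real telemetry).
# Event 2 models the sideloading pattern: a trusted DLL name loaded from a
# user-writable directory next to the loading executable.
SAMPLE_EVENTS = [
    "EventID=7 Image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ngen.exe "
    "ImageLoaded=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvc.dll Signed=true",
    "EventID=7 Image=C:\\Users\\Public\\Libraries\\legit.exe "
    "ImageLoaded=C:\\Users\\Public\\Libraries\\mscorsvc.dll Signed=false",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe ParentImage=C:\\Users\\Public\\Libraries\\legit.exe",
    "EventID=7 Image=C:\\Program Files\\App\\app.exe "
    "ImageLoaded=C:\\Program Files\\App\\helper.dll Signed=true",
]

# Splits "Key=value Key=value" while allowing spaces inside values (e.g. "Program Files").
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Turn one key=value log line into a dict."""
    return dict(FIELD_RE.findall(line))


def sideload_findings(lines):
    """Return (loading_image, dll_path, signed) for every watched DLL loaded
    from a directory that is not one of its expected locations."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7" or "ImageLoaded" not in ev:
            continue  # only image-load events carry the DLL path
        dll = PureWindowsPath(ev["ImageLoaded"])
        if dll.name.lower() not in WATCHED_DLLS:
            continue
        if str(dll.parent).lower() not in EXPECTED_DIRS:
            findings.append((ev["Image"], str(dll), ev.get("Signed", "unknown")))
    return findings


if __name__ == "__main__":
    for image, dll, signed in sideload_findings(SAMPLE_EVENTS):
        print(f"possible sideload: {image} loaded {dll} (signed={signed})")
```

Feeding the routine real Sysmon exports requires only replacing SAMPLE_EVENTS with the parsed ImageLoaded/Image fields from the log pipeline.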

Regular Updates

  • Apply least privilege and OS hardening to reduce DLL hijacking opportunities.
  • Keep security products updated with the latest intelligence feeds.

Risk Assessment

EggStreme is a high-threat espionage toolkit with advanced stealth, modularity, and persistence mechanisms. Its fileless nature and DLL sideloading make it particularly difficult to detect using traditional signature-based defences. Targeting of a military organisation underscores its strategic purpose and aligns with known objectives of Chinese APTs. With keylogging, lateral movement, and exfiltration capabilities, EggStreme represents a serious ongoing risk to government and defence organisations across Asia-Pacific.


Conclusion

EggStreme exemplifies the sophistication of state-linked malware operations. Security teams must urgently strengthen memory-based detection, tighten DLL handling, and prepare incident response procedures for advanced fileless attacks. Close collaboration with trusted threat intelligence providers is critical for detecting IoCs as they emerge.


Sources

The Hacker News – Chinese APT Deploys EggStreme Fileless Malware to Breach Philippine Military Systems – https://thehackernews.com/2025/09/chinese-apt-deploys-eggstreme-fileless.html
Zataz – The EggStreme Malware Kit Targets the Military in APAC – https://www.zataz.com/the-eggstreme-malware-kit-targets-the-military-in-apac/
AlienVault OTX – Indicators of Compromise – https://otx.alienvault.com/pulse/68c1d94aeea0cbf6a74fd693