{
	"id": "09a3a011-b6e5-42db-9d20-cc91cb7bfd65",
	"created_at": "2026-04-06T00:14:38.967963Z",
	"updated_at": "2026-04-10T03:21:27.65534Z",
	"deleted_at": null,
	"sha1_hash": "b32ae29064afae6f51bf294138a689b0bb866f72",
	"title": "EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 893598,
	"plain_text": "EggStreme Malware: Unpacking a New APT Framework\r\nTargeting a Philippine Military Company\r\nBy Bogdan Zavadovschi\r\nPublished: 2025-09-17 · Archived: 2026-04-05 23:44:35 UTC\r\nI'd like to thank my coauthors, Victor Vrabie, Adrian Schipor, and Martin Zugec, for their invaluable contributions\r\nto this research.\r\nTL;DR A Chinese APT group compromised a Philippine military company using a new, fileless malware\r\nframework called EggStreme. This multi-stage toolset achieves persistent, low-profile espionage by injecting\r\nmalicious code directly into memory and leveraging DLL sideloading to execute payloads. The core component,\r\nEggStremeAgent, is a full-featured backdoor that enables extensive system reconnaissance, lateral movement, and\r\ndata theft via an injected keylogger. \r\nThis report analyzes a sophisticated cyber-attack targeting a military company based in the Philippines, which led\r\nto the discovery of a new and advanced malware toolset. Based on the target's strategic value and the geopolitical\r\ncontext of the South China Sea, the attackers' tactics, techniques, and procedures (TTPs) are consistent with those\r\nof Chinese APT groups. The attackers' primary focus was to achieve persistent access for long-term espionage and\r\nsurveillance, highlighting the work of a highly professional threat actor whose objectives align with known\r\nnational interests. \r\nThe core of our findings centers on the EggStreme framework, a tightly integrated set of malicious components.\r\nUnlike traditional malware, this framework operates with a clear, multi-stage flow designed to establish a resilient\r\nfoothold on compromised systems. The attack begins with EggStremeFuel, which deploys EggStremeLoader to\r\nset up a persistent service. This loader then executes the EggStremeReflectiveLoader, which in turn launches the\r\nmain EggStremeAgent. \r\nThe EggStremeAgent is the central nervous system of the framework. 
It operates by monitoring new user sessions\r\nand, for every new session detected, it injects the EggStremeKeylogger into the active explorer.exe process to\r\nsilently collect keystrokes and other sensitive data. This agent is a full-featured backdoor with a broad range of\r\ncapabilities. Its 58 commands enable the attackers to perform extensive local and network discovery, enumerate\r\nsystem resources, execute arbitrary shellcode, perform lateral movement, or inject other payloads, most notably the\r\nEggStremeWizard backdoor. The attackers use this to launch a legitimate binary that sideloads the malicious DLL,\r\na technique they consistently abuse throughout the attack chain. \r\nWhat makes this framework difficult to detect is its fileless nature. While encrypted malware components are\r\npresent on the disk, the decrypted malicious code is executed and resides solely in memory, never touching the file\r\nsystem. This, coupled with the heavy use of DLL sideloading and the sophisticated, multi-stage execution flow,\r\nallows the framework to operate with a low profile, making it a significant and persistent threat. \r\nhttps://businessinsights.bitdefender.com/eggstreme-fileless-malware-cyberattack-apac\r\nPage 1 of 20\n\nTechnical Analysis Overview \r\nThe first sign of malicious activity that triggered our investigation in early 2024 was the execution of a logon\r\nbatch script from an SMB share, located at \\\\\u003cremote samba share\u003e\\netlogon\\logon.bat. The exact method by\r\nwhich the script was placed on the SMB share is unknown and remains a key area of investigation. \r\nThe script's primary function was to deploy two files to the %APPDATA%\\Microsoft\\Windows\\Windows Mail\\\r\ndirectory: a legitimate Windows binary named WinMail.exe and a malicious DLL named mscorsvc.dll. 
This is a\r\nclassic example of DLL sideloading, a technique where an attacker places a malicious DLL in\r\na location where a legitimate program will search for it. When the legitimate WinMail.exe is executed, it loads the\r\nmalicious mscorsvc.dll instead of the system’s original version. This allows the attacker to execute their malicious\r\ncode under the guise of a trusted program, bypassing many security controls. \r\nThe malicious mscorsvc.dll is the first stage of the attack chain, referred to as EggStremeFuel. This component\r\nserves as a loader and is responsible for setting up the environment for the final payload. EggStremeFuel includes\r\ncapabilities for system fingerprinting, which allows the attacker to gather information about the compromised\r\nmachine. Its most critical function is to establish a reverse shell, which it does by invoking cmd.exe and creating a\r\ncommunication channel with the command-and-control (C2) server using read-write pipes. This provides the\r\nattacker with a remote command-line interface on the compromised system. \r\nTo maintain a persistent presence, the attacker abused several disabled Windows services. This was accomplished\r\nby either altering the service's associated registry key to point to a malicious executable or by directly replacing\r\nthe legitimate service binary with their own. In both scenarios, the attacker configured the service to run with\r\nSeDebugPrivilege, a highly elevated right that allows a process to debug and access the memory of other\r\nprocesses on the system. \r\nThe malicious binary executed by these services is named EggStremeLoader. This component is responsible for\r\nreading a file at %WINDIR%\\en-us\\ielowutil.exe.mui that contains both the encrypted\r\nEggStremeReflectiveLoader and the EggStremeAgent payload. 
After decrypting the reflective loader, it injects it\r\ninto a trusted process like winlogon.exe. \r\nThe EggStremeReflectiveLoader uses a token from its host process (winlogon.exe) to spawn a new, suspended\r\nprocess—either MsMpEng.exe or explorer.exe—using CreateProcessWithToken(). It then decrypts and injects the\r\nfinal payload, the EggStremeAgent, into this new process. \r\nThis final implant, named EggStremeAgent, is a sophisticated backdoor that communicates with the C2 server\r\nusing the gRPC protocol. gRPC is a modern, high-performance, open-source framework for building remote\r\nprocedure calls (RPCs). \r\nEggStremeAgent is feature-rich, supporting a total of 58 distinct commands. These commands enable a wide\r\nrange of capabilities, including: \r\nSystem Fingerprinting: Gathering detailed host information.\r\nResource Enumeration: Scanning local and remote network resources.\r\nPrivilege Escalation: Gaining higher-level permissions.\r\nCommand Execution: Running arbitrary commands on the system.\r\nData Exfiltration: Stealing sensitive data.\r\nFile and Directory Manipulation: Creating, deleting, and modifying files.\r\nProcess Injection: Injecting code into other running processes. \r\nOn several machines, a secondary, more lightweight backdoor was observed. The attacker used the legitimate\r\nxwizard.exe to sideload a malicious DLL named xwizards.dll, which has been named EggStremeWizard. This\r\nsecondary backdoor provides reverse shell access and file upload/download capabilities. Its design also\r\nincorporates a list of multiple C2 servers, enhancing its resilience and ensuring that communication with the\r\nattacker can be maintained even if one C2 server is taken offline. \r\nPersistence \r\nAfter gaining access to the infrastructure through their initially deployed backdoor, EggStremeFuel, the attackers\r\nshifted their focus to establishing a stealthy form of persistence. 
To avoid detection, they leveraged legitimate\r\nWindows services that are not enabled by default—those configured with a startup type of Manual or Disabled.\r\nThis allowed them to blend into normal system operations while maintaining access. Across multiple\r\ncompromised machines, the following services were observed being abused: \r\nName  Description\r\nMSiSCSI  Manages iSCSI sessions, enabling the computer to connect to and access remote iSCSI target devices\r\nAppMgmt  Handles the installation, removal, and enumeration of software deployed via Group Policy\r\nSWPRV  Manages software-based volume shadow copies created by the Volume Shadow Copy service\r\nThe persistence setup varied across machines, but two main approaches were identified. In the first, upon gaining\r\naccess to a new machine, the attackers deployed the initial backdoor, EggStremeFuel, and used its reverse shell\r\ncapabilities to manually execute the required commands. In other cases, tools resembling Impacket were observed\r\nbeing used to run commands manually. \r\nWhen persistence was set up manually, the attackers altered file permissions, granted SeDebugPrivilege to the\r\ntargeted service, and then started that service. A conceptual sequence of these commands is provided below: \r\ntakeown -f c:\\\\windows\\\\system32\\\\appmgmts.dll\r\nicacls.exe c:\\\\windows\\\\system32\\\\appmgmts.dll /grant administrators:f\r\nsc privs appmgmt SeDebugPrivilege\r\nren appmgmts.dll appmgmt.dll\r\nren svchost.dat appmgmts.dll\r\nnetsh advfirewall firewall add rule name=\"Windows Update\" dir=in action=allow program=\"C:\\\\Windows\\\\explorer.exe\" enable=yes\r\nsc start appmgmt\r\nIn this sequence, a temporary malicious file named svchost.dat (which contains the malicious code) is renamed to\r\na legitimate-looking filename, appmgmts.dll, to evade detection. 
\r\nIn other cases, instead of simply replacing the existing DLL file, the attackers modified the ServiceDLL registry\r\nvalue located at HKLM\\SYSTEM\\CurrentControlSet\\Services\\\u003cserviceName\u003e\\Parameters to load a malicious\r\nDLL in place of the legitimate one. For example, with the MSiSCSI service, the path was changed from\r\n%systemroot%\\system32\\iscsiexe.dll to %systemroot%\\system32\\msiscsi.dll. An even subtler case was observed\r\nwith the AppMgmt service, where the execution DLL was altered from appmgmts.dll (legitimate) to appmgmt.dll\r\n(malicious) - a change that is nearly indistinguishable at first glance. \r\nInfrastructure\r\nEvery analyzed configuration file for the EggStremeAgent consistently used the same certificate authority (CA).\r\nThis CA, identified by its unique Subject Key Identifier 51655e8e97fc7265b1aaa4265d94e2f7cae9c913, acted as\r\nthe trusted root for the attackers’ entire infrastructure. It issued certificates to all the C2 servers, enabling secure,\r\nmutual TLS communications. 
The details for this CA are as follows: \r\nSerial Number: 2019 (0x7e3) \r\nSignature Algorithm: sha256WithRSAEncryption \r\nIssuer: C=, ST=, L=, street=, postalCode=, O=, OU= \r\nValidity \r\nNot Before: Nov  6 05:32:22 2019 GMT \r\nNot After : Jul 11 10:45:22 7498 GMT \r\nSubject: C=, ST=, L=, street=, postalCode=, O=, OU= \r\nSubject Public Key Info: \r\nPublic Key Algorithm: rsaEncryption \r\nPublic-Key: (2048 bit) \r\nExponent: 65537 (0x10001) \r\nX509v3 extensions: \r\nX509v3 Key Usage: critical \r\nDigital Signature, Key Encipherment, Certificate Sign \r\nX509v3 Extended Key Usage: \r\nTLS Web Client Authentication, TLS Web Server Authentication \r\nX509v3 Basic Constraints: critical \r\nCA:TRUE \r\nX509v3 Subject Key Identifier: \r\n51:65:5E:8E:97:FC:72:65:B1:AA:A4:26:5D:94:E2:F7:CA:E9:C9:13 \r\nSignature Algorithm: sha256WithRSAEncryption\r\nBy using the unique identifier from the certificate authority as a starting point, we were able to find other C2\r\nservers that were also linked to it, ultimately revealing more of the attackers' network. \r\nC2 Servers:\r\nwhosecity[.]org\r\nwebpirat[.]net\r\nronaldmooremd[.]net\r\nkazinovavada[.]com \r\nOur investigation discovered a C2 server at IP 154.90.35.190, which used a certificate for the domain\r\nfsstore[.]org. We then found a newer certificate for that same domain on a different IP, 45.115.224.163. The\r\nunique Authority Key Identifier (643042DF50CEF080E44851E7D5D6F654F772EBC5) on this new certificate\r\nsuggests the attackers are actively refreshing their infrastructure. This identifier can be used to uncover other C2\r\nIP addresses tied to the campaign, giving us a clearer view of their updated network.\r\nMalware Analysis\r\nThe campaign's success is a direct result of a highly coordinated malware toolkit, not a collection of isolated\r\nimplants. 
Each component serves a distinct purpose in the attack chain, from initial execution and persistence to\r\nin-memory payload delivery and final remote command and control. A deeper analysis reveals strong ties among\r\nthe components, suggesting a single, unified development effort. This is evident in the consistent use of shared\r\ntechniques like DLL sideloading, RC4 and XOR encryption, or fileless execution. \r\nFor example, a single file, ielowutil.exe.mui, was found to contain multiple encrypted payloads, including the\r\nreflective loader and the core backdoor itself, which are then injected directly into a trusted process to operate\r\nentirely in memory. This section provides a detailed breakdown of each component, analyzing their functionality,\ncommunication methods, and role within the overall toolkit.\nEggStremeFuel (The Stage 1 Loader)\nThis malicious DLL is designed to actively communicate with the C2 server. Telemetry shows that it's an initial\npayload, and it gets executed by being sideloaded by the legitimate binary\n%APPDATA%\\\\Microsoft\\\\Windows\\\\Windows Mail\\\\WinMail.exe. Once it's running, it spawns a reverse shell\nthat gives the attackers the ability to run commands remotely.\nWhen the DLL is loaded, a configuration structure is initialized in the memory with hardcoded values, including\ntwo C2 servers (a domain and an IP address), a main port (443), and a backup port (5228). A function then checks\nfor an on-disk configuration file at %APPDATA%\\\\Microsoft\\\\Windows\\\\Cookies\\\\Cookies.dat. If found, it is\ndecrypted with the RC4 key Cookies and the in-memory configuration is updated. If the file doesn't exist, the\nmalware will create it, including the necessary directory structure.\nOnce the configuration is updated, the backdoor attempts to connect to a C2 server, starting with the domain. 
The\nclient begins a handshake by sending a 32-byte message containing a 16-byte RC4 key and the first 16 bytes of\nthat key's MD5 hash. Upon receiving a 32-byte response from the server, the client verifies that the last 16 bytes\nof the response match the hash it sent, confirming the handshake's integrity. If successful, it proceeds to\nfingerprint the machine by sending an encrypted JSON object with details such as hostname, IP addresses, OS,\nand MAC addresses:\n{\n\"hostname\": \"\\\\\",\n\"lip\": \"\",\n\"wip\": \"\",\n\"os\": \"\",\n\"mac\": \"\",\n\"time\": \"\"\n}\nThe JSON object is first serialized into a string, which is then encrypted using RC4. This encrypted data is then\nprefixed with the command ID, which is also encrypted with RC4, before being sent to the C2 server.\nAfter fingerprinting, the client waits for commands from the server.\nCommand ID  Description\n2|3  Get drive information, along with files and directories from a specified path and their metadata (FileTime, size, Name)\r\n4  Start cmd.exe and establish communication via pipes, redirecting C2 input to the shell and sending the output back\r\n5  Gracefully close all connections and shutdown\r\n6  Read a file from the C2 server and save it to disk\r\n7  Read a local file from a given path and send its content\r\n9  Send the external IP address by making a request to myexternalip[.]com/raw\r\n11  Terminate the socket connection\r\n12  Send the current client configuration\r\n13  Update the in-memory configuration and write it to disk\r\n14  Dump the in-memory configuration to disk\r\nEggStremeLoader and EggStremeReflectiveLoader (Delivery Mechanism) \r\nThis chapter details the primary mechanism used to deliver the main payload, EggStremeAgent, and consists of\r\ntwo separate but interconnected components.\r\nThe EggStremeLoader binary is an advanced loader that is registered as a 
Windows service. Upon execution, the\r\nbinary loads nine functions related to Windows service manipulation from advapi32.dll. The names of these\r\nfunctions are hardcoded within the binary and are decrypted at runtime using a hardcoded XOR key (0xFE). The\r\nbinary dynamically resolves these functions using LoadLibrary() and GetProcAddress(). \r\nA clear distinction was found in the malware's hardcoded strings. Those related to file paths, service names, and\r\ndecryption keys were XORed with the key 0xDD, while strings for function names were XORed with 0xFE. \r\nThe binary then reads a file at C:\\Windows\\en-US\\ielowutil.exe.mui, which is composed of three parts:\r\n1. A 4-byte big-endian length indicator for the EggStremeReflectiveLoader\r\n2. The EggStremeReflectiveLoader payload\r\n3. The EggStremeAgent payload\r\nEach of these three parts is individually encrypted with RC4. During the attack, several encryption keys were\r\nobserved: google, Google, Microsoft, and microsoft. The EggStremeLoader component is responsible for\r\ndecrypting only the first two parts. It then attempts to inject the extracted EggStremeReflectiveLoader into\r\nwinlogon.exe by creating a separate page using VirtualProtect() with PAGE_EXECUTE_READWRITE (execute)\r\npermissions and adjusting its own privileges to SeDebugPrivilege. This entire process runs in a loop every 10\r\nminutes. \r\nThe EggStremeReflectiveLoader serves as an intermediary stage for the final payload. It has an export name of\r\nreflective.dll, strongly suggesting it is a reflective loader. A reflective loader is a piece of code that loads a DLL\r\ninto a running process directly from memory rather than from a file on disk. While a standard Windows loader\r\nneeds a file path to load a DLL, a reflective loader can work with the DLL's raw byte data. 
This method is a way\r\nto avoid detection, as it bypasses file-based security checks and leaves fewer traces on the system. \r\nThe loader opens C:\\Windows\\en-US\\ielowutil.exe.mui, reads the last part (EggStremeAgent) from the file, and\r\ndecrypts it using RC4. It then checks for the presence of C:\\\\ProgramData\\\\Microsoft\\\\Windows\r\nDefender\\\\Platform\\\\\u003c\u003e\\\\\u003c\u003e\\\\MsMpEng.exe (the Windows Defender service). If the file is not found, it targets\r\nexplorer.exe for injection instead. The loader duplicates the token from the winlogon.exe process, grants itself\r\nSeDebugPrivilege, and uses CreateProcessWithToken() to spawn a new process (MsMpEng.exe or explorer.exe).\r\nIt then injects the EggStremeAgent payload into this new, suspended process using VirtualAllocEx(),\r\nWriteProcessMemory(), and ResumeThread(). \r\nEggStremeAgent (Core Backdoor) \r\nThe EggStremeAgent is the final and most sophisticated implant responsible for establishing C2 with the attacker.\r\nIt is a fileless payload, doesn’t touch the disk in a decrypted form, and is injected into memory by\r\nEggStremeReflectiveLoader using RC4 encryption with google as the key. \r\nBefore any malicious activity begins, the implant starts a new thread to monitor for the WTS_EVENT_LOGON\r\nevent, which signals a user has logged in. The malware then waits to see if a child process explorer.exe has been\r\nspawned under the user's account. Once confirmed, the malware decrypts the EggStremeKeylogger (described\r\nlater) at C:\\Windows\\en-US\\splwow64.exe.mui using the RC4 key Microsoft and injects it into the user's\r\nexplorer.exe process. \r\nOn its main thread, the backdoor decrypts its hardcoded configuration using an XOR key (0xFE). This\r\nconfiguration includes a file path to on-disk configuration (%LOCALAPPDATA%\\Microsoft\\Vault\\Vault.dat), the\r\ninitial C2 server (sealtribute[.]org), its port (443), and a certificate with a private key. 
If the on-disk file exists, it's\r\ndecrypted with RC4 using its file path as the key, and its values override the default ones. If not, a unique ID is\r\ncalculated based on the computer name and a new encrypted configuration file is created. \r\nThe configuration file contains the following encrypted fields: \r\nid - A unique ID derived from the computer name\r\nsl (sleep) - The interval in seconds that the agent waits between C2 checks\r\nrm (remote machine) - The IP address or domain of the C2 server\r\nrp (remote port) - The port number for C2 communication\r\ncacrt (CA certificate) - The public key certificate of the trusted root authority\r\nimcrt (implant certificate) - The certificate for the implant itself, used in mutual TLS authentication\r\nimkey (implant key) - The private key for the implant certificate\r\nFigure: An example of the configuration file\r\nUsing the gRPC C++ library, the malware establishes a secure channel via mutual TLS (mTLS) to communicate\r\nwith its C2 server. gRPC (Google Remote Procedure Call) is an open-source framework for high-performance\r\ncommunication between services. In this malware's implementation, a total of 58 commands are available,\r\nidentified by numerical IDs, ranging from 0 to 66, with a few numbers missing. \r\nCommand ID  Description\r\n0  Fingerprinting: Extracts system details including hostname, username, OS type (via WMIC), MAC address, internal and external IP addresses, sleep time, and a list of installed antivirus products (via WMIC)\r\n17  Dump Config: Encrypts the current in-memory configuration using RC4 with the file path as the key and saves it to disk. 
It also triggers a mini-fingerprint (Command 38)\r\n18  Send C2 Info: Sends the remote machine and port (rm \u0026 rp) fields from the config to the C2 server in the format \u003crm\u003e:\u003crp\u003e\r\n37  Update Config: Receives a new remote machine and port from the C2, updates the in-memory configuration, and dumps it to disk\r\n38  Basic Fingerprinting: Updates the in-memory sleep time and sends a smaller fingerprint containing the agent ID, hostname, LAN IP, and sleep time to the C2\r\nFile and Directory Operations \r\nCommand ID  Description\r\n7  Enumerate Files: Sends the name, size, type (file/directory), and last write time of all files and directories within a given path\r\n8  Change Directory: Changes the current working directory, with support for environment variables\r\n9  Get Current Directory: Returns the current working directory\r\n10  Copy File: Copies a file\r\n11  Delete File: Deletes a file\r\n12  Create Directory: Creates a directory\r\n13  Delete Directory: Deletes a directory\r\n14  Screenshot: Takes a screenshot of the entire screen, saves it as a bitmap, and sends it buffered to the C2 server\r\n26-28  Write to File: A three-part command to write data to a file. Command 26 opens a file handle, 27 writes chunks of binary data, and 28 closes the handle\r\n29-30  Read from File: A two-part command to read a file. Command 29 opens a handle, calculates and reports the file size. Command 30 uploads the file in 0xA000-byte chunks\r\n57  Move File: Moves a file or directory from one location to another\r\n59  Read Small File: Reads a binary file and sends it to the server if its size is less than 0x5000 bytes. 
Otherwise, it reports an error “file over size” or “file is empty”\r\n62  Timestomping: Copies basic file metadata (e.g., creation, modification, and access times) from one file to another to evade detection\r\nLocal Resource Enumeration \r\nCommand ID  Description\r\n15  List Startup Commands: Uses a WMIC query SELECT * FROM Win32_StartupCommand to list and send details on all startup commands\r\n16  List Services: Uses a WMIC query SELECT * FROM Win32_Service to list and send details on all services, including name, caption, path, and PID if started\r\n19  List Processes: Lists all running processes, sending back the PID, parent PID, executable path, username, and architecture\r\n21  Kill Process: Kills a specified process by its PID\r\n22  List Connections: Lists all TCP connections, including source and destination IPs, state, and the process path that initiated the connection\r\n23  Network Properties: Lists network properties in a format similar to ipconfig /all using WinAPI functions\r\n24  ARP Entries: Enumerates the Address Resolution Protocol entries\r\n25  List Drivers: Lists all drivers, including their name, available and total space\r\n41  Enumerate SQLite Temporary Files: Loops over all file objects with a Cookies-journal suffix and sends the file path and the process image of any processes that have a handle opened to them\r\n47  Get Uptime: Retrieves the current system uptime\r\n51  List Registry Keys: Enumerates all subkeys and values from a registry path received from the C2 server and sends back the collected data, including name, value, and data type\r\n52  Set Registry Value: Calls RegSetValueExW() to update or create a specified value in the registry\r\n53  Delete Registry Value: Deletes a specified registry value from a given subkey\r\n58  User Sessions: Retrieves all user 
sessions from the machine using WTSEnumerateSessionsA()\r\nNetwork and Lateral Movement Capabilities\r\nCommand ID  Description\r\n40  RPC Scan: Connects to a given IP on port 135 (RPC) and sends an RPC bind request with NTLMSSP authentication. The response can reveal the target system's Windows version and hostname\r\n42  Remote Process: Remotely connects to a server and creates a new process using the WMIC Win32_Process Create() method\r\n43  IPC$ Reauthentication: Uses a given IP and credentials to reauthenticate to a remote machine's IPC$ share\r\n44  Enumerate Network Resources: Enumerates all network resources on the current machine to discover accessible shares or connected devices\r\n45  Close IPC$: Closes an IPC$ share connection\r\n49  Enumerate Services: Enumerates all services that are in the SERVICES_ACTIVE_DATABASE on the local or a remote machine\r\n50  Check/Start Service: Checks the status of a service on a local or remote machine and attempts to start it if it is stopped\r\n54  Set Service Type: Sets the start type for a service on a local or remote machine\r\n55  Ping: Sends ICMP Echo Requests to a single IP or a range of IPs to check connectivity\r\n56  Port Scan: Checks if a port is open on a given IP or a range of IPs\r\n60  Task Scheduler: Uses COM objects to interact with the Task Scheduler on local or remote machines. Subcommands support listing (0), deleting (1), creating (2), and executing (3) scheduled tasks\r\n63  Create Remote Service: Creates and configures a new service on a remote system for persistence by establishing the registry key SYSTEM\\\\CurrentControlSet\\\\Services\\\\%s\\\\Parameters and assigning the ServiceDll value to a specified DLL path. Additionally, a new service group for svchost.exe is registered by appending the suffix svc to the service name. 
The service is then registered using\r\nOpenSCManagerA() to execute %SystemRoot%\\\\system32\\\\svchost.exe -k \"\u003cname\u003esvc\" with\r\nAUTO_START flag \r\nAdvanced Execution and Privilege Escalation \r\nCommand\r\nID \r\nDescription \r\n20\r\nLaunch Process: Receives a PID and application path. If the PID is 0, it launches the app with\r\nCreateProcess(). If a PID is given, it impersonates the process token to launch the app with\r\nCreateProcessWithToken() \r\n32\r\nRetrieve and Execute Shellcode: Expects a URL from the C2, retrieves a shellcode via HTTP\r\nGET, and executes it on a new thread\r\n33-35\r\nInteractive Shell: Implements an interactive shell using cmd.exe with anonymous pipes.\r\nCommand 33 handles the initialization and process spawning, launching the shell either via\r\nCreateProcess() or CreateProcessWithToken() (the token obtained through DuplicateHandle()\r\nfrom a process specified by the C2 server). It also attempts to enable SeDebugPrivilege for\r\nelevated interaction with other processes and spawns a separate thread to send all data from the\r\nshell’s output pipe back to the C2 server. Command 34 sends input, and Command 35\r\nterminates the shell\r\n46\r\nTerminate Process: Gracefully closes pipes and terminates a process initiated by the\r\ninteractive shell command\r\n65\r\nLSASS Injection: A complex command likely used to inject code into the LSASS process. It\r\nhas three subcommands: 0 to check if a process is active; 1 to create pipes, adjust privileges,\r\nlocate LSASS, duplicate handles, and inject a PE payload into a suspended svchost.exe\r\ninstance, and then resume its execution; and 2 to forward data to the svchost.exe process via\r\npipes \r\n64 \u0026 67\r\nProxy: Two very similar commands that function as proxy mechanisms. Subcommand 0\r\ninitiates a TCP connection and spawns a thread to forward data. 
Subcommand 1 forwards data\r\nfrom the C2 to the target\r\n48 Exfiltration: Compresses a file or all files in a directory into a GZIP archive using Zlib 1.2.13\r\n66 File Ownership: Alters file ownership on the target system to BUILTIN\\Administrators using\r\nWindows API functions SetEntriesInAclA() and SetNamedSecurityInfoA() to bypass access\r\nrestrictions and interfere with detection\r\nEggStremeWizard (Auxiliary Backdoor) \r\nFollowing the successful execution of EggStremeAgent, the primary command and control implant, the attacker\r\ndeployed EggStremeWizard on several machines. This component is a secondary lightweight backdoor; its\r\nprimary role is to ensure redundancy in the event the main agent is detected and removed. \r\nThe forensic evidence indicates that a copy of the legitimate xwizard.exe was present in a user-writable directory\r\n(%LOCALAPPDATA%\\Microsoft\\WindowsApps\\), a different location than its typical home in %SYSTEM32%.\r\nThe malicious xwizards.dll was also placed in this same directory. The EggStremeReflectiveLoader, residing in\r\nmemory within winlogon.exe, initiated the execution of the EggStremeAgent within the msdt.exe binary. The\r\nEggStremeAgent then spawned cmd.exe, which in turn launched the relocated xwizard.exe. This last process was\r\nused to sideload the malicious library from the same location. \r\nWhen loaded, this binary first attempts to read a file located at C:\\Users\\Public\\Downloads\\ntuser.dat, which\r\ncontains a sleep interval value in minutes. It then tries to read a second file,\r\nC:\\Users\\Public\\Downloads\\ntusers.dat, which is encrypted using AES in ECB mode with the key\r\n+JBHXU4X*%^Y\u0026(DP and has a maximum size of 0x114 bytes. Note the subtle difference in the filenames\r\n(ntuser.dat vs ntusers.dat). 
The second file is expected to contain a space-separated list of IP addresses and ports. If it is not found, the backdoor defaults to initiating a connection to sinhluc[.]net.\r\nOnce the initial setup is complete, the sample initiates communication with the C2 server by sending the plaintext value 0x3E8FB806. It then captures the output of the hostname command, encrypts it with AES in ECB mode, and transmits it. After this handshake, the backdoor begins a handling routine to receive further instructions, with all subsequent communication being encrypted using AES.\r\nCommand ID | Description\r\nFirst byte is 1 | This command has two subcommands and a default action:\r\n  sleep: Changes the sleep interval value in the ntuser.dat file.\r\n  server: Updates the internal list of C2 servers and sends a confirmation message to the active C2: \"Tunnel Change Success:\\r\\nServer : %s:%s\\r\\n\". The Server field is not limited to a single entry.\r\n  Default: If no subcommand matches, the input is treated as a Windows command, executed via cmd.exe /c, and the output is returned to the C2.\r\nFirst byte is 2 | Interprets the command as an instruction to download, decrypt, and save a binary file to disk.\r\nFirst byte is 5 | Reads a local file from disk, encrypts it, and uploads its contents to the C2 server.\r\nFirst byte is 8 | Reinitializes the entire list of C2 servers.\r\nEggStremeKeylogger (Surveillance Module)\r\nAs described in the previous EggStremeAgent section, the EggStremeKeylogger component is a malicious library that resides at a familiar location on the victim's machine: C:\\Windows\\en-US\\splwow64.exe.mui. It remains encrypted on disk until the EggStremeAgent is ready to use it, at which point it is decrypted in memory using the static RC4 key Microsoft and injected into the user's explorer.exe process. 
\r\nThe EggStremeKeylogger is not a standalone executable; it is a DLL library with a unique loading mechanism. Instead of the standard DllMain() function triggering its malicious behavior, the EggStremeAgent calls an exported function within the keylogger's binary: RegisterWaitChainCOMCallback(). This function serves as a custom reflective loader that loads the keylogger's own binary from memory, effectively injecting it back into its own process. This loading step then triggers the DllMain() function, which acts as the malware's true entry point, allowing the keylogger to initiate its malicious activities.\r\nOnce executed, it spawns a hidden window and creates a log file at %LOCALAPPDATA%\\Microsoft\\Windows\\Explorer\\thumbcache.dat to store captured data. Each log entry is encrypted in real time using the RC4 algorithm with the key usa1!the8*best9#, and entries are separated by the byte sequence 0xA0D0A0D.\r\nAt startup, it first records the system’s startup time and fingerprints the Windows network configuration, enumerating adapter names, descriptions, IP addresses, subnet masks, and gateways. Once initialized, it continuously intercepts keystrokes via GetRawInputData() and MapVirtualKeyA(), logging each sequence alongside the active window title, the current time, and the full process image path. 
Clipboard monitoring is also persistent, capturing plaintext (GetClipboardData()) and file paths when files are copied (DragQueryFileA()). Additionally, a dedicated thread monitors network adapter changes in real time, automatically collecting and dumping updated configuration details.\r\nEggStremeKeylogger example (emulated)\r\nThis combination of keystroke logging, clipboard monitoring, file capture, and network fingerprinting provides attackers with comprehensive surveillance over both user activity and system configuration.\r\nStowaway (The Proxy Tool)\r\nThe Stowaway proxy is used by the threat actor to establish an internal network foothold. It operates by creating an exposed proxy on the compromised host, enabling attackers to route traffic and execute commands on other systems within the network.\r\nForensic analysis indicates that an existing backdoor was used to write the Stowaway binary to disk at %LOCALAPPDATA%\\microsoft\\windows\\burn\\burn\\burn.conf. The file is a compiled Go binary that functions as a DLL, and its export table contains numerous symbols, including CoStartOutlookExpressW() (typically exported by msoe.dll), CorGetSvc() (mscorsvc.dll), and ServiceMain() (a generic function for services). These symbols indicate the tool was designed for potential sideloading or execution as a Windows service.\r\nThe tool's initialization function is custom and hard-coded with specific parameters: a secret (d@rkn3ss) and a listening port (8531). This initialization allows the attacker to connect to the proxy and authenticate with the known secret. 
\r\nA plausible explanation for the attackers’ use of this tool is the requirement to execute remote commands without deploying a full-featured agent on every target. The Go-based binary provides a small footprint and can be executed to establish a temporary proxy. This proxy is then used in conjunction with a framework like Impacket. On their own machine, the attackers can configure proxychains or a similar tool to route their Impacket commands through the exposed Stowaway proxy. This allows them to effectively target any system on networks accessible by the infected host. The primary threat implication for a security practitioner is that the proxy bypasses network-level segmentation and firewall rules, as the commands originate from within the trusted network segment.\r\nConclusion and Recommendations\r\nThe EggStreme malware family is a highly sophisticated and multi-component threat designed to achieve persistent access, lateral movement, and data exfiltration. The threat actor demonstrates an advanced understanding of modern defensive techniques by employing a variety of tactics to evade detection.\r\nThis modular, fileless, and living-off-the-land (LOL) approach highlights a significant shift in adversary tradecraft. The threat is not a collection of individual executables but a dynamic, multi-stage operation that leverages legitimate tools and system behaviors to remain undetected.\r\nTo effectively counter threats like EggStreme, security practitioners must adopt a defense-in-depth strategy.\r\nProactively Limit LOLBins: Reduce your attack surface by limiting the use of legitimate but high-risk binaries. Implement Proactive Hardening and Attack Surface Reduction (PHASR) to restrict built-in tools like wmic.exe and curb other LOLBin attacks. 
\r\nAdopt Detection and Response Capabilities: A robust security platform like Bitdefender GravityZone with strong EDR/XDR capabilities is essential for correlating events across multiple endpoints to identify complex attack chains and detect behavioral anomalies that bypass prevention layers. This is critical for catching an event like msdt.exe spawning cmd.exe or xwizard.exe running from an unusual directory. You can learn more about EDR/XDR technology on the Bitdefender TechZone website.\r\nConsider Managed Detection and Response (MDR) for Operational Gaps: For organizations without a dedicated Security Operations Center (SOC) team or operating with a lean security staff, adopting Managed Detection and Response (MDR) services offers an effective solution. MDR acts as an extension of an in-house team, providing 24/7 expert threat hunting, rapid incident response, and continuous monitoring.\r\nBy focusing on these areas, organizations can build a more resilient security posture, capable of detecting and responding to even the most covert and persistent adversaries.\r\nIOCs and How to Follow Our Research\r\nFor our OEM partners and integrations, access to our threat intelligence data is primarily provided programmatically. We also offer a user interface, the IntelliZone Portal, where partners get more ways to interact with our data, like an operational dashboard of threats targeting their industry. A full breakdown of this research can be found on the platform under ThreatID BDtqkhbtsw: https://intellizone.bitdefender.com/en/threat-search/threats/BDtqkhbtsw\r\nBeyond our core TI platform, we're also launching three new ways for you to stay current with our research. 
\r\nPublic IOCs on GitHub\r\nWe are now hosting all Indicators of Compromise (IOCs) from this and all future research on a public GitHub repository. This will improve accessibility and collaboration for the entire security community. https://github.com/bitdefender/malware-ioc/blob/master/2025_09_10-eggstreme-iocs.csv\r\nNewsletter: Threat Intel DECODED\r\nWe are introducing our LinkedIn newsletter, Threat Intel DECODED, designed to provide you with exclusive threat intelligence, original research, and actionable advisories directly from Bitdefender Labs and MDR. Subscribe to our newsletter and let us know what you think! https://www.linkedin.com/newsletters/7371216616015036416/?displayConfirmation=true\r\nLive Discussion: Ctrl-Alt-DECODE\r\nWatch our new discussion series, Ctrl-Alt-DECODE, where we discussed the EggStreme research in-depth and answered live questions. This was our first episode, so thanks for tuning in and helping us get this new series started!\r\nSource: https://businessinsights.bitdefender.com/eggstreme-fileless-malware-cyberattack-apac",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://businessinsights.bitdefender.com/eggstreme-fileless-malware-cyberattack-apac"
	],
	"report_names": [
		"eggstreme-fileless-malware-cyberattack-apac"
	],
	"threat_actors": [],
	"ts_created_at": 1775434478,
	"ts_updated_at": 1775791287,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b32ae29064afae6f51bf294138a689b0bb866f72.pdf",
		"text": "https://archive.orkl.eu/b32ae29064afae6f51bf294138a689b0bb866f72.txt",
		"img": "https://archive.orkl.eu/b32ae29064afae6f51bf294138a689b0bb866f72.jpg"
	}
}