Chinese APT Hits Philippine Military Firm with New EggStreme Fileless Malware
Bitdefender uncovers EggStreme, a fileless malware by a China-based APT targeting the Philippine military and APAC organisations.
Cybersecurity researchers at Bitdefender have identified a new malware framework called EggStreme, currently used by a China-based APT group to spy on military organisations in the Asia-Pacific region. The finding came after an investigation into a compromise at a Philippine military company.
According to researchers, the malware toolkit is designed as a “unified” system rather than separate malware samples. Its components work in sequence, starting with a loader named EggStremeFuel, which prepares the environment for later stages. Ultimately, the attackers deploy EggStremeAgent, a full-featured backdoor that can perform reconnaissance, steal data, modify and even delete important files.
**Fileless Malware**
Bitdefender’s technical report, shared with Hackread.com ahead of its publication on Wednesday, September 10, 2025, reveals that EggStreme executes filelessly: although encrypted modules exist on disk, the malicious payloads are decrypted and executed only in memory, so there is no plaintext payload on disk for a file scanner to find. Combined with DLL sideloading, in which a signed, legitimate Windows binary is tricked into loading the malicious code, this makes the framework harder to detect.
The main backdoor, EggStremeAgent, supports 58 commands covering system reconnaissance, file manipulation, command execution and injection of additional payloads. Each time a new user session begins, it also injects a keylogger into explorer.exe to capture keystrokes and clipboard data. Communication with its command-and-control servers takes place over encrypted gRPC channels (Google’s open-source remote procedure call framework).
**EggStremeWizard Backdoor and Stowaway Proxy**
To keep access if the primary implant is lost, the attackers also deploy a secondary tool named EggStremeWizard. This lighter backdoor relies on another DLL sideload, this time through the legitimate Windows binary xwizard.exe, and maintains its own list of fallback servers. Together with the Stowaway proxy tool, the framework lets operators route traffic through compromised hosts inside the victim network, bypassing segmentation and firewall rules.
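The two behaviours described above, sideloading through xwizard.exe and the per-session injection into explorer.exe, leave footprints in ordinary endpoint telemetry even when the payload itself never touches disk in plaintext. The following is an added example, not Bitdefender’s code or part of its report: a small hunt over constructed Sysmon-style events (Event ID 7 image loads and Event ID 8 remote thread creation). The trusted-directory allow-list, the file paths and the DLL name in the sample records are assumptions for illustration, not indicators from the report.

```python
import json
import ntpath

# Directories a signed Windows binary legitimately loads its DLLs from
# (assumption: tune for your estate; compared lowercase, backslash-normalised).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Signed host binary the report names as a sideloading target.
SIDELOAD_HOSTS = {"xwizard.exe"}

# Process the report says receives the injected keylogger at each new session.
INJECTION_TARGETS = {"explorer.exe"}


def _norm(path):
    return path.replace("/", "\\").lower()


def _in_trusted_dir(path):
    d = ntpath.dirname(_norm(path))
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)


def check_sideload(ev):
    """Sysmon Event ID 7 (image loaded): a known sideload host pulling a DLL
    from outside the Windows directories, which is what a copied xwizard.exe
    sitting next to a malicious DLL looks like."""
    if ev.get("EventID") != 7:
        return None
    if ntpath.basename(_norm(ev["Image"])) not in SIDELOAD_HOSTS:
        return None
    if _in_trusted_dir(ev["ImageLoaded"]):
        return None
    return {"rule": "dll_sideload", "host": ev["Image"], "dll": ev["ImageLoaded"]}


def check_injection(ev):
    """Sysmon Event ID 8 (CreateRemoteThread): a thread created inside
    explorer.exe by an image that does not live in a Windows system directory."""
    if ev.get("EventID") != 8:
        return None
    if ntpath.basename(_norm(ev["TargetImage"])) not in INJECTION_TARGETS:
        return None
    if _in_trusted_dir(ev["SourceImage"]):
        return None
    return {"rule": "explorer_injection", "source": ev["SourceImage"], "target": ev["TargetImage"]}


def hunt(jsonl):
    """Parse newline-delimited JSON events and return every rule hit, in order."""
    hits = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for check in (check_sideload, check_injection):
            hit = check(ev)
            if hit:
                hits.append(hit)
    return hits


# Constructed sample telemetry: the first event of each pair is benign, the
# second is the suspicious pattern. Paths and the DLL name are hypothetical.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Windows\\System32\\xwizard.exe", "ImageLoaded": "C:\\Windows\\System32\\xwizards.dll"}
{"EventID": 7, "Image": "C:\\Users\\Public\\Libs\\xwizard.exe", "ImageLoaded": "C:\\Users\\Public\\Libs\\xwizards.dll"}
{"EventID": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\explorer.exe"}
{"EventID": 8, "SourceImage": "C:\\Users\\Public\\Libs\\xwizard.exe", "TargetImage": "C:\\Windows\\explorer.exe"}
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

The benign records are not flagged because both the host binary and the loaded DLL (or the injecting process) live under the Windows system directories; the two suspicious records are, because a copy of xwizard.exe in a user-writable folder loads a DLL from that same folder and later creates a thread in explorer.exe. Real deployments should add the other LOLBins the report mentions as sideload hosts and suppress known-good injectors rather than relying on directory alone.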
Bitdefender notes that the campaign is still active and advises organisations in the region to apply the published indicators of compromise, which, together with the technical details, are available through Bitdefender’s IntelliZone Portal and its public GitHub repository.
**Cyber Attacks Against The Philippines**
It’s worth noting that the Philippines has been under sustained cyber pressure for some time, not just from espionage-grade toolkits like EggStreme but also from broader hacktivist and misinformation campaigns linked to the South China Sea tensions.
The country has already been dealing with an increase in cyberattacks, with incidents rising by more than 300% in early 2024 amid disputes in the South China Sea. The EggStreme attack shows that these campaigns are not isolated events but part of a larger and continuing pressure on the country’s cyber and military front.