EggStreme Malware: The Stealthy Espionage Framework Targeting Military Contractors
A cyber operation against a Philippine military contractor has exposed a newly discovered and highly sophisticated malicious infrastructure, codenamed EggStreme. Research conducted by Bitdefender attributes the campaign to a Chinese threat group engaged in long-term espionage. Given the strategic importance of the South China Sea, both the chosen target and the methods employed align seamlessly with the broader pattern of Chinese APT activity.
At the heart of the attack lies a multi-stage framework designed to operate entirely in memory, rendering it exceptionally difficult to detect. Its core component, EggStremeAgent, is a versatile backdoor supporting 58 commands. It facilitates reconnaissance of local and network environments, arbitrary code execution, lateral movement, data exfiltration, and deployment of additional modules. Among these are EggStremeKeylogger, injected into explorer.exe to capture keystrokes and clipboard data, and EggStremeWizard, a lightweight fallback backdoor ensuring access even if the primary agent is removed.
Initial execution was achieved through DLL sideloading. Attackers placed a legitimate WinMail.exe alongside a malicious mscorsvc.dll in the %APPDATA%\Microsoft\Windows\Windows Mail\ directory. When launched, the trusted process initiated the first-stage loader, EggStremeFuel, which harvested system details, opened a reverse shell via cmd.exe, and established communication with a C2 server.
To achieve persistence, the attackers manipulated disabled Windows services, replacing binaries or registry values, while granting processes SeDebugPrivilege for memory access across applications. The next stage, EggStremeLoader, decrypted payloads embedded within a crafted ielowutil.exe.mui file and injected them into system processes. From there, EggStremeReflectiveLoader created new winlogon.exe or explorer.exe instances and implanted the main agent.
EggStremeAgent communicates with its C2 servers over encrypted gRPC channels secured with mTLS. Configuration data resides in an encrypted Vault.dat file, while certificates are issued by the attackers’ own CA, unifying the infrastructure. Each infected machine receives a unique identifier, ensuring tightly controlled communications.
Its command set includes functions for system enumeration, file and directory manipulation, screenshot capture, registry modifications, network scanning, remote process execution, and even code injection into LSASS. Persistence can be achieved through the creation of services on remote hosts or via scheduled tasks.
A notable element is the EggStremeKeylogger, stored in encrypted form as splwow64.exe.mui and activated only upon user login. Once decrypted, it embeds into explorer.exe, spawns a hidden window, and logs activity into thumbcache.dat, protected with RC4 encryption. The logs contain keystrokes, active windows, system time, network details, and clipboard content—including files—giving attackers comprehensive surveillance over user activity.
For lateral movement, attackers relied on the Stowaway proxy tool, compiled in Go, capable of bypassing network segmentation. This allowed them to route traffic and execute commands across infrastructure without deploying agents on every host.
Forensic analysis revealed a high degree of cohesion: every component employed identical techniques—DLL sideloading, RC4/XOR encryption, and exclusive in-memory execution—pointing to a unified developer team and a meticulously structured development process. Collectively, EggStreme represents a modern paradigm where malware functions not as disparate trojans, but as a harmonized multi-layered ecosystem.
Researchers stress that conventional antivirus solutions alone are insufficient against such threats. Mitigation requires a multi-layered defense strategy: restricting the use of system utilities (LOLBins), hardening service configurations, monitoring process behavior and event correlation, and deploying advanced EDR/XDR solutions capable of uncovering complex attack chains. Only such comprehensive measures can expose operations as stealthy and sophisticated as EggStreme.
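The event-correlation mitigation above can be made concrete for this campaign's described chain (WinMail.exe loading mscorsvc.dll from the Windows Mail directory under %APPDATA%, WinMail.exe spawning cmd.exe, and explorer.exe writing the keylogger's thumbcache.dat). The following hunting script is an added example, not code from the Bitdefender report; the Sysmon-style event schema, the hostnames and the thumbcache.dat location are constructed assumptions.

```python
import ntpath

# Constructed Sysmon-style events (illustrative, not telemetry from the report).
# Field names, hostnames and the thumbcache.dat location are assumptions.
SAMPLE_EVENTS = [
    {"type": "image_load", "host": "ws01", "signed": False,
     "image": r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Windows Mail\WinMail.exe",
     "loaded": r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Windows Mail\mscorsvc.dll"},
    {"type": "process_create", "host": "ws01", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Windows Mail\WinMail.exe"},
    {"type": "file_create", "host": "ws01", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\a\AppData\Local\Temp\thumbcache.dat"},
    # Benign control: a signed system process loading a DLL from a system directory.
    {"type": "image_load", "host": "ws02", "signed": True,
     "image": r"C:\Windows\System32\svchost.exe", "loaded": r"C:\Windows\System32\wevtsvc.dll"},
]

# Directory markers a standard user can write to; sideloaded DLLs tend to live here.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

def check_sideload(ev):
    """Unsigned DLL loaded from the same user-writable directory as its host EXE."""
    if ev["type"] != "image_load" or ev["signed"]:
        return None
    exe_dir, dll_dir = (ntpath.dirname(ev[k]).lower() for k in ("image", "loaded"))
    if exe_dir == dll_dir and any(m in ev["loaded"].lower() for m in USER_WRITABLE):
        return ("dll_sideload", ev["host"], ntpath.basename(ev["loaded"]))
    return None

def check_shell(ev):
    """WinMail.exe spawning cmd.exe, the reverse-shell step of the first-stage loader."""
    if ev["type"] == "process_create" and ntpath.basename(ev["parent"]).lower() == "winmail.exe" \
            and ntpath.basename(ev["image"]).lower() == "cmd.exe":
        return ("winmail_spawns_cmd", ev["host"], ev["image"])
    return None

def check_keylog_artifact(ev):
    """explorer.exe creating thumbcache.dat, the keylogger's RC4-encrypted log file."""
    if ev["type"] == "file_create" and ntpath.basename(ev["image"]).lower() == "explorer.exe" \
            and ntpath.basename(ev["target"]).lower() == "thumbcache.dat":
        return ("keylogger_artifact", ev["host"], ev["target"])
    return None

def hunt(events):
    """Run every check over every event; each finding is a (rule, host, detail) tuple."""
    checks = (check_sideload, check_shell, check_keylog_artifact)
    return [hit for ev in events for hit in (c(ev) for c in checks) if hit]
```

Calling hunt(SAMPLE_EVENTS) fires all three rules on ws01 while the signed System32 load on ws02 stays silent, which is the correlation an EDR rule set would group into a single incident.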