Subj : China-related threat acto
To   : All
From : Mike Powell
Date : Fri Sep 12 2025 09:37 am

China-related threat actors deployed a new fileless malware against the
Philippines military

Date:
Thu, 11 Sep 2025 20:12:00 +0000

Description:
An unknown threat actor with an unknown malware framework, doing
reconnaissance and espionage.

FULL STORY

A Chinese threat actor attacked a Philippine military company with a
never-before-seen, fileless malware framework, researchers warned.

Earlier this week, cybersecurity outfit Bitdefender published an in-depth
report about EggStreme, a multi-stage toolset that achieves low-profile
espionage by injecting malicious code directly into memory and leveraging DLL
sideloading to execute payloads.

It counts six different components: EggStremeFuel (initial loader DLL,
sideloaded via a legitimate binary and establishes a reverse shell),
EggStremeLoader (reads encrypted payloads and injects them into processes),
EggStremeReflectiveLoader (decrypts and injects the final payload),
EggStremeAgent (main backdoor implant with 58 commands), EggStremeKeylogger
(grabs keystrokes and sensitive user data), and EggStremeWizard (secondary
backdoor for redundancy).

Sideloading DLLs

Bitdefender tried to link the framework to known Chinese APT players, but
failed to find a plausible connection, The Hacker News reported. "We put
quite a lot of effort into attribution efforts, but couldn't find anything,"
Martin Zugec, technical solutions director at Bitdefender, told the
publication. "However, objectives align with Chinese APTs. For this one, our
attribution is based on interests/objectives."

The objectives for this one, it seems, are cyber-espionage, reconnaissance,
and long-term, low-profile persistence, something Chinese actors are known
for - not just in the Philippines, but elsewhere in the region (Vietnam,
Taiwan, and other neighboring countries), as well as around the world.

Salt Typhoon is perhaps the most documented Chinese APT out there, and it was
recently caught in numerous telecommunications service provider companies in
the US.

The EggStreme malware framework is delivered via a side-loaded DLL file. This
file was activated using trusted executables, allowing it to bypass security
controls. However, how the DLL file was dropped onto the victims device in
the first place, remains unknown.

Usual methods include supply chain compromise, deploying the DLL manually
(via previously obtained access), or through drive-by compromise and lateral
movement.

Via The Hacker News

======================================================================
Link to news story:
https://www.techradar.com/pro/security/china-related-threat-actors-deployed-a-
new-fileless-malware-against-the-philippines-military

$$
--- SBBSecho 3.28-Linux
* Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)

You are viewing proxied material from vert.synchro.net. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.