EggStreme Malware Emerges With Fileless Techniques and DLL Sideloading Payloads
gbhackers
A Chinese APT group compromised a Philippine military company using a new, fileless malware framework called EggStreme.
This multi-stage toolset achieves persistent, low-profile espionage by injecting malicious code directly into memory and leveraging DLL sideloading to execute payloads.
The core component, EggStremeAgent, is a full-featured backdoor that enables extensive system reconnaissance, lateral movement, and data theft via an injected keylogger.
In early 2024, a Philippine defense contractor became the target of a sophisticated cyber-espionage campaign.
Investigation revealed a previously unseen malware framework, dubbed EggStreme, whose advanced fileless design and DLL sideloading techniques enabled the attackers to evade detection and maintain stealthy, long-term access.
Indicators tie this operation to Chinese state-sponsored threat actors seeking strategic intelligence in the South China Sea region.
The EggStreme framework unfolds through a carefully orchestrated sequence of loaders and injectors.
It begins when an attacker executes a logon script on an SMB share ...
Copyright of this story solely belongs to gbhackers.