Philippine military hit by malware; Bitdefender traces attack to Chinese APT group
CYBER ESPIONAGE ALERT – A report by Bitdefender Labs reveals that a Philippine military institution has been targeted by a new fileless malware framework called EggStreme, which security experts link to a Chinese state-backed group engaged in espionage in the South China Sea region. Bitdefender uncovers Chinese-linked cyberattack on PH military firm. (Photo generated using Gemini.)
By TechWatch PH Staff
A Philippine military institution has been targeted by a newly discovered fileless malware framework named “EggStreme,” according to a detailed report released by Bitdefender Labs.
Security researchers attributed the attack to a Chinese advanced persistent threat (APT) group engaged in long-term espionage and surveillance operations, particularly in the South China Sea region.
The malware employs a multi-stage chain, starting with EggStremeFuel, which deploys EggStremeLoader to maintain persistence by modifying or replacing Windows services. The core backdoor, EggStremeAgent, is injected into trusted system processes through reflective DLL injection.
Once active, it can perform reconnaissance, move laterally across networks, execute shellcode, steal data, and log keystrokes through an embedded tool called EggStremeKeylogger.
To avoid detection, the framework abuses disabled Windows services with elevated privileges and sideloads malicious DLLs using legitimate binaries.
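The two behaviours described above, persistence by modifying or re-enabling Windows services and DLL sideloading through legitimate binaries, both leave traces in ordinary Windows telemetry. The script below is an added example of how a defender can triage that telemetry; it is not Bitdefender's tooling and not code from the report. It assumes event records already parsed into dictionaries (System log IDs 7040 and 7045 for service start-type changes and new service installs, Sysmon ID 7 for image loads); the sample records are constructed, as are the rule names and the trusted-directory list.

```python
"""Heuristic triage of Windows service and DLL-load telemetry for the two
behaviours the article describes: persistence by modifying or re-enabling
services, and DLL sideloading through legitimate binaries.  Added example,
not Bitdefender's tooling; the event records are constructed to mimic parsed
System log (IDs 7040/7045) and Sysmon image-load (ID 7) fields."""

from dataclasses import dataclass
from typing import Iterable, List, Optional
import ntpath

# Directories from which a legitimately installed service binary or system
# DLL is expected to load; anything else deserves a second look (assumption).
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"source": "System", "id": 7040, "service": "WSearch",
     "old_start": "disabled", "new_start": "auto start"},
    {"source": "System", "id": 7045, "service": "UpdateSvc",
     "image_path": "C:\\ProgramData\\svc\\updater.exe",
     "start_type": "auto start", "account": "LocalSystem"},
    {"source": "Sysmon", "id": 7, "image": "C:\\Users\\Public\\tools\\legit.exe",
     "image_loaded": "C:\\Users\\Public\\tools\\helper.dll", "signed": "false"},
    {"source": "Sysmon", "id": 7, "image": "C:\\Windows\\System32\\svchost.exe",
     "image_loaded": "C:\\Windows\\System32\\helper.dll", "signed": "true"},
    {"source": "System", "id": 7040, "service": "Spooler",
     "old_start": "auto start", "new_start": "demand start"},
    {"source": "System", "id": 7045, "service": "VendorAgent",
     "image_path": "C:\\Program Files\\Vendor\\agent.exe",
     "start_type": "auto start", "account": "LocalSystem"},
]


@dataclass
class Finding:
    rule: str      # short rule name
    subject: str   # service name or host process
    detail: str    # human-readable reason


def _norm(path: str) -> str:
    """Strip quotes and lower-case a Windows path for prefix comparison."""
    return path.strip('"').lower()


def _in_trusted_dir(path: str) -> bool:
    return _norm(path).startswith(TRUSTED_DIRS)


def check_start_type_change(ev: dict) -> Optional[Finding]:
    """System 7040: a service that was Disabled is switched back on.
    Re-enabling a dormant, high-privilege service is the persistence
    pattern the article describes."""
    if ev.get("source") != "System" or ev.get("id") != 7040:
        return None
    if ev["old_start"].lower() == "disabled" and ev["new_start"].lower() != "disabled":
        return Finding("service-reenabled", ev["service"],
                       f"start type changed from {ev['old_start']} to {ev['new_start']}")
    return None


def check_new_service(ev: dict) -> Optional[Finding]:
    """System 7045: a new service whose binary lives outside trusted
    directories (ProgramData, user profiles, temp folders)."""
    if ev.get("source") != "System" or ev.get("id") != 7045:
        return None
    if not _in_trusted_dir(ev["image_path"]):
        return Finding("service-untrusted-path", ev["service"],
                       f"binary {ev['image_path']} runs as {ev.get('account', '?')}")
    return None


def check_dll_sideload(ev: dict) -> Optional[Finding]:
    """Sysmon 7: a process loads an unsigned DLL from its own directory,
    outside trusted directories.  That is the sideload shape: a legitimate
    host binary resolving a DLL by name next to itself."""
    if ev.get("source") != "Sysmon" or ev.get("id") != 7:
        return None
    host, dll = _norm(ev["image"]), _norm(ev["image_loaded"])
    same_dir = ntpath.dirname(host) == ntpath.dirname(dll)
    if ev.get("signed", "").lower() != "true" and same_dir and not _in_trusted_dir(dll):
        return Finding("dll-sideload-candidate", ev["image"],
                       f"unsigned {ev['image_loaded']} loaded from host directory")
    return None


RULES = (check_start_type_change, check_new_service, check_dll_sideload)


def triage(events: Iterable[dict]) -> List[Finding]:
    """Run every rule over every event and collect the findings in order."""
    findings: List[Finding] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.subject}: {finding.detail}")
```

Run against the constructed events, the script flags the re-enabled WSearch service, the new service installed from ProgramData, and the unsigned DLL loaded beside a binary in a user-writable folder, while the signed System32 load, the routine Spooler change and the Program Files service pass. These are triage heuristics, not proof of compromise: each rule raises a candidate for an analyst to confirm against the indicators Bitdefender published.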
A secondary backdoor, EggStremeWizard, provides a fallback to preserve access. Communications with the attackers’ servers are encrypted with mutual TLS certificates generated by an attacker-controlled authority.
Bitdefender noted that the malware operates without leaving traditional file traces, employing “living off the land” techniques that make it difficult for conventional defenses to spot.
Its capabilities include file and process enumeration, registry access, screenshot capture, and remote command execution. The campaign also utilizes a proxy tool known as Stowaway to transfer instructions across compromised systems, thereby bypassing firewall rules.
Researchers urged organizations to adopt a defense-in-depth strategy to counter such threats. The report also published technical indicators and details to help cybersecurity teams detect and prevent further intrusions.
Bitdefender’s investigation highlights the growing sophistication of state-sponsored cyber operations, which prioritize stealth, persistence, and high-value targets.
The same warning had been reported to the Philippine government as early as January this year by cybersecurity personality Rodel Plasabas, who told TechWatchPH that it appears the authorities did not act on his report.