Philippine military hit by malware; Bitdefender traces attack to Chinese APT group

CYBER ESPIONAGE ALERT – A report by Bitdefender Labs reveals that a Philippine military institution has been targeted by a new fileless malware framework called EggStreme, which security experts link to a Chinese state-backed group engaged in espionage in the South China Sea region. (Photo generated using Gemini.)

By TechWatch PH Staff

A Philippine military institution has been targeted by a newly discovered fileless malware framework named “EggStreme,” according to a detailed report released by Bitdefender Labs.

Security researchers attributed the attack to a Chinese advanced persistent threat (APT) group engaged in long-term espionage and surveillance operations, particularly in the South China Sea region.

The malware employs a multi-stage chain, starting with EggStremeFuel, which deploys EggStremeLoader to maintain persistence by modifying or replacing Windows services. The core backdoor, EggStremeAgent, is injected into trusted system processes through reflective DLL injection.

Once active, it can perform reconnaissance, move laterally across networks, execute shellcode, steal data, and log keystrokes through an embedded tool called EggStremeKeylogger.

To avoid detection, the framework abuses disabled Windows services with elevated privileges and sideloads malicious DLLs using legitimate binaries.

A secondary backdoor, EggStremeWizard, provides a fallback to preserve access. Communications with the attackers’ servers are encrypted with mutual TLS certificates generated by an attacker-controlled authority.

Bitdefender noted that the malware operates without leaving traditional file traces, employing “living off the land” techniques that make it difficult for conventional defenses to spot.

Its capabilities include file and process enumeration, registry access, screenshot capture, and remote command execution. The campaign also utilizes a proxy tool known as Stowaway to transfer instructions across compromised systems, thereby bypassing firewall rules.

Researchers urged organizations to adopt a defense-in-depth strategy to counter such threats. The report also includes technical indicators of compromise and other details to help security teams detect and prevent further intrusions.

Bitdefender’s investigation highlights the growing sophistication of state-sponsored cyber operations, which prioritize stealth, persistence, and high-value targets.

The same warning had been reported to the Philippine government as early as January this year by cybersecurity personality Rodel Plasabas, who told TechWatchPH that it appears the authorities did not act on his report.
