Bitdefender recently discovered an insidious threat, dubbed EggStreme, that the company says is being used in a targeted cyber-espionage campaign against a Philippine military company. Bitdefender is highly confident that EggStreme can be attributed to a Chinese Advanced Persistent Threat (APT) group.
Bitdefender threat researcher Bogdan Zavadovschi will put the spotlight on the malware in a Thursday session at RSA, “EggStreme Malware: Unpacking a New APT Framework.”
First detected in 2024, the sophisticated, fileless malware framework leverages a multi-stage execution flow to establish persistent, low-profile access for long-term surveillance.
Zavadovschi told Security Point Break that the attack is stealthy and aims for persistence.
“The scope of this attack isn’t to just script it… It’s to remain, as long as possible, stealthy,” he said. “The user shouldn’t know about the malware existing on the system.”
This malware isn’t born of Artificial Intelligence, the researcher believes. That belief stems from the fact that the stealth and persistence are “extremely hard to achieve” using “only scripted binaries or prompting LLMs or doing stuff like that,” Zavadovschi said. “It takes a little bit more care” than just crafting good prompts to feed into the gullet of an LLM, he said.
So … hurray for human innovation? Not quite.
The Discovery and The Target
The EggStreme framework was uncovered when Bitdefender researchers, while reviewing telemetry data, stumbled upon a suspicious logon batch script executing from a remote location. This seemingly innocuous script initiated a complex chain of events meticulously designed for long-term cyber espionage and data exfiltration. The malware hasn’t been distributed widely; rather, it operates via highly surgical, targeted campaigns focused on regions like the Philippines, Taiwan, and Indonesia.
The Antidote to ‘AI Hype’
The first indicators of compromise date back to early 2022, well before the current explosion of generative AI. “I still believe in the next few years the true attacks that will be the true APT style will be still only human or very little AI based,” Zavadovschi noted, asserting that threat actors still need foundational knowledge that AI cannot fully replace.
EggStreme: A Modular, Memory-Only Omelette
The framework consists of a tightly integrated set of six custom-crafted malicious components designed to establish a highly resilient foothold. The attack chain typically begins with EggStremeFuel, an initial loader and backdoor deployed via DLL sideloading using a legitimate Windows binary, such as WinMail.exe. From there, EggStremeLoader decrypts and injects an intermediary stage, EggStremeReflectiveLoader, into trusted system processes like winlogon.exe.
The reflective loader ultimately deploys the framework’s “golden yolk,” EggStremeAgent, a memory-only backdoor that serves as the central nervous system of the espionage operation. It includes 58 distinct commands for system fingerprinting, resource enumeration, lateral movement, and data exfiltration, and communicates with Command-and-Control (C2) servers via mutual TLS and the gRPC protocol. The malware’s infrastructure is equally sophisticated, using the same custom Certificate Authority (CA) as a trusted root to issue certificates across all its C2 servers.
To ensure redundancy, the attackers frequently deploy EggStremeWizard, a lightweight secondary backup backdoor that is sideloaded via the legitimate xwizard.exe or leveraged through binaries like msdt.exe (or MSHTA). If the primary agent detects a new user session, it also silently injects a surveillance module, EggStremeKeylogger, directly into the active explorer.exe process to continuously capture keystrokes, clipboard data, and network configurations.
Living Off the Land
The operators behind EggStreme demonstrate a mastery of “Living off the Land” (LOL) techniques, heavily abusing legitimate, built-in system tools to execute their malicious payloads. By leveraging standard tools like the Windows Management Instrumentation Command-line (WMIC) and hijacking legitimate but disabled Windows services (such as MSiSCSI or AppMgmt), the attackers blend seamlessly into normal system operations.
To facilitate lateral movement, the toolkit also includes a custom Go-based proxy tool dubbed Stowaway, which establishes an internal network foothold that allows attackers to route traffic and bypass network-level segmentation. Because the decrypted malicious code resides solely in memory and never touches the hard drive in a decrypted state, traditional signature-based antivirus solutions are rendered largely blind.
Defense and Mitigation: Shrink the Attack Surface
Zavadovschi couldn’t stress it strongly enough: To defend against EggStreme, shrinking the attack surface is crucial. Relying on static security measures is a losing battle, he said. “When it reaches to go to the behavioral detectors, that’s already too late,” he warned, noting that attackers may have already stolen credentials or exfiltrated data by the time standard security solutions trigger an alert.
Instead, the fundamental defense strategy must revolve around proactively reducing the attack surface by …
- Locking down the environment
- Restricting the execution of high-risk LOLBins [Living off the Land binaries], and
- Adopting robust Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR) capabilities to catch behavioral anomalies early in the attack chain.
“I believe that reducing the attack surface is the best thing you can do,” Zavadovschi said. “And also trying to monitor, as much as you can, the LOLBins.”
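The monitoring Zavadovschi recommends can be expressed as a handful of rules over endpoint telemetry. The script below is an added example written for this article, not Bitdefender’s detection logic or anything from the EggStreme report: it runs four checks that map to the tradecraft described above (execution of the named LOLBins, a legitimate Windows binary relocated to a user-writable directory and loading a DLL from that same directory, a ServiceDll repoint on the normally disabled MSiSCSI or AppMgmt services, and remote threads created in winlogon.exe or explorer.exe). The event records are constructed, Sysmon-style field names (EventID, Image, ImageLoaded, TargetObject, Details, SourceImage, TargetImage) are assumed, the list of trusted directories is an assumption for the example, and the DLL and service paths in the samples are invented.

```python
"""Detection sketch for the EggStreme tradecraft described in the article.

Runs over constructed Sysmon-style event records (plain dicts), not real
telemetry. Field names follow Sysmon conventions; everything else is assumed.
"""
from collections import Counter
from dataclasses import dataclass

# LOLBins and sideload hosts named in the article (case-insensitive match).
LOLBINS = {"wmic.exe", "mshta.exe", "msdt.exe", "xwizard.exe", "winmail.exe"}
# Directories where the genuine copies live (assumption for the example).
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\windows mail\\",
)
# Disabled services the article says are hijacked; both are svchost-hosted,
# so a hijack shows up as a ServiceDll repoint rather than an ImagePath change.
HIJACKABLE_SERVICES = {"msiscsi", "appmgmt"}
# Trusted processes the article names as injection targets.
INJECTION_TARGETS = {"winlogon.exe", "explorer.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def _dirname(path: str) -> str:
    p = _norm(path)
    return p.rsplit("\\", 1)[0] + "\\" if "\\" in p else ""


def _in_trusted_dir(path: str) -> bool:
    return _norm(path).startswith(TRUSTED_DIRS)


def check_process_create(ev: dict) -> list:
    """Sysmon event 1: flag LOLBin execution, and separately flag a known
    Windows binary running from outside its trusted directory, which is what
    a copy-next-to-malicious-DLL sideload setup looks like."""
    image = ev["Image"]
    name = _basename(image)
    if name not in LOLBINS:
        return []
    out = [Finding("lolbin-exec", f"{name} <- {_basename(ev['ParentImage'])}: {ev['CommandLine']}")]
    if not _in_trusted_dir(image):
        out.append(Finding("lolbin-relocated", image))
    return out


def check_image_load(ev: dict) -> list:
    """Sysmon event 7: a sideload host loading a DLL from its own directory,
    where that directory is not a trusted system location."""
    host, dll = ev["Image"], ev["ImageLoaded"]
    if (_basename(host) in LOLBINS and not _in_trusted_dir(dll)
            and _dirname(dll) == _dirname(host)):
        return [Finding("dll-sideload", f"{host} loaded {dll}")]
    return []


def check_registry_set(ev: dict) -> list:
    """Sysmon event 13: ServiceDll of a hijackable service pointed outside
    the trusted directories."""
    key = _norm(ev["TargetObject"])
    marker = "\\services\\"
    if marker not in key or not key.endswith("\\servicedll"):
        return []
    service = key.split(marker, 1)[1].split("\\", 1)[0]
    if service in HIJACKABLE_SERVICES and not _in_trusted_dir(ev["Details"]):
        return [Finding("service-hijack", f"{service} ServiceDll -> {ev['Details']}")]
    return []


def check_remote_thread(ev: dict) -> list:
    """Sysmon event 8: remote thread into a trusted process. Low-confidence on
    its own (legitimate software does this too); correlate with the others."""
    target = _basename(ev["TargetImage"])
    if target in INJECTION_TARGETS:
        return [Finding("inject-trusted-process", f"{ev['SourceImage']} -> {target}")]
    return []


DISPATCH = {1: check_process_create, 7: check_image_load, 8: check_remote_thread, 13: check_registry_set}


def analyze(events: list) -> list:
    """Apply every rule to every event and return all findings in order."""
    findings = []
    for ev in events:
        handler = DISPATCH.get(ev.get("EventID"))
        if handler:
            findings.extend(handler(ev))
    return findings


def summarize(events: list) -> dict:
    """Count findings per rule; handy for a quick triage view."""
    return dict(Counter(f.rule for f in analyze(events)))


# Constructed sample telemetry: every path, DLL name and command line below is
# invented for the example.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "WMIC.exe os get caption"},
    {"EventID": 1, "Image": r"C:\Users\Public\Libraries\xwizard.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "xwizard.exe"},
    {"EventID": 7, "Image": r"C:\Users\Public\Libraries\xwizard.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\helper.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\xwizard.exe",          # benign load
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\MSiSCSI\Parameters\ServiceDll",
     "Details": r"C:\ProgramData\svc\iscsi.dll"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\winlogon.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",          # benign process
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
    print(summarize(SAMPLE_EVENTS))
```

Against the sample, the WMIC launch produces only a `lolbin-exec` hit (it runs from its genuine location), while the relocated xwizard.exe trips `lolbin-exec`, `lolbin-relocated` and `dll-sideload` together; that co-occurrence, plus a ServiceDll repoint or a remote thread into winlogon.exe, is the kind of early-chain cluster worth alerting on before any credentials leave the host. Real deployments would wire these rules into the EDR/XDR query language rather than run Python over exported events.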

(Lisa Vaas is a seasoned freelance journalist and content marketing professional with over 25 years of experience writing about technology, cybersecurity, careers, science, and health. She can be reached at lisavaas@lisavaas.com, lisavaas@securitypointbreak.com or via LinkedIn.)