EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company

Ctrl-Alt-DECODE is a newsletter for security practitioners and anyone interested in learning about the latest developments in the field. Our goal is to provide a dedicated resource for relevant, technical, and actionable threat intelligence, focused on our own original research rather than rehashing existing news.

In this issue, we provide an in-depth look at our latest research on the EggStreme framework, a new and sophisticated malware toolset. Our analysis reveals that this is not a loose collection of exploits but a unified, multi-stage framework designed for long-term espionage. We have attributed the campaign to a highly professional APT group targeting a military company in the Philippines. 

The framework's primary strength is its fileless nature and its use of memory injection and DLL sideloading, which let it operate with a low profile. The core component, EggStremeAgent, enables the attackers to perform extensive network discovery, lateral movement, and data theft through an integrated keylogger.

For a full breakdown of the threat, including enriched data and comprehensive analysis, you can read our complete research report and check our Threat Intelligence Platform. 

Read the full research here: 🔗https://businessinsights.bitdefender.com/eggstreme-fileless-malware-cyberattack-apac?cid=soc%7Cb%7Cli%7Cnl

Explore enriched data on our IntelliZone Platform: 🔗https://intellizone.bitdefender.com/en/threat-search/threats/BDtqkhbtsw 

To provide new ways to stay current with our research, we are announcing three new initiatives. 

First, all Indicators of Compromise (IOCs) from this report are now hosted on a public GitHub repository to enhance collaboration and accessibility.

Access IOCs here: 🔗https://github.com/bitdefender/malware-ioc/blob/master/2025_09_10-eggstreme-iocs.csv 

📅 Second, on September 18, we invite you to join our LinkedIn Live discussion, where our experts will provide a full breakdown of the EggStreme research and answer your questions. 

Join the conversation here: 🔗https://www.linkedin.com/events/7371525306291130368/ 

Finally, you are reading the very first issue of our new newsletter, designed to provide you with exclusive threat intelligence, original research, and actionable advisories directly from Bitdefender Labs and MDR. We want to be clear that this is not a sales or marketing publication; it is a resource dedicated to providing only relevant, technical, and actionable threat intelligence. We invite you to subscribe, share this newsletter with your network, and tell us how we're doing at ✉️ decode@bitdefender.com.
