Incident responders discovered a novel malware framework while investigating an attack on a Philippine military company attributed to a government-backed hacking group from China.

Cybersecurity company Bitdefender published a blog post this week about EggStreme, a multi-stage toolset that gave the alleged Chinese hackers backdoor access to conduct an espionage campaign. The core component of the malware, EggStremeAgent, allows hackers to perform reconnaissance, move laterally through a victim's network, steal data and track keystrokes.

Martin Zugec, technical solutions director at Bitdefender, said researchers spent a significant amount of time trying to attribute the attack to a specific Chinese APT group but could not find anything. They determined the attack was launched by China because the target and objectives aligned with past campaigns attributed to Chinese groups.

China and the Philippines have been at odds for years over Beijing's longstanding desire to control large parts of the South China Sea. The hotly contested area has seen China encroach on territorial claims made by Vietnam, the Philippines, Malaysia, Indonesia and Taiwan. This week, the Philippines expressed outrage at Chinese plans to create a nature reserve in the Sea, calling it a "clear pretext for occupation."

Zugec said the EggStreme campaign lasted for more than a year.

"The first activity we observed related to this campaign occurred on April 9, 2024. The final observed activity against a victim was on June 13, 2025," Zugec said. "As an interesting fact, we've also recently received telemetry that points to the attackers' awareness of our detections. Starting on September 4, 2025, a machine running a consumer variant of our solution in Singapore communicated with a known EggStremeAgent C2."

The investigators found evidence that the threat actors were testing parts of the malware against endpoint defense solutions in an effort to see how effective they are.
Bitdefender decided to publicize the incident because of EggStreme, which they called "a new and advanced malware toolset." The company said the EggStreme framework is a tightly integrated set of malicious components that, unlike traditional malware, operates "with a clear, multi-stage flow designed to establish a resilient foothold on compromised systems."

Bitdefender broke the malware framework down into several parts, the most important of which is EggStremeAgent. EggStremeAgent serves as the central nervous system of the framework, monitoring user sessions and injecting a keylogger into a device's processes to silently collect keystrokes and other sensitive information. The backdoor offers a wide range of capabilities, allowing hackers to inject other payloads, move around a victim's network and more.

"What makes this framework difficult to detect is its fileless nature. While encrypted malware components are present on the disk, the decrypted malicious code is executed and resides solely in memory, never touching the file system," Bitdefender researchers explained.

The attackers leveraged legitimate Windows services to blend into the system's normal operations and maintain access, according to Bitdefender. The malware also allows threat actors to track IP addresses, extract configuration information and monitor the device's clipboard.

Zugec explained that EggStreme highlights a challenge many organizations face: detecting and interpreting the subtle signals that sophisticated threat actors leave behind.

"The threat actor demonstrates an advanced understanding of modern defensive techniques by employing a variety of tactics to evade detection," the researchers said.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.