Advanced fileless malware targets Philippine military using stealth techniques

By CybersecAsia editors | Monday, September 15, 2025, 4:56 PM Asia/Singapore

Researchers reveal a multi-step, in-memory attack leveraging DLL sideloading and encrypted payloads to maintain covert access.

Threat researchers have uncovered a sophisticated and stealthy cyber-espionage framework used by an advanced persistent threat (APT) group targeting a Philippine military firm.

This multi-stage, fileless malware campaign leverages a combination of living-off-the-land techniques and in-memory execution to maintain persistent access, avoid detection, and perform extensive system reconnaissance and data theft.

The initial intrusion was linked to the execution of a logon batch script from a remote SMB share, deploying a legitimate Windows binary alongside a malicious dynamic link library (DLL). This DLL hijacking (or sideloading) tactic had allowed the malware to execute payloads under the guise of trusted processes, bypassing traditional file-based security mechanisms. The first-stage loader had then established a reverse shell and enabled remote command execution on compromised systems.

Technical overview and attack methodology

To maintain persistence, the attackers abused pre-existing but typically disabled Windows services, either by modifying service registry keys to point to malicious DLLs, or by replacing legitimate service binaries. These services were then configured to run with elevated privileges, granting the attackers extensive access to the system memory and processes. Also:

The core payload was delivered and executed entirely in memory through a novel reflective loader. This loader decrypted and injected the main backdoor into trusted processes such as the Windows Defender service or explorer.exe, facilitating stealthy control and communication with the command-and-control (C2) servers.
Communication with the attacker’s C2 infrastructure had employed modern secure protocols and mutual TLS authentication, utilizing attacker-owned certificates for encrypted and authenticated remote procedure calls.
The backdoor supports a wide array of capabilities: comprehensive system fingerprinting; file and process manipulation; privilege escalation; network resource enumeration; lateral movement; and data exfiltration. It operates with a full command set designed for long-term surveillance and control without leaving decrypted malware files on disk.
Secondary lightweight backdoor had been observed, which was deployed to ensure redundancy in case the primary implant had been intercepted. This auxiliary component used a legitimate binary relocated to a user-writable directory for DLL sideloading and supported encrypted communication, remote command execution, and flexible command updates.
To gather sensitive user input, the threat actors had injected an encrypted keylogger directly into the memory of active explorer.exe processes. This keylogger intercepted keystrokes, clipboard content, and network adapter changes, encrypting logged data in real time for covert collection.

Finally, the attackers had leveraged a proxy tool to establish internal network footholds and route commands across the compromised environment, effectively bypassing segmentation and network-level defenses. Many methods bear telltale signs of a China-linked APT, but no specific threat group has been identified.

According to Martin Zugec, Technical Solutions Director, Bitdefender, the firm disclosing its investigations, this attack suggests in general that APTs aligned with Chinese interests could be “increasing their focus on espionage campaigns against military adversaries.”

Leave a reply Cancel reply

You must be logged in to post a comment.

Voters-draw/RCA-Sponsors

CybersecAsia Voting Placement

Gamification listing or Participate Now

Vote Now -Placement(Google Ads)

Top-Sidebar-banner

Whitepapers

2024 Insider Threat Report: Trends, Challenges, and Solutions
Insider threats continue to be a major cybersecurity risk in 2024. Explore more insights on …Download Whitepaper
AI-Powered Cyber Ops: Redefining Cloud Security for 2025
The future of cybersecurity is a perfect storm: AI-driven attacks, cloud expansion, and the convergence …Download Whitepaper
Data Management in the Age of Cloud and AI
In today’s Asia Pacific business environment, organizations are leaning on hybrid multi-cloud infrastructures and advanced …Download Whitepaper
Mitigating Ransomware Risks with GRC Automation
In today’s landscape, ransomware attacks pose significant threats to organizations of all sizes, with increasing …Download Whitepaper

Middle-sidebar-banner

Case Studies

CISOs can navigate emerging risks from autonomous AI with a new security framework
See how security leaders can adopt layered strategies addressing intent, governance, and oversight to manage …Read more
MoneyMe strengthens fraud prevention and credit decisioning
Australian fintech strengthens risk management with SEON to scale lending operations securely and efficiently.Read more
PT Kereta Api Indonesia announces nationwide email and communication overhaul
The state railway operator’s upgraded email system improves privacy, operational reliability, and regulatory alignment for …Read more
Operationalizing sustainability in cybersecurity: Group-IB’s approach
See how the firm turned malware-group takedowns into measurements of sustainability and resilience gains: by …Read more

Featured

The rise of digital wallets: What businesses in APAC need to know

Featured

Resilience the true benchmark for smart infrastructure

Featured