Cybersecurity News in Asia

RECENT STORIES:

SEGA moves faster with flow-based network monitoring
Android trojan mimics human typing traits to evade behavioral detectio...
Embedding cybersecurity culture in financial institutions: lessons in ...
Upgrading biometric authentication system protects customers in the Ph...
Mastercard introduces first-ever threat intelligence solution to comba...
Around 16.4m email accounts added to largest dataset of stolen credent...
LOGIN REGISTER
CybersecAsia
  • Features
    • Featured

      Embedding cybersecurity culture in financial institutions: lessons in leadership, collaboration, and cyber resilience

      Embedding cybersecurity culture in financial institutions: lessons in leadership, collaboration, and cyber resilience

      Thursday, October 30, 2025, 11:37 AM Asia/Singapore | Features, Newsletter
    • Featured

      Biometrics and the digital identity crisis today

      Biometrics and the digital identity crisis today

      Tuesday, October 28, 2025, 3:30 PM Asia/Singapore | Features
    • Featured

      Collaboration and data security for today’s agentic workspace

      Collaboration and data security for today’s agentic workspace

      Wednesday, October 22, 2025, 1:42 PM Asia/Singapore | Features, Tips
  • Opinions
  • Tips
  • Whitepapers
  • Awards 2025
  • Directory
  • E-Learning

Select Page

News

Advanced fileless malware targets Philippine military using stealth techniques

By CybersecAsia editors | Monday, September 15, 2025, 4:56 PM Asia/Singapore

Advanced fileless malware targets Philippine military using stealth techniques

Researchers reveal a multi-step, in-memory attack leveraging DLL sideloading and encrypted payloads to maintain covert access.

Threat researchers have uncovered a sophisticated and stealthy cyber-espionage framework used by an advanced persistent threat (APT) group targeting a Philippine military firm.

This multi-stage, fileless malware campaign leverages a combination of living-off-the-land techniques and in-memory execution to maintain persistent access, avoid detection, and perform extensive system reconnaissance and data theft.

The initial intrusion was linked to the execution of a logon batch script from a remote SMB share, deploying a legitimate Windows binary alongside a malicious dynamic link library (DLL). This DLL hijacking (or sideloading) tactic had allowed the malware to execute payloads under the guise of trusted processes, bypassing traditional file-based security mechanisms. The first-stage loader had then established a reverse shell and enabled remote command execution on compromised systems.

Technical overview and attack methodology

To maintain persistence, the attackers abused pre-existing but typically disabled Windows services, either by modifying service registry keys to point to malicious DLLs, or by replacing legitimate service binaries. These services were then configured to run with elevated privileges, granting the attackers extensive access to the system memory and processes. Also:

  • The core payload was delivered and executed entirely in memory through a novel reflective loader. This loader decrypted and injected the main backdoor into trusted processes such as the Windows Defender service or explorer.exe, facilitating stealthy control and communication with the command-and-control (C2) servers.
  • Communication with the attacker’s C2 infrastructure had employed modern secure protocols and mutual TLS authentication, utilizing attacker-owned certificates for encrypted and authenticated remote procedure calls.
  • The backdoor supports a wide array of capabilities: comprehensive system fingerprinting; file and process manipulation; privilege escalation; network resource enumeration; lateral movement; and data exfiltration. It operates with a full command set designed for long-term surveillance and control without leaving decrypted malware files on disk.
  • Secondary lightweight backdoor had been observed, which was deployed to ensure redundancy in case the primary implant had been intercepted. This auxiliary component used a legitimate binary relocated to a user-writable directory for DLL sideloading and supported encrypted communication, remote command execution, and flexible command updates.
  • To gather sensitive user input, the threat actors had injected an encrypted keylogger directly into the memory of active explorer.exe processes. This keylogger intercepted keystrokes, clipboard content, and network adapter changes, encrypting logged data in real time for covert collection.

Finally, the attackers had leveraged a proxy tool to establish internal network footholds and route commands across the compromised environment, effectively bypassing segmentation and network-level defenses. Many methods bear telltale signs of a China-linked APT, but no specific threat group has been identified.

According to Martin Zugec, Technical Solutions Director, Bitdefender, the firm disclosing its investigations, this attack suggests in general that APTs aligned with Chinese interests could be “increasing their focus on espionage campaigns against military adversaries.”

Share:

PreviousHow to wage proactive defense against evolving cyber threats with Deception-as-a-Service
NextUS senator requests FTC probe over software giant’s poor cybersecurity track record

Related Posts

Out with the password: multifactor authentication is in

Out with the password: multifactor authentication is in

Wednesday, June 2, 2021

Security, convenience and fraud management in digital payments

Security, convenience and fraud management in digital payments

Tuesday, January 28, 2025

Rise in cyberattacks in the wake of COVID-19 explained

Rise in cyberattacks in the wake of COVID-19 explained

Wednesday, April 8, 2020

Are some CFOs over-confident about cybersecurity?

Are some CFOs over-confident about cybersecurity?

Friday, September 16, 2022

Leave a reply Cancel reply

You must be logged in to post a comment.

Voters-draw/RCA-Sponsors

Slide
Slide
Slide
Slide
Slide
Slide
Slide
Slide
Slide
Slide
Slide
Slide
Slide
Slide
previous arrow
next arrow

CybersecAsia Voting Placement

Gamification listing or Participate Now

PARTICIPATE NOW

Vote Now -Placement(Google Ads)

Top-Sidebar-banner

Whitepapers

  • 2024 Insider Threat Report: Trends, Challenges, and Solutions

    2024 Insider Threat Report: Trends, Challenges, and Solutions

    Insider threats continue to be a major cybersecurity risk in 2024. Explore more insights on …Download Whitepaper
  • AI-Powered Cyber Ops: Redefining Cloud Security for 2025

    AI-Powered Cyber Ops: Redefining Cloud Security for 2025

    The future of cybersecurity is a perfect storm: AI-driven attacks, cloud expansion, and the convergence …Download Whitepaper
  • Data Management in the Age of Cloud and AI

    Data Management in the Age of Cloud and AI

    In today’s Asia Pacific business environment, organizations are leaning on hybrid multi-cloud infrastructures and advanced …Download Whitepaper
  • Mitigating Ransomware Risks with GRC Automation

    Mitigating Ransomware Risks with GRC Automation

    In today’s landscape, ransomware attacks pose significant threats to organizations of all sizes, with increasing …Download Whitepaper

Middle-sidebar-banner

Case Studies

  • Upgrading biometric authentication system protects customers in the Philippines: UnionDigital Bank

    Upgrading biometric authentication system protects customers in the Philippines: UnionDigital Bank

    An improved dual-liveness biometric framework can counter more deepfake threats, ensure compliance, and protect underbanked …Read more
  • HOSTWAY gains 73% operational efficiency for private cloud operations  

    HOSTWAY gains 73% operational efficiency for private cloud operations  

    With NetApp storage solutions, the Korean managed cloud service provider offers a lean, intelligent architecture, …Read more
  • CISOs can navigate emerging risks from autonomous AI with a new security framework

    CISOs can navigate emerging risks from autonomous AI with a new security framework

    See how security leaders can adopt layered strategies addressing intent, governance, and oversight to manage …Read more
  • MoneyMe strengthens fraud prevention and credit decisioning

    MoneyMe strengthens fraud prevention and credit decisioning

    Australian fintech strengthens risk management with SEON to scale lending operations securely and efficiently.Read more

Bottom sidebar

  • Our Brands
  • DigiconAsia
  • MartechAsia
  • Home
  • About Us
  • Contact Us
  • Sitemap
  • Privacy & Cookies
  • Terms of Use
  • Advertising & Reprint Policy
  • Media Kit
  • Subscribe
  • Manage Subscriptions
  • Newsletter

Copyright © 2025 CybersecAsia All Rights Reserved.