Cybersecurity News in Asia

RECENT STORIES:

SEGA moves faster with flow-based network monitoring
Do identity security management adapt with better AI adoption and gove...
Cyberattack in Japan brews industry trouble, halts major beer producti...
Industry and technology leaders provide insights on AI trust and deplo...
HOSTWAY gains 73% operational efficiency for private cloud operations ...
Cyber education in schools: The overlooked frontline of national secur...
LOGIN REGISTER
CybersecAsia
  • Features
    • Featured

      Fragmented data, fractured trust

      Fragmented data, fractured trust

      Tuesday, September 30, 2025, 3:09 PM Asia/Singapore | Features
    • Featured

      Securing collaboration and data in the agentic workspace

      Securing collaboration and data in the agentic workspace

      Thursday, September 25, 2025, 4:58 PM Asia/Singapore | Features, News, Newsletter, Tips
    • Featured

      Clearing away the shadows of AI

      Clearing away the shadows of AI

      Tuesday, September 23, 2025, 5:33 PM Asia/Singapore | Features, Newsletter
  • Opinions
  • Tips
  • Whitepapers
  • Awards 2025
  • Directory
  • E-Learning

Select Page

News

Advanced fileless malware targets Philippine military using stealth techniques

By CybersecAsia editors | Monday, September 15, 2025, 4:56 PM Asia/Singapore

Advanced fileless malware targets Philippine military using stealth techniques

Researchers reveal a multi-step, in-memory attack leveraging DLL sideloading and encrypted payloads to maintain covert access.

Threat researchers have uncovered a sophisticated and stealthy cyber-espionage framework used by an advanced persistent threat (APT) group targeting a Philippine military firm.

This multi-stage, fileless malware campaign leverages a combination of living-off-the-land techniques and in-memory execution to maintain persistent access, avoid detection, and perform extensive system reconnaissance and data theft.

The initial intrusion was linked to the execution of a logon batch script from a remote SMB share, deploying a legitimate Windows binary alongside a malicious dynamic link library (DLL). This DLL hijacking (or sideloading) tactic had allowed the malware to execute payloads under the guise of trusted processes, bypassing traditional file-based security mechanisms. The first-stage loader had then established a reverse shell and enabled remote command execution on compromised systems.

Technical overview and attack methodology

To maintain persistence, the attackers abused pre-existing but typically disabled Windows services, either by modifying service registry keys to point to malicious DLLs, or by replacing legitimate service binaries. These services were then configured to run with elevated privileges, granting the attackers extensive access to the system memory and processes. Also:

  • The core payload was delivered and executed entirely in memory through a novel reflective loader. This loader decrypted and injected the main backdoor into trusted processes such as the Windows Defender service or explorer.exe, facilitating stealthy control and communication with the command-and-control (C2) servers.
  • Communication with the attacker’s C2 infrastructure had employed modern secure protocols and mutual TLS authentication, utilizing attacker-owned certificates for encrypted and authenticated remote procedure calls.
  • The backdoor supports a wide array of capabilities: comprehensive system fingerprinting; file and process manipulation; privilege escalation; network resource enumeration; lateral movement; and data exfiltration. It operates with a full command set designed for long-term surveillance and control without leaving decrypted malware files on disk.
  • Secondary lightweight backdoor had been observed, which was deployed to ensure redundancy in case the primary implant had been intercepted. This auxiliary component used a legitimate binary relocated to a user-writable directory for DLL sideloading and supported encrypted communication, remote command execution, and flexible command updates.
  • To gather sensitive user input, the threat actors had injected an encrypted keylogger directly into the memory of active explorer.exe processes. This keylogger intercepted keystrokes, clipboard content, and network adapter changes, encrypting logged data in real time for covert collection.

Finally, the attackers had leveraged a proxy tool to establish internal network footholds and route commands across the compromised environment, effectively bypassing segmentation and network-level defenses. Many methods bear telltale signs of a China-linked APT, but no specific threat group has been identified.

According to Martin Zugec, Technical Solutions Director, Bitdefender, the firm disclosing its investigations, this attack suggests in general that APTs aligned with Chinese interests could be “increasing their focus on espionage campaigns against military adversaries.”

Share:

PreviousHow to wage proactive defense against evolving cyber threats with Deception-as-a-Service
NextUS senator requests FTC probe over software giant’s poor cybersecurity track record

Related Posts

Internet disruption trends in Q2 2025 surge amid infrastructure and political challenges

Internet disruption trends in Q2 2025 surge amid infrastructure and political challenges

Tuesday, August 5, 2025

Despite global industry layoffs, India’s cybersecurity sector buzzes on

Despite global industry layoffs, India’s cybersecurity sector buzzes on

Friday, February 24, 2023

One day to V-Day: did you fall for any of these scams yet?

One day to V-Day: did you fall for any of these scams yet?

Monday, February 13, 2023

Ransomware remains a potent threat in 2023 despite improved detection

Ransomware remains a potent threat in 2023 despite improved detection

Monday, March 20, 2023

Leave a reply Cancel reply

You must be logged in to post a comment.

Voters-draw/RCA-Sponsors

Slide
Slide
Slide
Slide
Slide
Slide
Slide
Slide
Slide
Slide
Slide
Slide
Slide
Slide
previous arrow
next arrow

CybersecAsia Voting Placement

Gamification listing or Participate Now

PARTICIPATE NOW

Vote Now -Placement(Google Ads)

Top-Sidebar-banner

Whitepapers

  • 2024 Insider Threat Report: Trends, Challenges, and Solutions

    2024 Insider Threat Report: Trends, Challenges, and Solutions

    Insider threats continue to be a major cybersecurity risk in 2024. Explore more insights on …Download Whitepaper
  • AI-Powered Cyber Ops: Redefining Cloud Security for 2025

    AI-Powered Cyber Ops: Redefining Cloud Security for 2025

    The future of cybersecurity is a perfect storm: AI-driven attacks, cloud expansion, and the convergence …Download Whitepaper
  • Data Management in the Age of Cloud and AI

    Data Management in the Age of Cloud and AI

    In today’s Asia Pacific business environment, organizations are leaning on hybrid multi-cloud infrastructures and advanced …Download Whitepaper
  • Mitigating Ransomware Risks with GRC Automation

    Mitigating Ransomware Risks with GRC Automation

    In today’s landscape, ransomware attacks pose significant threats to organizations of all sizes, with increasing …Download Whitepaper

Middle-sidebar-banner

Case Studies

  • HOSTWAY gains 73% operational efficiency for private cloud operations  

    HOSTWAY gains 73% operational efficiency for private cloud operations  

    With NetApp storage solutions, the Korean managed cloud service provider offers a lean, intelligent architecture, …Read more
  • CISOs can navigate emerging risks from autonomous AI with a new security framework

    CISOs can navigate emerging risks from autonomous AI with a new security framework

    See how security leaders can adopt layered strategies addressing intent, governance, and oversight to manage …Read more
  • MoneyMe strengthens fraud prevention and credit decisioning

    MoneyMe strengthens fraud prevention and credit decisioning

    Australian fintech strengthens risk management with SEON to scale lending operations securely and efficiently.Read more
  • PT Kereta Api Indonesia announces nationwide email and communication overhaul

    PT Kereta Api Indonesia announces nationwide email and communication overhaul

    The state railway operator’s upgraded email system improves privacy, operational reliability, and regulatory alignment for …Read more

Bottom sidebar

  • Our Brands
  • DigiconAsia
  • MartechAsia
  • Home
  • About Us
  • Contact Us
  • Sitemap
  • Privacy & Cookies
  • Terms of Use
  • Advertising & Reprint Policy
  • Media Kit
  • Subscribe
  • Manage Subscriptions
  • Newsletter

Copyright © 2025 CybersecAsia All Rights Reserved.