EggStremeFuel
EggStremeFuel is a lightweight TCP-based Windows backdoor written in C and used in 2025 cyberespionage activity against a Southeast Asian government organization. It was deployed by the China-linked CL-STA-1048 cluster, which overlaps with publicly tracked activity associated with Earth Estries (Salt Typhoon) and Crimson Palace. Reporting places its use within a broader multi-cluster campaign involving other malware families such as Masol RAT, EggStreme Loader/Gorem RAT, TrackBak, HIUPAN/USBFect, PUBLOAD, Hypnosis Loader, and FluffyGh0st, with the overall objective assessed as long-term persistent access and data exfiltration from sensitive government networks.
Observed capabilities include file upload and download, file and directory enumeration, starting or terminating a reverse shell, sending the victim's current global IP address, and updating its command-and-control configuration. Unit 42 reported that EggStremeFuel used RC4-encrypted C2 configuration data, stored on disk in %APPDATA%\Microsoft\Windows\Cookies\Cookies.dat. It has also been described as a lightweight backdoor detected by YARA rules matching malicious functions such as C2 communications and system information gathering.
High-confidence indicators directly mentioned in the reporting include the DLL filename mscorsvc.dll and SHA256 1aa37a477c539edf25656a300002a28d4246ec83344422dd705b42d3443a2623, identified on Aug. 9, 2025 as the EggStremeFuel backdoor. The reporting also notes that EggStremeFuel is also known as RawCookie.
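As an added analyst example (not code from the page, from Unit 42, or from the malware itself), the following Python helper shows how a recovered RC4-encrypted config blob such as the Cookies.dat artifact named above can be trial-decrypted under candidate keys and scored for plausibility. The key, the config layout and the sample bytes are constructed placeholders; the page gives neither the real key nor the real config format.

```python
# Added analyst example: RC4-decrypt a recovered config blob (e.g. the
# Cookies.dat artifact named in the reporting) under candidate keys and keep
# the result that looks like text. Key, config layout and bytes below are
# CONSTRUCTED placeholders; the real key and format are not on the page.
from typing import Iterable, Optional, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key-scheduling algorithm, then PRGA keystream XOR."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def printable_ratio(buf: bytes) -> float:
    """Share of bytes that are printable ASCII or whitespace (0.0 for empty)."""
    if not buf:
        return 0.0
    return sum(1 for b in buf if 32 <= b < 127 or b in (9, 10, 13)) / len(buf)


def try_keys(blob: bytes, candidates: Iterable[bytes],
             threshold: float = 0.9) -> Optional[Tuple[bytes, bytes]]:
    """Return (key, plaintext) for the first key whose output is mostly text.
    A wrong RC4 key yields pseudo-random bytes that score far below the
    threshold, so a high printable ratio is a cheap plausibility signal."""
    for key in candidates:
        plaintext = rc4(key, blob)
        if printable_ratio(plaintext) >= threshold:
            return key, plaintext
    return None


# Constructed demo blob: a made-up host:port config under a made-up key.
DEMO_KEY = b"demo-key-not-real"
DEMO_CONFIG = b"c2=198.51.100.23:443;retry=60"  # RFC 5737 documentation IP
DEMO_BLOB = rc4(DEMO_KEY, DEMO_CONFIG)

if __name__ == "__main__":
    print(try_keys(DEMO_BLOB, [b"wrong", b"also-wrong", DEMO_KEY]))
```

On a real sample the candidate list would come from strings or constants recovered during static analysis, and the plausibility check can be tightened to the config grammar once one decryption succeeds.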
Groups observed using it
5 distinct threat actors attributed by public researchers.
Attackers deployed numerous malware families, including HIUPAN, PUBLOAD, EggStremeFuel, MASOL RAT, PoshRAT, TrackBak Stealer, Hypnosis Loader, and FluffyGh0st.
The researchers reported that in 2025, the CL-STA-1048 cluster deployed multiple espionage tools against a Southeast Asian target, including EggStremeFuel, Masol RAT, EggStreme Loader (Gorem RAT), and TrackBak. EggStremeFuel used RC4-encrypted C2 configs to upload/download files and control reverse shells.
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (1 technique)
EggStremeFuel used RC4-encrypted C2 configs to upload/download files and control reverse shells.
Privilege Escalation (1 technique)
Stealth (3 techniques)
...over TCP with obfuscated TLS-like headers... EggStremeFuel used RC4-encrypted C2 configs
We observed alerts originating from a Microsoft Edge process. Our investigation of this alert identified a DLL named mscorsvc.dll being loaded into memory via mscorsvw.exe.
ClaimLoader then uses an XOR key to decrypt an embedded shellcode payload and executes the shellcode... After patching the DLL's host process, Hypnosis loader creates a new thread to decrypt the name of the final payload (bdusersy.dll) with an RC4 key.
Discovery (1 technique)
EggStremeFuel, a lightweight backdoor that's equipped to download/upload files, enumerate files and directories, start or terminate a reverse shell, send the current global IP address, and update the C2 configuration.
Lateral Movement (1 technique)
The backdoor supports the following capabilities: ... Starting or terminating a reverse shell
Command and Control (2 techniques)
Variants of PUBLOAD use either HTTP or TCP for command-and-control (C2) communications. The sample we observed is a variant that uses TCP... Masol RAT... communicates with its C2 servers over HTTP POST... This malware uses Google Remote Procedure Call (gRPC) for C2 communication.
CoolClient could upload and delete files... EggStremeFuel used RC4-encrypted C2 configs to upload/download files
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Malware family used in a 2025 China-linked cyber campaign against a Southeast Asian government to maintain access and support data theft operations.
An espionage tool using RC4-encrypted C2 configurations to upload and download files and control reverse shells.
Lightweight backdoor capable of file transfer, file and directory enumeration, reverse shell control, reporting the current global IP address, and updating C2 configuration.
Lightweight TCP backdoor that stores RC4-encrypted C2 configuration in Cookies.dat, uses RC4-encrypted communications with a session key, and supports file transfer, directory listing, reverse shell control, IP reporting, and C2 configuration updates.