A newly updated variant of the EAGERBEE (a.k.a. Thumtais) malware framework is actively targeting internet service providers (ISPs) and government organizations in the Middle East, bringing sophisticated backdoor capabilities that enable extensive cyber espionage operations.
Enhanced Backdoor Functionalities
This evolved version of EAGERBEE is equipped with multiple modules, allowing attackers to deploy additional payloads, execute command shells, and perform system reconnaissance with increased efficiency.
Attribution and Threat Actors
Kaspersky has assessed with medium confidence that the EAGERBEE malware is linked to a threat group known as CoughingDown. The malware was initially documented by Elastic Security Labs, which attributed it to a state-sponsored espionage group labeled REF5961.
The backdoor supports both forward and reverse command-and-control (C2) connections over SSL, allowing attackers to gather system intelligence and deploy additional malicious executables to deepen the compromise.
Ties to Chinese State-Aligned Cyber Espionage
A later version of EAGERBEE was observed in cyberattacks linked to a Chinese state-aligned threat cluster known as Cluster Alpha. This campaign, codenamed Crimson Palace, was specifically aimed at exfiltrating military and political intelligence from a high-profile government entity in Southeast Asia.
QSC operates as a modular malware framework, where only the initial loader is stored on disk, while the core functionalities remain memory-resident, enhancing its stealth capabilities.
How EAGERBEE Executes Attacks
The latest wave of EAGERBEE attacks leverages an injector DLL to initiate the backdoor module, which subsequently:
Collects system information
Establishes a TCP socket connection to a remote command-and-control (C2) server
Exfiltrates sensitive details
However, the exact initial attack vector remains unclear at this time.
Upon successful infiltration, the server responds with a Plugin Orchestrator, which facilitates:
Gathering system information (e.g., NetBIOS name, memory usage, locale settings)
Monitoring and managing active processes
Deploying and injecting plugins into memory
Unloading and removing plugins as needed
Exploitation of Known Vulnerabilities
Kaspersky has also identified instances of EAGERBEE infections in East Asia, with at least two organizations compromised through ProxyLogon (CVE-2021-26855). Attackers exploited this Microsoft Exchange vulnerability to:
Drop web shells
Execute remote commands on compromised servers
Deploy the backdoor for sustained access
Memory-Resident Malware for Stealthy Attacks
EAGERBEE operates entirely in memory, making it exceptionally difficult to detect using traditional endpoint security solutions.
Final Thoughts: A Persistent and Evolving Threat
The continuous evolution of EAGERBEE, coupled with its modular and memory-resident architecture, indicates that threat actors are actively refining their tactics to evade detection and enhance operational stealth.
Security teams, especially within ISPs, government agencies, and critical infrastructure sectors, must implement advanced threat detection mechanisms, behavioral analytics, and proactive monitoring to defend against these state-sponsored cyber threats.