EggStreme Loader
EggStreme Loader is a multi-layered loader used in a 2025 cyberespionage campaign against a Southeast Asian government organization. Palo Alto Networks Unit 42 reported it as part of the CL-STA-1048 toolset, alongside EggStremeFuel, Masol RAT, Gorem RAT, and TrackBak, in activity that overlaps with China-linked clusters associated with Earth Estries/Salt Typhoon and Crimson Palace. The loader is designed to launch Gorem RAT in memory and is described as providing backdoor access, keylogging, and in-memory payload execution. Unit 42 observed EggStreme Loader on disk at C:\Windows\System32\XblAuthManagers.dll (SHA256 6caa78943939bd7518f5e7eaa44fa778d0db8b822e260d7fe281cf45513f82d9). Supporting reporting states that the Gorem RAT it launched used gRPC for command-and-control and supported a user-mode keylogger. The malware was deployed as part of a broader long-term espionage operation focused on persistent access to, and data theft from, sensitive government networks in Southeast Asia.
Groups observed using it
2 distinct threat actors attributed by public researchers.
The researchers reported that in 2025, the CL-STA-1048 cluster deployed multiple espionage tools against a Southeast Asian target, including EggStremeFuel, Masol RAT, EggStreme Loader (Gorem RAT), and TrackBak.
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Stealth
1 technique: using ClaimLoader to decrypt and execute shellcode in memory... Masol RAT and EggStreme Loader provided backdoor access, keylogging, and in-memory payload execution
Credential Access
1 technique
Collection
1 technique
Command and Control
1 technique: Masol RAT and EggStreme Loader provided backdoor access... FluffyGh0st... enables remote control and plugin-based functionality
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
A loader/RAT used in espionage operations that provides backdoor access, keylogging, and in-memory payload execution.
Multi-layered in-memory loader that uses tools such as DarkLoadLibrary and libpeconv to launch Gorem RAT. It was part of the espionage toolkit observed in the campaign.
Loader used to stage or deliver additional payloads in the intrusion.