EagerBee Backdoor Takes Flight Against Mideast ISPs, Government Targets

An unknown attacker is wielding an updated version of a backdoor malware that was previously deployed against high-profile Southeast Asian organizations in targeted attacks, this time against ISPs and governmental entities in the Middle East.

Researchers at Kaspersky have detected a new variant of the EagerBee backdoor outfitted with various new components in attacks that demonstrate a significant evolution of the malware framework, they revealed in a blog post published today.

EagerBee is primarily designed to operate in memory to enhance its stealth capabilities and help it evade detection by traditional endpoint security solutions, according to Kaspersky. It's also unique in that it obscures its command shell activities by injecting malicious code into legitimate processes that are executed within the context of explorer.exe or the targeted user's session.

"These tactics allow the malware to seamlessly integrate with normal system operations, making it significantly more challenging to identify and analyze," Kaspersky senior security researcher Saurabh Sharma wrote in the post.

A previous variant of the malware was seen in attacks by a a trio of Chinese state-aligned threat clusters, which previously collaborated in Operation Crimson Palace to steal sensitive military and political secrets from a high-profile government organization in Southeast Asia.

Related:Deepfakes, Quantum Attacks Loom Over APAC in 2025

The latest version of EagerBee that was used in the Middle East attacks features several new advanced features, including a novel service injector designed to inject the backdoor into a running service, and a slew of previously undocumented plug-ins that can be deployed after the backdoor's installation.

"These enabled a range of malicious activities such as deploying additional payloads, exploring file systems, executing command shells, and more," Sharma wrote.

Who Are the Cyberattackers Behind EagerBee?

Previous researchers had attributed EagerBee to Chinese threat group Iron Tiger (aka Emissary Panda or APT27), one of numerous groups that often collaborate with other China-backed state-sponsored actors; that tends to make specific attribution of both attacks and malware murky.

Case in point: Kaspersky's latest analysis of the backdoor deployed in the Middle East attributes EagerBee to a different Chinese actor, CoughingDown. That's because there was a creation of services on the same day via the same Web shell to execute EagerBee and the CoughingDown Core Module in one of the attacks researchers analyzed, according to Sharma. Moreover, the researchers observed overlap in the command-and-control (C2) domain used both by EagerBee and the CoughingDown Core Module in the attack.

Related:Middle East Cyberwar Rages On, With No End in Sight

Further evidence discovered in the Middle East attacks linking EagerBee to CoughingDown includes code overlap in a malicious DLL file used in the attack with a multiplug-in malware developed by CoughingDown in late September 2020, according to Sharma. "We assess with medium confidence that the EagerBee backdoor is related to the CoughingDown threat group," he wrote.

EagerBee Backdoor Malware's Advanced Features

The Kaspersky team identified key new plug-in features of EagerBee that are all run by a plug-in orchestrator module to execute commands that perform various malicious activities.

The orchestrator exports a single method responsible for injecting the module into memory and subsequently calling its entry point. In addition to victim-specific data collected by the malware, this plug-in gathers and reports various other information — such as current usage of physical and virtual memory, system locale and time-zone settings, and Windows character encoding — about the infected system to the C2 server.

After transmitting this information, the plug-in orchestrator also reports whether the current process has elevated privileges and then collects details about all running processes on the system. Once the information is sent, the plug-in orchestrator waits for commands to execute, which are carried out by the various backdoor plug-ins.

Related:'Dubai Police' Lures Anchor Wave of UAE Mobile Attacks

These include a file manager plug-in that is responsible for, among other things, renaming, moving, copying, and deleting files; reading and writing files to and from the system; and injecting additional payloads into memory. Another process manager plug-in lists running processes in the system; launches new modules and executes command lines; and terminates existing processes.

Two other plug-ins found in the novel variant include a remote access manager that facilitates and maintains remote connections while also providing command shell access, and a service manager that manages system services, including installing, starting, stopping, deleting, and listing them.

Malware Sophistication Demands Cyber Defender Vigilance

Despite links to CoughingDown, Kaspersky researchers could not determine the initial infection vector for the deployment of EagerBee.

In the previous attacks using the backdoor in Asia, attackers leveraged the now infamous Exchange ProxyLogon flaw as the initial entry point; however, there is no evidence of this in the attacks here, according to Kaspersky. However, the researchers still recommend that defenders promptly patch ProxyLogon to secure their network perimeter, as it "remains a popular exploit method among attackers to gain unauthorized access to Exchange servers," Sharma noted.

Overall, the emergence of a fortified variant of EagerBee in attacks in the Middle East demonstrates how attackers continue to advance malware frameworks in terms of both ability to evade detection and the sheer breadth of malicious functionality they can achieve, demanding that organizations also up their security game, he said.