New EAGERBEE Variant Targets ISPs and Governments with Advanced Backdoor Capabilities

Internet service providers (ISPs) and governmental entities in the Middle East have been targeted using an updated variant of the EAGERBEE malware framework.
The new variant of EAGERBEE (aka Thumtais) comes fitted with various components that allow the backdoor to deploy additional payloads, enumerate file systems, and execute command shells, demonstrating a significant evolution.
"The key plugins can be categorized in terms of their functionality into the following groups: Plugin Orchestrator, File System Manipulation, Remote Access Manager, Process Exploration, Network Connection Listing, and Service Management," Kaspersky researchers Saurabh Sharma and Vasily Berdnikov said in an analysis.
The backdoor has been attributed by the Russian cybersecurity company, with medium confidence, to a threat group called CoughingDown.
EAGERBEE was first documented by Elastic Security Labs, which attributed it to a state-sponsored, espionage-focused intrusion set dubbed REF5961. A "technically straightforward backdoor" with forward and reverse C2 and SSL encryption capabilities, it's designed to conduct basic system enumeration and deliver subsequent executables for post-exploitation.
Subsequently, a variant of the malware was observed in attacks by a Chinese state-aligned threat cluster tracked as Cluster Alpha as part of a broader cyber espionage operation codenamed Crimson Palace with an aim to steal sensitive military and political secrets from a high-profile government organization in Southeast Asia.
Cluster Alpha, per Sophos, overlaps with threat clusters tracked as BackdoorDiplomacy, REF5961, Worok, and TA428. BackdoorDiplomacy, for its part, is known to exhibit tactical similarities with another Chinese-speaking group codenamed CloudComputating (aka Faking Dragon), which has been linked to a multi-plugin malware framework referred to as QSC in attacks targeting the telecom industry in South Asia.
"QSC is a modular framework, of which only the initial loader remains on disk while the core and network modules are always in memory," Kaspersky noted back in November 2024. "Using a plugin-based architecture gives attackers the ability to control which plugin (module) to load in memory on demand depending on the target of interest."
In the latest set of attacks involving EAGERBEE, an injector DLL is designed to launch the backdoor module, which is then used to collect system information and exfiltrate the details to a remote server to which a connection is established via a TCP socket.
The server subsequently responds with a Plugin Orchestrator that, in addition to reporting system-related information to the server (e.g., NetBIOS name of the domain; physical and virtual memory usage; and system locale and time zone settings), harvests details about running processes and awaits further instructions:
- Receive and inject plugins into memory
- Unload a specific plugin from memory, remove the plugin from the list
- Remove all plugins from the list
- Check if the plugin is loaded or not
"All the plugins are responsible for receiving and executing commands from the orchestrator," the researchers said, adding they perform file operations, manage processes, maintain remote connections, manage system services, and list network connections.
Kaspersky said it also observed EAGERBEE being deployed in several organizations in East Asia, with two of them breached using the ProxyLogon vulnerability (CVE-2021-26855) to drop web shells that were then used to execute commands on the servers, ultimately leading to the backdoor deployment.
"Among these is EAGERBEE, a malware framework primarily designed to operate in memory," the researchers pointed out. "This memory-resident architecture enhances its stealth capabilities, helping it evade detection by traditional endpoint security solutions."
"EAGERBEE also obscures its command shell activities by injecting malicious code into legitimate processes. These tactics allow the malware to seamlessly integrate with normal system operations, making it significantly more challenging to identify and analyze."