EagerBee Malware Attacking Government Entities & ISPs To Deploy Backdoor

A sophisticated malware framework dubbed EagerBee is actively targeting government agencies and Internet Service Providers (ISPs).

EagerBee is actively targeting these organizations across the Middle East.

The framework deploys advanced backdoor capabilities through novel technical implementations.

Security analysts at SOCRadar have linked the campaign to the Chinese-aligned CoughingDown threat group (APT27) through C2 infrastructure overlaps and code similarities.

Breakdown of Attack Sequence

The malware employs a multi-stage injection process beginning with the tsvipsrv.dll service injector, which abuses legitimate Windows services through DLL hijacking.

Campaigns (Source – SOCRadar)

Security analysts observed the following attack pattern:

# Timestamp manipulation to evade detection
(Get-Item "C:\users\public\ntusers0.dat").lastwritetime = "01/08/2019 09:57"
attrib.exe +h +s +r "C:\users\public\ntusers0.dat"

The injector targets four Windows services: Themes Service (UXInit), SessionEnv (Remote Desktop Configuration), IKEEXT (IKE/AuthIP Keying Modules), and MSDTC (Distributed Transaction Coordinator).

Through process hollowing, EagerBee deploys its core payload dllloader1x64.dll while maintaining memory residency. The malware implements temporal constraints through a hardcoded execution window check:

0-6:00:23;6:00:23
(Operates Sunday-Saturday from 00:00-23:59 in observed campaigns)

EagerBee’s modular framework utilizes six core plugins managed by ssss.dll:

#include <windows.h>

// Plugin Orchestrator Structure (Simplified)
// One entry per loaded plugin; ssss.dll walks these records to
// initialise, dispatch to, and tear down each module.
struct PLUGIN_STRUCT {
    DWORD   plugin_id;     // numeric identifier used in C2 tasking
    CHAR   *plugin_name;   // pointer to the plugin's name string
    FARPROC init_func;     // called once when the plugin is loaded
    FARPROC exec_func;     // called for each task routed to the plugin
    FARPROC unload_func;   // called before the plugin is removed
};

The six core plugins are the File System Manipulator, Remote Access Manager, Network Enumerator, Service Controller, Process Explorer, and Data Exfiltrator.

Attackers exploited the ProxyLogon vulnerability (CVE-2021-26855) in Microsoft Exchange servers to deploy web shells, with subsequent commands downloading EagerBee components.

The UAE Cyber Security Council advises critical mitigation steps to defend against cyber threats.

Organizations should patch Exchange servers to protect against CVE-2021-26855, actively hunt for modified service DLLs using file system checks, and monitor the Service Control Manager for unexpected configurations, such as unauthorized changes to MSDTC service credentials.

Implementing these measures helps strengthen system security and prevent exploitation by threat actors.
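The following hunt script is an added example, not code from the article or from SOCRadar. It reads the ImagePath and ServiceDll values of the four services named above, flags any binary that is not a Microsoft-signed file under System32, and then looks in C:\users\public for hidden+system files whose last-write time predates their creation time, which is the trace left by the attrib/lastwritetime commands shown earlier. Service names, the staging directory and the signer check are taken from the article; the "Microsoft" subject match and the timestamp heuristic are assumptions.

```powershell
# Added defender example: hunt for hijacked service DLLs and timestomped staging files.
$services = @('Themes', 'SessionEnv', 'IKEEXT', 'MSDTC')   # services named in the report
$svcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-ServiceBinaries {
    param([string]$Name)
    $key   = Join-Path $svcRoot $Name
    $paths = @()
    $img = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
    if ($img) { $paths += $img }
    $dll = (Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { $paths += $dll }
    foreach ($p in $paths) {
        # Drop quotes and svchost arguments, then expand %SystemRoot%-style variables
        $clean = [Environment]::ExpandEnvironmentVariables(
            ($p -replace '^"?([^"]+?\.(dll|exe))"?.*$', '$1'))
        [pscustomobject]@{ Service = $Name; Path = $clean }
    }
}

$sys32 = Join-Path $env:SystemRoot 'System32'
foreach ($svc in $services) {
    foreach ($bin in Get-ServiceBinaries -Name $svc) {
        $sig      = Get-AuthenticodeSignature -FilePath $bin.Path -ErrorAction SilentlyContinue
        $inSys32  = $bin.Path.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase)
        # Assumption: a legitimate service binary is Microsoft-signed (embedded or catalog)
        $msSigned = $sig -and $sig.Status -eq 'Valid' -and
                    $sig.SignerCertificate.Subject -like '*Microsoft*'
        $flag = if ($inSys32 -and $msSigned) { 'ok' } else { 'REVIEW' }
        '{0,-10} {1,-7} {2}' -f $bin.Service, $flag, $bin.Path
    }
}

# Timestomping heuristic (assumption): a hidden+system file in the public profile
# whose LastWriteTime is earlier than its CreationTime matches the pattern above.
Get-ChildItem -Path 'C:\users\public' -Force -File -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
        ($_.Attributes -band [IO.FileAttributes]::System) -and
        $_.LastWriteTime -lt $_.CreationTime
    } |
    Select-Object FullName, CreationTime, LastWriteTime, Attributes
```

Any line marked REVIEW, or any file listed by the second query, warrants a memory capture of the hosting process before the service is touched, since the article notes EagerBee leaves few disk artifacts.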

The campaign has impacted organizations in Saudi Arabia, UAE, and Qatar, with evidence of lateral movement through compromised admin credentials (net use \\TARGET_IP\C$ /user:[REDACTED]).

As of February 2025, no ransomware deployment has been observed, but the backdoor’s capabilities enable full system takeover.

Cybersecurity authorities urge immediate review of service configurations and memory analysis for detection, as EagerBee leaves minimal disk artifacts.

Indicators of Compromise (IoCs)

  • C2 IPs: 45.90.58[.]103, 185.195.237[.]123
  • Payload Hashes: SHA256: a3f2d…redacted (tsvipsrv.dll)
  • Registry Keys: HKLM\SYSTEM\CurrentControlSet\Services\MSDTC\ImagePath


Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.