Introduction:
Cybercriminals are getting smarter, and one group is leading the charge with stealth and precision. The notorious Venom Spider group, also known as Golden Chickens, has escalated its cyber offensive by deploying the dangerous More_Eggs malware. This JavaScript-based backdoor, distributed via Malware-as-a-Service (MaaS), is being used in increasingly deceptive phishing campaigns, primarily targeting HR departments through fake job application emails. The tactics are intricate, the payloads are heavily obfuscated, and traditional antivirus solutions are having a hard time keeping up. Let's explore how this malware operates and why it poses such a dangerous threat to corporate environments.
Deceptive Campaigns and Evasive Tactics: How More_Eggs Infiltrates Organizations
In the latest wave of cyberattacks, the Venom Spider group has been focusing its efforts on HR departments, hiding malicious payloads within emails that mimic genuine job applications. A recent case study involved a ZIP file named Sebastian Hall.zip, which included a decoy image and a malicious LNK (Windows shortcut) file. When clicked, the seemingly harmless file initiates a complex chain of infections that manages to bypass standard security filters.
The shortcut file (Sebastian Hall.lnk) appears to reference a normal Windows process (cmd.exe), but it's cloaked with advanced command-line obfuscation. Using forensic tools like LECmd and Exiftool, researchers have managed to decode the hidden commands embedded within the file. The attack leverages More_Eggs' scripting framework to execute a concealed batch script, which launches Microsoft Word as a distraction while quietly setting the stage for malware deployment.
One clever trick involves creating a fake configuration file (ieuinit.inf) in the user's temporary directory. Although it looks like a standard Windows file, it's filled with encoded instructions and URLs. The malware then copies the legitimate Windows binary ieuinit.exe to the temp directory and runs it with specific commands that help avoid detection. This technique, known as "living off the land," exploits trusted system components to mask malicious activity.
The ultimate goal? To pull in a heavily obfuscated JavaScript file from a command-and-control (C2) server. This script is armed with anti-debugging features and polymorphic code that constantly changes to evade analysis. Once active, the script can scan the system, steal data, or install more malware, turning an unsuspecting HR employee into a gateway for full system compromise.
The More_Eggs malware family has previously been linked to criminal groups like FIN6 and Cobalt Group. These threat actors buy the malware through the MaaS model, making it easier to launch widespread campaigns without developing new tools. The current campaigns rely on a combination of obfuscation, trusted binaries, and deceptive email content, making detection and prevention a significant challenge.
Security experts recommend monitoring for unusual behavior, such as Word launching from cmd.exe, unexplained files in the temp folder, or unexpected activity from system tools like ieuinit.exe. They also emphasize the need for advanced email filters, endpoint monitoring, and user training to recognize suspicious files.
What Undercode Say:
The evolution of malware like More_Eggs is a perfect example of how cybercriminals are not just improving their tools; they're improving their strategy. By combining social engineering with technical precision, groups like Venom Spider are weaponizing trust and routine to bypass even the most vigilant security defenses.
The primary vector, phishing emails disguised as job applications, is especially clever. HR departments are often flooded with resumes, attachments, and candidate documents. Embedding a malicious LNK file in a ZIP alongside a realistic image ensures that curiosity or routine opens the door. It's a digital Trojan horse that rides in on normal business operations.
The heavy reliance on "living off the land" techniques is another red flag for defenders. By using legitimate Windows binaries like ieuinit.exe, attackers can avoid raising suspicion. It blurs the line between normal activity and intrusion. This is especially concerning for companies with limited visibility into endpoint behavior, or those relying on outdated antivirus tools that can't parse obfuscated JavaScript or dynamic payloads.
The modular and polymorphic nature of the More_Eggs payload means that each infection looks slightly different, even though the core mechanics are the same. This reduces the effectiveness of static signatures and increases the need for behavioral detection. Security teams must look at the chain of events: ZIP + LNK + suspicious process execution + temp activity. That's the new signature.
What's most alarming is that this isn't targeted espionage or nation-state action; it's for-profit cybercrime. That means it's scalable. If one campaign works, it can be sold, shared, and replicated across dozens of organizations.
Training users to spot unusual file types, enabling logging and alerting for suspicious process launches, and keeping forensic tools like LECmd on hand will be key in identifying infections early. This isn't just about stopping malware; it's about recognizing the signs of a system being slowly turned into an attacker's playground.
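The behavioural signals named above (Word launched by cmd.exe, ieuinit.exe running from the temp directory) can be correlated rather than alerted on one by one. The following is an added example, not code from the original article or from any vendor, run over constructed Sysmon-style process-creation events with made-up pids and paths:

```python
"""Behavioural checks for the More_Eggs delivery chain described above."""
from collections import defaultdict

# Constructed Sysmon-style process-creation events (not real telemetry).
# pid/ppid link child to parent; the chain is cmd.exe -> WINWORD.EXE (decoy)
# and cmd.exe -> ieuinit.exe copied into the user's temp directory.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 400, "ppid": 200, "image": r"C:\Users\hr\AppData\Local\Temp\ieuinit.exe"},
    # Benign: Word opened from Explorer, and ieuinit.exe run from its real location.
    {"pid": 500, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\ieuinit.exe"},
]

def basename(path):
    """Lower-case file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def in_temp_dir(path):
    """True when the image sits under a user or system temp directory."""
    p = path.lower()
    return "\\appdata\\local\\temp\\" in p or "\\windows\\temp\\" in p

def indicators(events):
    """Return (indicator, pid, parent_pid) tuples for the single-event signals."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else ""
        name = basename(e["image"])
        if name == "winword.exe" and parent_name == "cmd.exe":
            hits.append(("word_from_cmd", e["pid"], e["ppid"]))
        if name == "ieuinit.exe" and in_temp_dir(e["image"]):
            hits.append(("ieuinit_from_temp", e["pid"], e["ppid"]))
    return hits

def correlate(events):
    """Group indicators by the shell that spawned them; a shell showing both
    signals is the chain the article describes, not two unrelated events."""
    per_shell = defaultdict(set)
    for ind, _pid, ppid in indicators(events):
        per_shell[ppid].add(ind)
    return {ppid: sorted(inds) for ppid, inds in per_shell.items()
            if {"word_from_cmd", "ieuinit_from_temp"} <= inds}

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))  # {200: ['ieuinit_from_temp', 'word_from_cmd']}
```

Requiring both signals under the same parent shell keeps the benign Word launch and the genuine System32 ieuinit.exe out of the alert.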
With more employees working remotely and relying heavily on email for communication, organizations are increasingly exposed. Phishing campaigns like this thrive in decentralized environments where security is often an afterthought. Businesses need to invest in proactive detection, rapid incident response, and threat intelligence sharing.
As long as
Fact Checker Results:
Confirmed malware type: JavaScript-based backdoor (More_Eggs)
Confirmed threat actor: verified association with Venom Spider / Golden Chickens
Confirmed delivery method: email phishing using ZIP + LNK file attachments
Prediction:
Given the increasing sophistication of phishing techniques and the success of More_Eggs in bypassing traditional defenses, we anticipate a surge in similar modular malware using the MaaS model. Venom Spider is likely to evolve their payload delivery further, incorporating AI-generated resumes, voice-based phishing, or even deepfake interviews to deceive HR systems. Organizations will need to bolster not just their technical defenses, but their internal education and response mechanisms to keep up with these evolving threats.
References:
Reported By: cyberpress.org