Venom Spider Uses Server-Side Polymorphism to Weave a Web Around Victims
Arctic Wolf Labs discovered a new campaign targeting corporate HR departments with fake resumes that drop a malicious backdoor called More_eggs onto their devices.

May 2, 2025, by Arctic Wolf Labs. Threat Research. 6 min read.

Takeaways

- Arctic Wolf® observed a recent campaign by the financially motivated threat group Venom Spider targeting hiring managers with spear-phishing emails.
- The group abuses legitimate messaging services and job platforms to apply for real jobs using fake malicious resumes that drop a backdoor called More_eggs.
- The backdoor can be used for a wide scope of malicious activities, from credential theft to stealing sensitive customer payment data, intellectual property or trade secrets.
- Our research found several upgrades that the threat actor made to this malware to infect victims more effectively, and to evade automated analysis techniques like sandboxing.
- Organizations should train all employees to recognize the red flags of a phishing attack, particularly those working in departments that must regularly open email attachments as part of their daily job duties, for example, Human Resources.

Summary

As part of our ongoing tracking of the threat actor TA4557 (also known as Venom Spider), the Arctic Wolf® Labs team discovered a new campaign targeting corporate human resources departments and recruiters. The threat group uses phishing techniques to drop an enhanced version of a potent backdoor called More_eggs onto victim devices. The group has historically targeted industry sectors that use online payment portals or e-commerce sites to do business, which in the past has included the retail, entertainment and pharmacy industries. This change is a tactical step up in terms of targeting, as it puts almost every industry and organization in the group’s crosshairs due to the one thing they all have in common: the need to hire new employees.

In this report, we’ll provide a technical analysis of the campaign, indicators of compromise (IOCs), tips for remediation, and activity detection rules to counter this threat.

MITRE ATT&CK® Highlights

Initial Access: T1566.002
Execution: T1204.002, T1059.003, T1059.007
Persistence: T1547.001
Defense Evasion: T1497.003, T1027.010, T1027.013, T1027.014
Command-and-Control: T1105, T1071.001, T1573.001
Discovery: T1518.001, T1016.001

Weaponization and Technical Overview

Weapons: Obfuscated JavaScript files, obfuscated .LNK files, PE x86 DLLs
Attack Vector: Spear-phishing
Network Infrastructure: DDNS

Background

Venom Spider is a financially motivated threat group that has been targeting organizations seeking to fill job vacancies via legitimate third-party sites such as LinkedIn for the last couple of years.
Since the advent of COVID, the group has steadily refined their tactics, techniques and procedures (TTPs) to embrace the online hiring boom, targeting the one department in every company that has to open attachments from unknown senders as an everyday part of their job: Human Resources. Since at least October 2023, the threat group has escalated this campaign to directly target recruiters and HR managers with weaponized phishing links purportedly from job seekers, which in fact lead to malicious websites hosting poisoned downloads disguised as fake resumes.

The payload used in the infection chain of this recent activity is the group’s notorious More_eggs malware, a backdoor capable of harvesting sensitive information and carrying out several additional tasks. We discovered and analyzed a new campaign by Venom Spider aimed at spreading this backdoor. Our researchers found several upgrades that the threat actor made to this malware to infect victims more effectively, and to evade automated analysis techniques like sandboxing.

Key Findings

- Venom Spider continues to use job seekers as a lure targeting HR departments and corporate recruiters in its phishing campaigns.
- These phishing campaigns utilize the modular backdoor known as More_eggs, which generates malicious payloads crafted for execution exclusively on the individual systems under attack. Server polymorphism is used to deliver these payloads to the victim’s system.
- We reveal new functionality that we refer to as the More_eggs_Dropper library. This generates malicious JavaScript code polymorphically, featuring several techniques to evade analysis.

Victimology

Historically, the money-motivated Venom Spider has focused on U.S.-based e-commerce companies or those that use online payment systems, including organizations in industries such as accounting, legal firms, workforce solutions, insurance, energy providers, food suppliers and building suppliers.
More recently, the group has pivoted to target the HR departments of various companies using social engineering techniques such as phishing, for the sake of credential theft and financial gain. The recruiters and hiring managers who work in HR departments are often considered to be the weak point in an organization by attackers, as the very nature of their job means that they must regularly open email attachments (e.g., resumes and cover letters) emailed to them from external and unknown sources, including job candidates and hiring agencies.

Attack Vector

The first stage of execution in this Venom Spider campaign is a spear-phishing email sent directly to the victim corporate recruiter or hiring manager. The message contains a link purportedly for the manager to download the job seeker’s resume from an external site. If the manager clicks the link, they are taken to an actor-controlled website from which the recruiter can download a (decoy) resume. On this site, the human user must check a CAPTCHA box, a precaution that helps the site bypass automatic scanners.

Figure 1: Malicious website offering a fake resume.

If the victim successfully passes the CAPTCHA test, a zip file is downloaded to their device, which the recruiter is led to believe is the candidate’s resume. Instead, the zip file contains a malicious Windows shortcut (.lnk) file as well as an image file. The .lnk file is the payload for the first stage of the attack chain, while the g.jpg image file is just a distraction.

The threat actor’s infrastructure that issues the .lnk file supports server polymorphism. What that means is that a new malicious .lnk file is generated for each individual download, which changes the code obfuscation and file size each time.

Figure 2: Contents of the zip file “Ryan Berardi.zip” (g.jpg and Ryan Berardy.lnk).

The .lnk file contains an obfuscated .bat script, which performs several actions when the .lnk file is opened.
We managed to obtain several LNK files with different file sizes (11500-11900 bytes) that were generated on the server side. These malicious files all had the same functionality, but completely different code obfuscation.

Figure 3: Obfuscated Windows Command Shell script in the downloaded LNK file.

The script creates the file %temp%\ieuinit.inf and writes obfuscated commands to it.

Figure 4: Contents of the ieuinit.inf file.

The script executes the Windows batch file code below:

```batch
@echo off
start "" "%ProgramFiles%\Windows NT\Accessories\wordpad.exe"
echo [version] > "%temp%\ieuinit.inf"
echo Signature=$CHICAGO$ >> "%temp%\ieuinit.inf"
echo [DefaultInstall] >> "%temp%\ieuinit.inf"
cacls "%windir%\system32\ie4uinit.exe" /Y /C /Q
```

When this code is executed, the Microsoft WordPad application is automatically launched in a ploy to distract the user, who is meant to believe the promised resume is being opened. The batch script then covertly launches the legitimate Windows utility %windir%\system32\ie4uinit.exe, which in turn executes the commands from the file ieuinit.inf. As configured, the contents of this .inf file will trigger execution of commands within the malicious %temp%\ieuinit.inf file. This is a living-off-the-land (LOTL) technique that has been around for a while. The essence of this technique is to use a legitimate application – in this case, ie4uinit.exe – to execute commands and run JavaScript code. Venom Spider has been using the technique of running JavaScript code with different variations for a long time.

In this instance, the ieuinit.inf file contains the URL of the next step in the attack chain, hxxp://doefstf[.]ryanberardi[.]com/ikskck. A large and heavily obfuscated JavaScript payload is embedded within the HTML code hosted at this location.

Figure 5: Obfuscated JavaScript code that contains encrypted data (ikskck).
Introducing the More_eggs_Dropper Library

After running the previous stage received from the remote malicious server, the JavaScript code creates an executable library in the following location:

C:\Users\%username%\AppData\Roaming\Adobe\d{5}.dll

In this article, we will refer to this library as More_eggs_Dropper.

SHA-256: F7A405795F11421F0996BE0D0A12DA743CC5AAF65F79E0B063BE6965C8FB8016
MD5: EC103191C61E4C5E55282F4FFB188156
File Name: 38754.dll (the file name is randomly generated)
File Size: 317440 bytes
Compilation Stamp: Tue Apr 08 14:30:58 2025
File Type: x86 PE DLL

More_eggs_Dropper is started on the system with the following command:

regsvr32 /s /n /i:Ferc "C:\Users\%username%\AppData\Roaming\Adobe\d{5}.dll"

The More_eggs_Dropper executable library is complex, utilizing obfuscated code that generates JavaScript code polymorphically. Execution of the library is time-delayed to evade sandboxing and analysis by researchers. When it is executed, it creates several files in the following directories:

C:\Users\%username%\AppData\Roaming\Adobe\d{9}.txt     (JavaScript launcher)
C:\Users\%username%\AppData\Roaming\Adobe\hex{17}.txt  (JavaScript payload)
C:\Users\%username%\AppData\Roaming\Adobe\msxsl.exe

More_eggs_Dropper creates a legitimate Windows msxsl.exe executable to run XML files that may also contain JavaScript code. This technique is known to have been used by Venom Spider in previous campaigns. The second file created by More_eggs_Dropper is a small JavaScript launcher that starts the main payload contained in the JavaScript payload file. After running these scripts, More_eggs_Dropper is quietly removed from the system.

Figure 6: Deobfuscated code of JavaScript launcher.

The JavaScript payload is the main malicious code in this attack chain. The code of this JavaScript is very similar to the loader also used by Venom Spider called TerraLoader. The threat actor improved this loader and added more string obfuscation and code encryption.
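The execution chain described above (cmd.exe writing ieuinit.inf into %temp%, the ie4uinit.exe launch, regsvr32 loading the dropper DLL with /s /n /i:, and msxsl.exe running out of Roaming\Adobe) maps directly onto process-creation telemetry. The Python below is an added example written for this page and is not Arctic Wolf's detection content: the event fields mirror Sysmon Event ID 1 style data, the sample events are constructed, and the parent-process relationship in the ie4uinit rule is an assumption drawn from the description rather than something the article shows.

```python
"""Process-creation rules for the More_eggs execution chain (added example).

Fields mirror Sysmon Event ID 1 (ParentImage, Image, CommandLine).
Sample events are constructed for illustration, not captured telemetry.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


ROAMING_ADOBE = re.compile(r"\\AppData\\Roaming\\Adobe\\", re.IGNORECASE)
TEMP_IEUINIT = re.compile(r"\\Temp\\ieuinit\.inf", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def cmd_writes_ieuinit_inf(ev: ProcEvent) -> bool:
    # Batch stage: cmd.exe echoing the INF into %temp%\ieuinit.inf.
    return _basename(ev.image) == "cmd.exe" and TEMP_IEUINIT.search(ev.command_line) is not None


def ie4uinit_from_cmd(ev: ProcEvent) -> bool:
    # LOTL stage: ie4uinit.exe launched by the batch script. Parent cmd.exe is an
    # assumption based on the article's description of the launch.
    return _basename(ev.image) == "ie4uinit.exe" and _basename(ev.parent_image) == "cmd.exe"


def regsvr32_loads_dropper(ev: ProcEvent) -> bool:
    # regsvr32 /s /n /i:<arg> "<...\AppData\Roaming\Adobe\*.dll>": the dropper launch command.
    cl = ev.command_line.lower()
    return (_basename(ev.image) == "regsvr32.exe"
            and " /n" in cl and " /i:" in cl
            and ROAMING_ADOBE.search(ev.command_line) is not None
            and cl.rstrip('"').endswith(".dll"))


def msxsl_from_roaming_adobe(ev: ProcEvent) -> bool:
    # msxsl.exe is a legitimate tool, but not when it runs out of Roaming\Adobe.
    return _basename(ev.image) == "msxsl.exe" and ROAMING_ADOBE.search(ev.image) is not None


RULES = [
    ("cmd_writes_ieuinit_inf", cmd_writes_ieuinit_inf),
    ("ie4uinit_from_cmd", ie4uinit_from_cmd),
    ("regsvr32_loads_dropper", regsvr32_loads_dropper),
    ("msxsl_from_roaming_adobe", msxsl_from_roaming_adobe),
]


def detect(events):
    """Return, per event, the list of rule names that matched."""
    return [[name for name, rule in RULES if rule(ev)] for ev in events]


# Constructed sample telemetry for one host (user "hr" is a placeholder).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c echo [version] > "C:\Users\hr\AppData\Local\Temp\ieuinit.inf"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\ie4uinit.exe",
              "ie4uinit.exe"),
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32 /s /n /i:Ferc "C:\Users\hr\AppData\Roaming\Adobe\38754.dll"'),
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Users\hr\AppData\Roaming\Adobe\msxsl.exe",
              r'msxsl.exe "C:\Users\hr\AppData\Roaming\Adobe\fCore.txt"'),
    # Benign look-alikes that must not fire:
    ProcEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32 /s "C:\Program Files\Vendor\vendor.dll"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Tools\msxsl.exe",
              r"msxsl.exe data.xml style.xsl"),
]


if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, detect(SAMPLE_EVENTS)):
        print(f"{_basename(ev.image):<14} {hits or '-'}")
```

Each rule is deliberately narrow on the artefacts the article names (the INF path, the /n /i: switch pair with a Roaming\Adobe DLL, msxsl.exe outside a program directory); the four fire in sequence on one host within minutes, which is the correlation worth alerting on rather than any single rule.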
More_eggs_Dropper cleverly generates a new JavaScript payload each time it runs. The JavaScript executed on victim devices is highly obfuscated, and contains two blocks of encrypted data. This data contains the JavaScript code used in the next layer. Decryption of the first JavaScript layer is performed with a hard-coded key (10-20 bytes in size) combined with an additional three bytes, which the script obtains through brute force. The threat actor uses this technique to evade analysis, since finding the last three bytes of the key by brute force typically takes several minutes. The code used for encryption is a variation of RC4.

Payload Decryption

Here is an example of a decryption key for the first encrypted payload:

WJxQNWvJVK866

As previously noted, the last three bytes in this string are obtained through brute force on infected devices. During JavaScript generation, More_eggs_Dropper obtains the computer name and %PROCESSOR_IDENTIFIER%. It then appends this data to the already known key and uses the result as the decryption key for the second-layer payload. For example:

WJxQNWvJVK866Name-PCIntel64 Family 6 Model 142 Stepping 10, GenuineIntel

The technique used to generate this decryption key complicates analysis of this attack, preventing automatic decryption of the payload when executed in a sandbox environment. In practice, it is impossible to obtain the final stage of More_eggs without the encryption keys that are specifically generated for the devices being targeted.

Figure 7: Venom Spider’s JavaScript dropper payload.

During our analysis, we were able to obtain a final payload of More_eggs, which contained new command-and-control (C2) commands to interact with the malicious server.
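To make the two-layer key scheme concrete, here is an added Python example (not code from the article or from the malware). It uses standard RC4 as a stand-in for the RC4 variation mentioned above, constructs its own ciphertext from placeholder JavaScript strings, restricts the brute-forced three-byte suffix to digits so the search finishes instantly, and uses a "plaintext starts with var" plausibility check that is an assumption. It then shows the analyst-side recovery, and why a sandbox with a different computer name and processor identifier decrypts the second layer to garbage.

```python
"""Layered RC4 key derivation described for the More_eggs JavaScript payload.

Added example: plain RC4 stands in for the malware's RC4 variant (assumption),
and all ciphertext below is constructed by encrypting sample strings here.
"""
import itertools
import string


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA); encryption and decryption are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def layer2_key(layer1_key: str, computer_name: str, processor_id: str) -> str:
    """Second-layer key = first-layer key + COMPUTERNAME + PROCESSOR_IDENTIFIER,
    the concatenation shown in the article's example."""
    return layer1_key + computer_name + processor_id


# Keyspace for the three brute-forced bytes. Digits only keeps the demo fast;
# the real search space is larger (the article reports minutes of searching).
SUFFIX_ALPHABET = string.digits


def recover_suffix(prefix: str, ciphertext: bytes, marker: bytes,
                   alphabet: str = SUFFIX_ALPHABET):
    """Reproduce the script's search for the last three key bytes: try every
    suffix and accept the first whose plaintext begins with `marker`
    (the marker check is an assumed plausibility test, not the malware's own)."""
    for combo in itertools.product(alphabet, repeat=3):
        candidate = prefix + "".join(combo)
        if rc4(candidate.encode(), ciphertext).startswith(marker):
            return candidate
    return None


def decrypt_layers(layer1_key, computer_name, processor_id, layer1_ct, layer2_ct):
    """Peel both layers given the full first-layer key and the host identifiers."""
    stage1 = rc4(layer1_key.encode(), layer1_ct)
    stage2 = rc4(layer2_key(layer1_key, computer_name, processor_id).encode(), layer2_ct)
    return stage1, stage2


# --- constructed demo data ---------------------------------------------------
EXAMPLE_KEY = "WJxQNWvJVK866"                    # key string quoted in the article
EXAMPLE_HOST = "Name-PC"                         # COMPUTERNAME from the article's example
EXAMPLE_CPU = "Intel64 Family 6 Model 142 Stepping 10, GenuineIntel"
LAYER1_PLAIN = b"var stage2 = decrypt(blob, key + host + cpu);"   # placeholder JS
LAYER2_PLAIN = b"function hit_Gate(URL, POSTdata, gResponse, method) {}"
LAYER1_CT = rc4(EXAMPLE_KEY.encode(), LAYER1_PLAIN)
LAYER2_CT = rc4(layer2_key(EXAMPLE_KEY, EXAMPLE_HOST, EXAMPLE_CPU).encode(), LAYER2_PLAIN)


def demo():
    """Analyst view: recover the suffix, then decrypt with the real host values
    and with sandbox-style values to show why a generic sandbox gets garbage."""
    full_key = recover_suffix(EXAMPLE_KEY[:-3], LAYER1_CT, b"var ")
    stage1, stage2 = decrypt_layers(full_key, EXAMPLE_HOST, EXAMPLE_CPU, LAYER1_CT, LAYER2_CT)
    sandbox_key = layer2_key(full_key, "SANDBOX-PC", "x86 Family 6 Model 1 Stepping 1, GenuineIntel")
    sandbox_view = rc4(sandbox_key.encode(), LAYER2_CT)
    return full_key, stage1, stage2, sandbox_view


if __name__ == "__main__":
    key, s1, s2, bad = demo()
    print("recovered key:", key)
    print("layer 1:", s1.decode())
    print("layer 2:", s2.decode())
    print("sandbox decrypt usable:", bad == LAYER2_PLAIN)
```

For incident response this means the second layer can only be recovered from the affected machine's own COMPUTERNAME and PROCESSOR_IDENTIFIER (or from a memory capture taken while the script ran), so those two values belong in the evidence collected from any host where the Roaming\Adobe artefacts are found.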
We were also able to identify the C2 configuration used in this campaign:

hxxps://tool[.]municipiodechepo[.]org/id/243149

After launching the More_eggs payload, the backdoor collects information about the victim’s system and sends it to a remote server for further processing by the threat actor:

| Field | Details |
| --- | --- |
| OS Installation Date | Hash converted to hex ASCII. |
| Antivirus (AV) List | AV details are encoded as letters (i.e., a, b, c, etc.). The names of running processes in the system are converted to CRC32 hashes and compared against 53 hashes. Most of these hashes have been recovered; see the Appendix for further details. |
| Username | 0 if invalid. |
| Computer Name | 0 if invalid. |
| OS Version | e.g., 10.0. |
| Product Type | 1 for WinNT, 3 for others. |
| OS Build | Retrieved as Build (e.g., 19045). |
| Architecture | 1 for 64-bit, 0 for 32-bit. |
| Local IP | Local IP address is collected. |
| Bot Version | “BV = 6.7a”, hardcoded in the JavaScript. |

Next, the backdoor waits for a response from the server, establishing a connection every three minutes. The following C2 commands are supported by the backdoor:

| C2 command | Description |
| --- | --- |
| d&exec | Downloads and runs a PE file fetched from a URL provided by the remote server. |
| gtfo | Removes all traces of infection, including files and registry entries. |
| more_onion | Runs the fCore.txt file through msxsl.exe. The fCore.txt file contains additional JavaScript. |
| via_c | Runs cmd.exe with the command received from the remote server. |
| more_time | Records the result of commands executed in cmd.exe, encodes them, and then sends them back to the threat actor’s remote server. |

Based on the C2 commands contained in the backdoor, we assess that threat actors using this backdoor have the ability to run additional JavaScript code or executable files on the victim’s system.

Figure 8: The configuration of the More_eggs bot specified at the beginning of the file.
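The three-minute check-in interval and the defanged indicators quoted in this article can be turned into a simple network-log check. The following Python is an added example, not Arctic Wolf tooling: it refangs the URLs from the article, classifies queried names against them, and flags source/host pairs whose median request interval sits near the three-minute beacon. The log format, the 10 % tolerance, the minimum of three intervals, and every line of the sample log (including the cdn.ryanberardi.com name) are constructed for illustration.

```python
"""Network-side checks for the More_eggs C2 pattern (added example).

Indicators are the defanged URLs quoted in the article; log lines are constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Defanged indicators exactly as printed in the article.
DEFANGED_IOCS = [
    "hxxp://doefstf[.]ryanberardi[.]com/ikskck",
    "hxxp://dtde[.]ryanberardi[.]com",
    "hxxps://tool[.]municipiodechepo[.]org/id/243149",
]
# Registered domains the subdomains above hang off (from the article's domain table).
PARENT_DOMAINS = {"ryanberardi.com", "municipiodechepo.org"}

BEACON_SECONDS = 180          # the article: a check-in every three minutes
BEACON_TOLERANCE = 0.10       # assumed 10 % jitter allowance
MIN_INTERVALS = 3             # assumed minimum evidence before flagging


def refang(ioc: str) -> str:
    """Turn hxxp(s)://a[.]b into a real URL for matching."""
    return ioc.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")


def ioc_hosts(iocs=DEFANGED_IOCS):
    hosts = set()
    for ioc in iocs:
        m = re.match(r"https?://([^/]+)", refang(ioc))
        if m:
            hosts.add(m.group(1).lower())
    return hosts


def classify_host(fqdn: str, hosts, parents=PARENT_DOMAINS):
    """'ioc' for an exact listed host, 'related' for any other name under a
    listed registered domain, None otherwise."""
    fqdn = fqdn.lower().rstrip(".")
    if fqdn in hosts:
        return "ioc"
    if any(fqdn == p or fqdn.endswith("." + p) for p in parents):
        return "related"
    return None


LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")   # "<ISO time> <src ip> <queried host>"


def parse_line(line: str):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3).lower()


def find_beacons(records):
    """Flag (src, host) pairs whose median inter-request gap sits near 180 s."""
    by_pair = defaultdict(list)
    for ts, src, host in records:
        by_pair[(src, host)].append(ts)
    flagged = []
    for pair, times in by_pair.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < MIN_INTERVALS:
            continue
        med = statistics.median(gaps)
        if abs(med - BEACON_SECONDS) <= BEACON_SECONDS * BEACON_TOLERANCE:
            flagged.append((pair[0], pair[1], med))
    return flagged


def analyze(lines):
    records = [r for r in map(parse_line, lines) if r]
    hosts = ioc_hosts()
    ioc_hits = sorted({(src, host, classify_host(host, hosts))
                       for _, src, host in records if classify_host(host, hosts)})
    return {"ioc_hits": ioc_hits, "beacons": find_beacons(records)}


# Constructed DNS-style log: time, source IP, queried name.
SAMPLE_LOG = """
2025-04-28T10:00:00Z 10.1.2.3 tool.municipiodechepo.org
2025-04-28T10:00:05Z 10.1.2.3 www.example.com
2025-04-28T10:03:00Z 10.1.2.3 tool.municipiodechepo.org
2025-04-28T10:06:01Z 10.1.2.3 tool.municipiodechepo.org
2025-04-28T10:09:00Z 10.1.2.3 tool.municipiodechepo.org
2025-04-28T10:12:02Z 10.1.2.3 tool.municipiodechepo.org
2025-04-28T10:20:00Z 10.1.2.4 doefstf.ryanberardi.com
2025-04-28T10:21:00Z 10.1.2.5 cdn.ryanberardi.com
2025-04-28T10:21:30Z 10.1.2.5 www.example.com
2025-04-28T11:40:00Z 10.1.2.5 www.example.com
""".strip().splitlines()

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for src, host, kind in result["ioc_hits"]:
        print(f"{kind:<8} {src} -> {host}")
    for src, host, med in result["beacons"]:
        print(f"beacon   {src} -> {host} (median gap {med:.0f}s)")
```

The "related" tier exists because the article notes the actors reuse previously registered domains and rotate subdomains; a new subdomain of ryanberardi[.]com would miss an exact-match blocklist but still surfaces here. The beacon check is independent of the indicator list, so it also catches a fresh C2 host as long as the three-minute cadence is kept.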
Network Infrastructure

The network infrastructure utilized by Venom Spider has become disparate and well obfuscated in recent years. In previous More_eggs campaigns, the infrastructure could be tracked to some degree by whois information and hosting providers. This current campaign is utilizing cloud-hosted infrastructure and anonymous domain registration. The threat group has taken the time to use multi-level URLs for C2 communication to avoid scanners like Censys and Shodan. The actors, while using domains that were previously registered, also utilize only subdomains to further impede automated tracking efforts.

In the current campaign infrastructure, both municipiodechepo[.]org and ryanberardi[.]com have current registrant organizations of “Domains By Proxy, LLC.” Both domains are hosted on Amazon. While the phishing subdomain is still hosted on the Amazon cloud, the malicious C2 subdomain is hosted on a separate service through GoDaddy, at the IP address 208[.]109[.]231[.]95.

| Domain | Description |
| --- | --- |
| doefstf[.]ryanberardi[.]com | Phishing/Delivery |
| dtde[.]ryanberardi[.]com | Phishing/Delivery |
| tool[.]municipiodechepo[.]org | C2 |

Attack Flow

Figure 9: Venom Spider attack flow.

Remediation

Due to Venom Spider’s use of social engineering, including the targeting of corporate HR and other hiring staff with realistic-looking job application phishing emails and actor-controlled “resume” websites, organizations that make use of third-party job posting websites (including sites like LinkedIn, Indeed.com and similar) should regularly train employees on identifying and countering spear-phishing attacks. Employees who work in vulnerable departments such as HR and Recruitment should receive additional training that teaches them to always be extra wary of attachments that are LNK, ISO, or VBS files. These file types are often sent as zip files to bypass email filters.
Employees should be taught to routinely inspect attachment files by right-clicking the file and selecting “Properties” (on Windows) or “Get Info” (on Mac) before opening them.

In addition, organizations can protect themselves by exercising the following measures:

- Consider the use of Secure Email Gateway solutions to help proactively filter out malicious emails.
- Implement an Endpoint Detection and Response (EDR) solution such as Arctic Wolf® Aurora™ Endpoint Security.
- Ensure all employees throughout the company are aware of good security hygiene practices, including awareness of social engineering.
- Add or enable a phishing report button in your organization’s email solution, to empower employees to immediately report suspected phishing emails to your SOC or IT security team.
- Consider conducting regular internal phishing tests to reinforce security training.
- Block identified command-and-control infrastructure used in this campaign.
- Deploy detection rules for More_eggs components.
- Carefully review logs for indicators of compromise.

How Arctic Wolf Protects its Customers

Arctic Wolf is committed to ending cyber risk with its customers, and when active campaigns are identified we move quickly to protect our customers. Arctic Wolf Labs has leveraged threat intelligence around Venom Spider activity to implement new detections in the Arctic Wolf® Aurora™ Platform to protect customers. As we discover new information, we will enhance our detections to account for additional IOCs and techniques leveraged by this threat actor.

Conclusion

Our recent findings suggest that Venom Spider is using the More_eggs backdoor campaign to target Human Resources departments and is highly focused on the long-term survivability of its campaigns. The threat actor has demonstrated a continued investment in the development and maintenance of its backdoor infrastructure over time.
This is evidenced by the use of sophisticated code obfuscation and code encryption, which improve its stealth and evasiveness against defenders.

Appendix

Indicators of Compromise (IOCs)

| Weapon | MD5 | SHA-256 |
| --- | --- | --- |
| More_eggs_Dropper | ec103191c61e4c5e55282f4ffb188156 | f7a405795f11421f0996be0d0a12da743cc5aaf65f79e0b063be6965c8fb8016 |
| 2nd stage of infection (filename: ikskck.htm) | c16aa3276e4bcbbe212d5182de12c2b7 | bd49b2db669f920d96008047a81e847ba5c2fd12f55cfcc0bb2b11f475cdf76f |
| More_eggs_JS_BackDoor | ebb5fb96bf2d8da2d9f0f6577766b9f1 | 2fef6c59fbf16504db9790fcc6759938e2886148fc8acab84dbd4f1292875c6c |
| More_eggs_JS_BackDoor | 2da2f53ffd9969aa8004d0e1060d2ed1 | 0af266246c905431e9982deab4ad38aaa63d33a725ff7f7675eb23dd75ca4d83 |
| More_Eggs_JS_BackDoor | 17158538b95777541d90754744f41f58 | f873352564a6bd6bd162f07eb9f7a137671054f7ef6e71d89a1398fb237c7a7b |
| More_Eggs_JS_BackDoor | 46f142198eeeadc30c0b4ddfbf0b3ffd | 184788267738dfa09c82462821b1363dbec1191d843da5b7392ee3add19b06fb |
| More_Eggs_JS_BackDoor | b1e8602e283bbbdf52df642dd460a2a2 | ccb05ca9250093479a6a23c0c4d2c587c843974f229929cd3a8acd109424700d |

File Paths:

C:\Users\%username%\AppData\Roaming\Adobe\d{9}.txt
C:\Users\%username%\AppData\Roaming\Adobe\hex{17}.txt
C:\Users\%username%\AppData\Roaming\Adobe\msxsl.exe
C:\Users\%username%\AppData\Roaming\Adobe\d{5}.dll
C:\Users\%username%\AppData\Roaming\Adobe\fCore.txt

Network Indicators:

hxxp://doefstf[.]ryanberardi[.]com/ikskck
hxxp://doefstf[.]ryanberardi[.]com
hxxps://tool[.]municipiodechepo[.]org/id/243149
hxxp://dtde[.]ryanberardi[.]com
hxxp://dtde[.]ryanberardi[.]com/ikskck
hxxps://beta[.]w3[.]org[.]kz/release/info
hxxps://host[.]moresecurity[.]kz/host/info
hxxps://developer[.]master[.]org[.]kz/api/v1
hxxps://ssl[.]gstatic[.]kz/ui/v2
hxxps://report[.]monicabellucci[.]kz/295693495/info
hxxps://cast[.]voxcdn[.]kz/yui/yui-min[.]js
hxxps://blog[.]jasonlees[.]com/latestnews/info
hxxps://contactlistsagregator[.]com/j2378745678674623/ajax[.]php
hxxps://onlinemail[.]kz/version44/info
hxxps://stats[.]wp[.]org[.]kz/license[.]txt
hxxps://api[.]incapdns[.]kz/v1

List of Targeted Antivirus Processes

This section contains a list of processes the More_eggs backdoor looks for on victim devices. CRC32 hashes are given in decimal format, just as they are found in the backdoor. All processes are components of various antivirus applications. The list below shows the names of the processes we were able to decipher from the backdoor.

| Process Name | CRC32 |
| --- | --- |
| vastsvc.exe | 184741780 |
| msmpeng.exe | 4167611121 |
| ns.exe | 3917603449 |
| ccsvchst.exe | 3237881663 |
| mcshield.exe | 800732934 |
| pccntmon.exe | 4056687588 |
| mbamservice.exe | 2432672291 |
| savservice.exe | 2928704260 |
| avguard.exe | 242152363 |
| cmdagent.exe | 3314468719 |
| psanhost.exe | 3103805340 |
| fshoster32.exe | 2447720335 |
| a2service.exe | 3576979024 |
| sbamsvc.exe | 3540381638 |
| nis.exe | 61053860 |
| nst.exe | 332293705 |
| bdss.exe | 1864254150 |
| ekrn.exe | 3233790880 |
| nsbu.exe | 3707949399 |
| wrsa.exe | 1164644511 |
| avp.exe | 1087054291 |
| vsserv.exe | 3457522114 |
| tmntsrv.exe | 2229870333 |
| clamtray.exe | 1570161171 |
| dwengine.exe | 1460978182 |
| avgrsx.exe | 1863628361 |
| gzserv.exe | 2866464079 |
| ifgbxm.exe | 1964687411 |
| mctray.exe | 305523985 |

Detections

YARA Rules

```yara
rule More_eggs_Dropper
{
    meta:
        description = "Rule to detect More_eggs_Dropper"
        last_modified = "2025-04-24"
        author = "The Arctic Wolf Labs team"
        version = "1.0"
        sha256 = "f7a405795f11421f0996be0d0a12da743cc5aaf65f79e0b063be6965c8fb8016"
    strings:
        $a1 = "Authorities32" ascii wide
        $a2 = "Guards128" ascii wide
        $a3 = "Implications256" ascii wide
        $a4 = "Monster32" ascii wide
        $a5 = "Sphere256" ascii wide
    condition:
        uint16(0) == 0x5A4D and filesize < 1MB and all of ($a*)
}

rule More_eggs_JS_BackDoor
{
    meta:
        description = "Rule to detect More_eggs_JavaScript"
        last_modified = "2025-04-24"
        author = "The Arctic Wolf Labs team"
        version = "1.0"
    strings:
        $a1 = "var rcon_max = hit_each * (restart_h * 60) / (hit_each * hit_each);" ascii wide
        $a2 = "function hit_Gate(URL, POSTdata, gResponse, method)" ascii wide
        $a3 = "function dExec(zURL, myKey, xPE, xEntryP)" ascii wide
        $a4 = "var xCrypted = zzzz4(Rkey + keynow, not_unique) + keynow;" ascii wide
        $a5 = "tmp = 3988292384 ^ tmp >>> 1;"
        $a6 = "cNow !== 3377271179 && cNow !== 3106260013 &&"
    condition:
        filesize < 1MB and 2 of ($a*)
}
```

Detailed MITRE ATT&CK® Mapping

| Tactic | Technique | Sub-Technique Name / Context |
| --- | --- | --- |
| Initial Access | T1566.002 | Spear-phishing Link: The user receives a spear-phishing link as an attack vector. |
| Execution | T1204.002 | User Execution – Malicious File: To run the malicious code, the user runs a .lnk file. |
| Execution | T1059.003 | Windows Command Shell: After running the .lnk file, it launches cmd.exe with run commands. |
| Execution | T1059.007 | JavaScript: A threat actor runs a JavaScript execution chain. |
| Persistence | T1547.001 | Registry Run Keys / Startup Folder: By modifying the registry, the threat actor achieves a permanent presence on the system. |
| Defense Evasion | T1497.003 | Time Based Evasion: JavaScript launcher and More_eggs_Dropper use evasion based on meaningless code execution to maximize runtime. |
| Defense Evasion | T1027.010 | Command Obfuscation: All malicious JavaScript files use command obfuscation. |
| Defense Evasion | T1027.013 | Encrypted/Encoded File: More_eggs_Dropper encrypts part of the code during payload generation using one of the RC4 encryption types. JavaScript launcher uses one of the RC4 encryption types to decrypt JavaScript code at runtime. |
| Defense Evasion | T1027.014 | Polymorphic Code: More_eggs_Dropper generates polymorphic JavaScript launcher code. Each time it is generated, the code will always be different in size and is modified. In addition to this, each time the first stage of the .lnk file is loaded, the code will also be modified on a case-by-case basis. |
| Command-and-Control | T1105 | Ingress Tool Transfer: The threat actor transfers additional tools to the compromised system, such as JavaScript and executable files. |
| Command-and-Control | T1071.001 | Web Protocols: The threat actor uses Web Protocols to communicate with the victim system. |
| Command-and-Control | T1573.001 | Symmetric Cryptography: The More_eggs Backdoor uses the RC4 symmetric encryption algorithm to encrypt data before sending it. The encryption key is hardcoded in the code. |
| Discovery | T1518.001 | Security Software Discovery: More_eggs looks for security program processes on the victim’s system, and sends that information to the threat agent’s server. |
| Discovery | T1016.001 | Internet Connection Discovery: More_eggs periodically connects to a neutral website to determine whether the compromised system is connected to the internet or not. |

About Arctic Wolf Labs

Arctic Wolf Labs is a group of elite security researchers, data scientists, and security development engineers who explore security topics to deliver cutting-edge threat research on new and emerging adversaries, develop and refine advanced threat detection models with artificial intelligence and machine learning, and drive continuous improvement in the speed, scale, and detection efficacy of Arctic Wolf’s solution offerings. Arctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s customer base, but the security community at large.
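The appendix's process list gives the backdoor's security-software checks as decimal CRC32 values, and the YARA string `tmp = 3988292384 ^ tmp >>> 1;` is the reflected CRC-32 polynomial 0xEDB88320 written in decimal, the same polynomial zlib.crc32 uses. The Python below is an added example (not from the article or from Arctic Wolf) for resolving such decimal values against candidate process names collected from your own endpoints, for instance to identify the hashes the article could not decipher. Because the article does not say which case normalisation or final XOR the backdoor applies, several variants are tried; the name/hash pairs in ARTICLE_PAIRS are copied from the table above and the hash in the usage example is constructed.

```python
"""Resolve the backdoor's decimal CRC32 process hashes against candidate names.

Added example. The YARA constant 3988292384 is 0xEDB88320, the reflected CRC-32
polynomial zlib uses, so zlib.crc32 can reproduce the checks; the case handling
and final XOR the backdoor applies are not stated, so several variants are tried.
"""
import zlib


def crc32_variants(name: str):
    """Yield (variant, crc) for the normalisations worth trying."""
    raw = name.encode()
    yield "as-is", zlib.crc32(raw) & 0xFFFFFFFF
    yield "lower", zlib.crc32(raw.lower()) & 0xFFFFFFFF
    yield "upper", zlib.crc32(raw.upper()) & 0xFFFFFFFF
    yield "lower-no-final-xor", (zlib.crc32(raw.lower()) ^ 0xFFFFFFFF) & 0xFFFFFFFF


def crc32_of(name: str, variant: str = "lower") -> int:
    """Convenience accessor for one variant."""
    return dict(crc32_variants(name))[variant]


def resolve(candidates, targets):
    """Map each target hash found to the (candidate name, variant) that produced it."""
    targets = set(int(t) for t in targets)
    found = {}
    for name in candidates:
        for variant, crc in crc32_variants(name):
            if crc in targets and crc not in found:
                found[crc] = (name, variant)
    return found


# A few name/hash pairs copied from the article's process table.
ARTICLE_PAIRS = {
    "msmpeng.exe": 4167611121,
    "mbamservice.exe": 2432672291,
    "avp.exe": 1087054291,
    "ekrn.exe": 3233790880,
}


def variants_reproducing(pairs=ARTICLE_PAIRS):
    """Which normalisation(s) reproduce every listed value; empty set if none do."""
    common = None
    for name, value in pairs.items():
        hits = {variant for variant, crc in crc32_variants(name) if crc == value}
        common = hits if common is None else common & hits
    return common or set()


if __name__ == "__main__":
    print("variants matching the article's table:", variants_reproducing() or "none")
    # Usage: pair the hash list with process names seen on your own endpoints
    # (constructed list below) and see which names the backdoor is checking for.
    seen = ["MsMpEng.exe", "svchost.exe", "explorer.exe", "ekrn.exe"]
    for crc, (name, variant) in resolve(seen, ARTICLE_PAIRS.values()).items():
        print(f"{crc:>10}  {name:<18} ({variant})")
```

Run variants_reproducing() first: if it reports a single variant, feed that variant's output for the full 53-hash list together with the process inventory of your endpoints into resolve() to recover the remaining names. If it reports none, the backdoor's CRC routine differs from plain zlib in initial value or final XOR and the JavaScript itself needs to be read.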