{
	"id": "fca409c5-0271-4383-851c-36745378060d",
	"created_at": "2026-04-10T03:21:13.927939Z",
	"updated_at": "2026-04-10T03:22:16.960018Z",
	"deleted_at": null,
	"sha1_hash": "05dd5d9253a688a074d603b271d90766c2b2d91d",
	"title": "More_eggs Malware Disguised as Resumes Targets Recruiters in Phishing Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 490649,
	"plain_text": "More_eggs Malware Disguised as Resumes Targets Recruiters in\r\nPhishing Attack\r\nBy The Hacker News\r\nPublished: 2024-06-10 · Archived: 2026-04-10 02:17:37 UTC\r\nCybersecurity researchers have spotted a phishing attack distributing the More_eggs malware by masquerading it\r\nas a resume, a technique originally detected more than two years ago.\r\nThe attack, which was unsuccessful, targeted an unnamed company in the industrial services industry in May\r\n2024, Canadian cybersecurity firm eSentire disclosed last week.\r\n\"Specifically, the targeted individual was a recruiter that was deceived by the threat actor into thinking they were a\r\njob applicant and lured them to their website to download the loader,\" it said.\r\nMore_eggs, believed to be the work of a threat actor known as the Golden Chickens (aka Venom Spider), is a\r\nmodular backdoor that's capable of harvesting sensitive information. It's offered to other criminal actors under a\r\nMalware-as-a-Service (MaaS) model.\r\nLast year, eSentire unmasked the real-world identities of two individuals – Chuck from Montreal and Jack – who\r\nare said to be running the operation.\r\nThe latest attack chain entails the malicious actors responding to LinkedIn job postings with a link to a fake\r\nresume download site that results in the download of a malicious Windows Shortcut file (LNK).\r\nhttps://thehackernews.com/2024/06/moreeggs-malware-disguised-as-resumes.html\r\nPage 1 of 4\n\nIt's worth noting that previous More_eggs activity has targeted professionals on LinkedIn with weaponized job\r\noffers to trick them into downloading the malware.\r\n\"Navigating to the same URL days later results in the individual's resume in plain HTML, with no indication of a\r\nredirect or download,\" eSentire noted.\r\nThe LNK file is then used to retrieve a malicious DLL by leveraging a legitimate Microsoft program called\r\nie4uinit.exe, after which the library is executed using regsvr32.exe to establish 
persistence, gather data about the\r\ninfected host, and drop additional payloads, including the JavaScript-based More_eggs backdoor.\r\n\"More_eggs campaigns are still active and their operators continue to use social engineering tactics such as posing\r\nto be job applicants who are looking to apply for a particular role, and luring victims (specifically recruiters) to\r\ndownload their malware,\" eSentire said.\r\n\"Additionally, campaigns like more_eggs, which use the MaaS offering appear to be sparse and selective in\r\ncomparison to typical malspam distribution networks.\"\r\nThe development comes as the cybersecurity firm also revealed details of a drive-by download campaign that\r\nemploys fake websites for the KMSPico Windows activator tool to distribute Vidar Stealer.\r\n\"The kmspico[.]ws site is hosted behind Cloudflare Turnstile and requires human input (entering a code) to\r\ndownload the final ZIP package,\" eSentire noted. \"These steps are unusual for a legitimate application download\r\npage and are done to hide the page and final payload from automated web crawlers.\"\r\nSimilar social engineering campaigns have also set up lookalike sites impersonating legitimate software like\r\nAdvanced IP Scanner to deploy Cobalt Strike, Trustwave SpiderLabs said last week.\r\nIt also follows the emergence of a new phishing kit called V3B that has been put to use to single out banking\r\ncustomers in the European Union with the goal of stealing credentials and one-time passwords (OTPs).\r\nThe kit, offered for $130-$450 per month through a Phishing-as-a-Service (PhaaS) model on the dark web and a\r\ndedicated Telegram channel, is said to have been active since March 2023. 
It's designed to support over 54 banks\r\nlocated in Austria, Belgium, Finland, France, Germany, Greece, Ireland, Italy, Luxembourg, and the Netherlands.\r\nThe most important aspect of V3B is that it features customized and localized templates to mimic various\r\nauthentication and verification processes common to online banking and e-commerce systems in the region.\r\nIt also comes with advanced capabilities to interact with victims in real-time and get their OTP and PhotoTAN\r\ncodes, as well as execute a QR code login jacking (aka QRLJacking) attack on services such as WhatsApp that\r\nallow sign-in via QR codes.\r\n\"They have since built a client base focused on targeting European financial institutions,\" Resecurity said.\r\n\"Currently, it is estimated that hundreds of cybercriminals are using this kit to commit fraud, leaving victims with\r\nempty bank accounts.\"\r\nSource: https://thehackernews.com/2024/06/moreeggs-malware-disguised-as-resumes.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thehackernews.com/2024/06/moreeggs-malware-disguised-as-resumes.html"
	],
	"report_names": [
		"moreeggs-malware-disguised-as-resumes.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775791273,
	"ts_updated_at": 1775791336,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/05dd5d9253a688a074d603b271d90766c2b2d91d.pdf",
		"text": "https://archive.orkl.eu/05dd5d9253a688a074d603b271d90766c2b2d91d.txt",
		"img": "https://archive.orkl.eu/05dd5d9253a688a074d603b271d90766c2b2d91d.jpg"
	}
}