{
	"id": "2ada64fc-c2bd-4d68-b22a-4d7b0c09c7e3",
	"created_at": "2026-04-06T00:17:58.500568Z",
	"updated_at": "2026-04-10T13:12:51.447033Z",
	"deleted_at": null,
	"sha1_hash": "18fd1812318e184807eb15bc8e971217a1fc0ab6",
	"title": "Golden Chickens: Uncovering a Malware-as-a-Service (MaaS) Provider",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 422853,
	"plain_text": "Golden Chickens: Uncovering a Malware-as-a-Service (MaaS) Provider\r\nBy QuoINT\r\nPublished: 2018-11-29 · Archived: 2026-04-05 22:39:02 UTC\r\n(Note: This article was initially written by the QuoINT Team as part of QuoScient GmbH. Since the foundation of QuoIntelligence in March 2020, this article was transferred to this website on 21 April 2020.)\r\nExecutive Summary\r\nOver the last few years, QuoIntelligence (QuoINT) has tracked activities attributed to the Cobalt group, and observed their notable evolution and continuously improving Tactics, Techniques, and Procedures (TTPs). Since September 2018, we have identified multiple attacks that share similar TTPs used by Cobalt during a specific timeframe but exhibit enough differences to attribute them to separate threat actors. This blog post provides an overview of a specific Malware-as-a-Service (MaaS) used within the e-Crime threat actor landscape. It also provides details on two different threat actors using the MaaS that fall under the umbrella of a family we dubbed Golden Chickens: GC01 and GC02. The success of Golden Chickens (GC) operations heavily relies on a specific MaaS sold in underground forums, which provides customers with the malware and the infrastructure they need for targeted attacks. The service owner provides the MaaS through the use of the following toolkits: the Venom and Taurus building kits for crafting the documents used to deliver the attack, and the more_eggs (aka Terra Loader, SpicyOmelette) backdoor for taking full control of the infected computer.\r\nBetween November 2017 and July 2018, we attributed to GC02 five spear phishing waves which indiscriminately targeted companies and organizations in at least India and the United States. 
As a result of using the same MaaS provider, GC02 and Cobalt group’s TTPs and infrastructure strongly overlapped in May 2018, making it hard at first glance to differentiate the two threat actors.\r\nBetween August and October 2018, we attributed to GC01 nine spear phishing waves targeting multiple companies and organizations operating in the financial industry. Throughout the campaign, we observed the installation of multiple Remote Access Tool (RAT) variations as the result of a successfully compromised victim machine.\r\nBy highlighting the multi-layer infrastructure adopted by Cobalt and Golden Chickens, as well as the multi-client business model of the MaaS behind it, we emphasize the difficulty of performing reliable attribution for cyberattacks, and the high uncertainty that analysts are confronted with during the process. To note, other researchers reported the same Indicators of Compromise (IoC) and C2 infrastructure covered in this blog post. We hope that our attribution will clarify the current threat landscape and make the covered threat actor profiles more accurate.\r\nhttps://quointelligence.eu/2018/11/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using/\r\nPage 1 of 12\n\nThe following blog post is a preview of the Intelligence Assessment we will disseminate to our clients, partners, and vetted requesters.\r\nIntroduction\r\nCyber attribution is becoming increasingly challenging as threat actors frequently use false flag techniques and shared infrastructure to increase the resiliency of their operations against takedowns and law enforcement investigations. Especially for e-Crime actors, it is a common practice to rent the same bulletproof infrastructure or botnet used by other e-Crime groups, increasing the likelihood of an overlap of C2 servers. 
In the last few years, we have noted a tendency of threat actors to outsource even more parts of the kill chain to third parties by using or offering MaaS solutions. Figure 1 shows an example of such a network where multiple stakeholders are involved.\r\nFigure 1 — Example of attribution complexity\r\nA threat actor can buy several malware families from multiple developers, rent the C2 infrastructure from various providers, and deliver the attack vector to victims through yet another provider. This compartmentalized business relationship guarantees the threat actor an elevated level of privacy and deniability, since the involved stakeholders rarely know the full scale of the operation. On the other hand, providers offering MaaS solutions simplify the entire process through one-stop-shop offerings, where a single entity sells and rents both the malware and the infrastructure needed for an attack.\r\nWhen profiling e-Crime threat actors, we always consider the hypothesis that the malware and C2 infrastructure we are analyzing do not belong to the threat actor per se, but rather to the MaaS provider they use. When we confirm the use of a MaaS, the attribution process focuses on how and when threat actors used it, and whom they targeted. By using such an approach, we were able to differentiate past spear phishing campaigns mistakenly attributed to the Cobalt group and characterize two distinct threat actors — GC01 and GC02 — and the MaaS used by them to carry out their attacks.\r\nGolden Chickens’ MaaS\r\nFrom November 2017 to October 2018, we attributed 14 campaigns to the Golden Chickens (GC) threat actors that used a specific MaaS provider (hereinafter “the Provider”) offered by a known individual (hereinafter “the Provider Operator”). 
The following section explains the operational model of the Provider, and the toolkits used to deliver the requested service to paying customers.\r\nOperational workflow\r\nA typical business case between a threat actor and the Provider is shown in Figure 2 and detailed below.\r\nFigure 2 – The Provider operational workflow\r\n1. Threat actors buy the service offered and then give the Provider Operator the final payload to be executed on the infected machine. Since we have observed the same threat actor using the Provider to different extents, we assess that the Provider Operator’s offering is modular.\r\n2. The Provider Operator builds the malicious document (maldoc) and the backdoor, and prepares the server infrastructure needed for the execution of the attack. Next, the backdoor is stored on a web server and its full URL is embedded into the maldoc. Lastly, the C2 panel that the backdoor will beacon to is set up.\r\n3. The Provider returns the maldoc to the threat actor. Although not confirmed, the Provider Operator also likely delivers the access details for the backdoor’s C2 web panel.\r\n4. The threat actor disseminates the maldoc via spear phishing (directly or through the use of a botnet).\r\n5. Once the maldoc is executed on a victim’s machine, it retrieves and executes the backdoor from the hardcoded web location.\r\n6. The backdoor beacons to the hardcoded C2 on a regular basis and executes the commands it receives.\r\n7. Finally, the threat actor (or the Provider) reviews the system details of the infected machine reported by the backdoor, and eventually deploys the final payload.\r\nBuilding Kits Used\r\nThe Provider relies on the use of specific malicious artifacts advertised in the underground since 2017. 
Those artifacts are generated by three building kits and offered to paying customers together with the supporting C2 infrastructure.\r\nVenomKit. VenomKit is a tool that threat actors can use to craft malicious Rich Text Format (RTF) documents that exploit multiple vulnerabilities, including CVE-2017-11882, CVE-2018-0802, and CVE-2018-8174. Successful exploitation leads to batch and scriptlet files being dropped and executed in order to download the second stage payload from a web resource. The AV detection rate for RTF documents generated by VenomKit is moderate to high due to the exploitation of known vulnerabilities.\r\nTaurus Builder Kit. The Taurus Builder Kit generates Microsoft Word documents weaponized with malicious Visual Basic for Applications (VBA) macro code. Unlike the malicious RTFs created by VenomKit, the weaponized Word documents require user interaction in order to enable the contained malicious code. On the other hand, documents generated by this kit are more resilient to AV detection due to the use of multiple layers of obfuscation in the VBA code. Once the VBA code is enabled by the user, documents created by the Taurus Builder Kit download and execute additional malware by using multiple legitimate Windows tools in order to bypass AppLocker.\r\nMore_Eggs Backdoor. More_eggs is a JavaScript (JS) backdoor capable of beaconing to a fixed C2 server and executing additional payloads downloaded from an external web resource. The backdoor is delivered encrypted inside another JavaScript file, with changing function names, variable names, and encryption keys. Overall, this technique allows the Provider Operator to guarantee its clients a low AV detection rate. The more_eggs building kit allows customization of multiple variables, for values such as the C2 server, beaconing and sleeping time, and part of the cryptographic key used for ciphering the C2 communications. 
Figure 3 shows an example of a more_eggs configuration that includes the version number (BV), the C2 address (Gate), and part of the ciphering key used to encrypt C2 communications (Rkey).\r\nFigure 3 – Excerpt of more_eggs backdoor configured variables\r\nThreat actors can ask for the customization of the backdoor by requesting the addition of specific variables or entire functionalities. For instance, more_eggs samples attributed to GC02 contained the extra variable Researchers, unlike the ones attributed to GC01 or the Cobalt Group.\r\nAlthough not confirmed, it is reasonable to assume that multiple more_eggs samples used by different threat actors cannot share the same Gate value, because the backend would otherwise be unable to tell which C2 communications belong to which threat actor using the infrastructure. However, the same C2 server can host multiple gates by using different web pages; hence, multiple threat actors might use distinct gates hosted on the same domain name. Additionally, the Rkey variable can be considered as randomly generated every time a new sample is created for a customer (i.e., the relationship between the threat actor and the Rkey used is likely 1:1). Due to this consideration, we used the Rkey variable when clustering attacks together and attributing them to a specific threat actor.\r\nThe Provider Operator demonstrates notable effort in keeping the more_eggs backdoor updated by fixing bugs and adding new features: in the last year alone, we observed six different versions in use, from 2.0 to the most recent version 5.4. 
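The Rkey-based clustering just described, written out as an added Python example; this is not code from the report, from the Provider's kit, or from QuoINT. It assumes an analyst has already lifted the BV, Gate and Rkey values out of each sample (the configuration format itself is not reproduced here, so no parser is attempted). The sample labels, Rkey strings and gate paths below are constructed for the example; only the hostnames come from the C2 list at the end of this report. Beyond the text, the example also reports the two relationships that matter when reviewing a cluster: hosts that serve gates for more than one Rkey (expected, since one C2 server can host several gates) and a single Gate seen with more than one Rkey (which contradicts the 1:1 assumption and means those samples need a second look before being attributed separately).

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed input: configuration values lifted from hypothetical more_eggs
# samples. Sample labels, Rkey values and gate paths are made up for this
# example; only the hostnames come from the C2 list in the report.
SAMPLES = [
    {'sha256': 'sample-01', 'BV': '5.2', 'Gate': 'hxxps://api.outlook[.]kz/gate-a/', 'Rkey': 'RK-0001'},
    {'sha256': 'sample-02', 'BV': '5.4', 'Gate': 'hxxps://api.outlook[.]kz/gate-a/', 'Rkey': 'RK-0001'},
    # same customer after a self-update: newer BV and a new Gate, same Rkey
    {'sha256': 'sample-03', 'BV': '5.4', 'Gate': 'hxxps://nl.web-cdn[.]kz/gate-a/', 'Rkey': 'RK-0001'},
    # a second customer whose gate lives on the same host as the first one
    {'sha256': 'sample-04', 'BV': '4.4', 'Gate': 'hxxps://api.outlook[.]kz/gate-b/', 'Rkey': 'RK-0002'},
    {'sha256': 'sample-05', 'BV': '2.0', 'Gate': 'hxxps://api.toshiba.org[.]kz/gate-c/', 'Rkey': 'RK-0003'},
    # anomaly: the same Gate as sample-05 but a different Rkey
    {'sha256': 'sample-06', 'BV': '2.0', 'Gate': 'hxxps://api.toshiba.org[.]kz/gate-c/', 'Rkey': 'RK-0004'},
]


def refang(url):
    # Turn the defanged notation used in the IoC list back into a parseable URL.
    return url.replace('[.]', '.').replace('hxxp', 'http')


def gate_host(gate):
    return urlsplit(refang(gate)).hostname


def version_key(bv):
    # Sort versions numerically so that 10.0 sorts after 5.4.
    return tuple(int(part) for part in bv.split('.'))


def cluster_by_rkey(samples):
    # One Rkey per customer (1:1 assumption): group samples on it.
    clusters = defaultdict(list)
    for sample in samples:
        clusters[sample['Rkey']].append(sample)
    return dict(clusters)


def cluster_summary(cluster):
    # Versions and gates seen inside one Rkey cluster; several of each is
    # expected, since the backdoor can update both BV and Gate in place.
    versions = sorted({s['BV'] for s in cluster}, key=version_key)
    gates = sorted({refang(s['Gate']) for s in cluster})
    return {'versions': versions, 'gates': gates}


def hosts_shared_between_clusters(samples):
    # Hosts serving gates for more than one Rkey: the same C2 server hosting
    # gates for distinct customers (expected, not an anomaly by itself).
    rkeys_per_host = defaultdict(set)
    for sample in samples:
        rkeys_per_host[gate_host(sample['Gate'])].add(sample['Rkey'])
    return {h: r for h, r in rkeys_per_host.items() if len(r) > 1}


def gates_shared_between_clusters(samples):
    # A single Gate used by more than one Rkey contradicts the 1:1 assumption;
    # such samples should be re-examined before attributing them separately.
    rkeys_per_gate = defaultdict(set)
    for sample in samples:
        rkeys_per_gate[refang(sample['Gate'])].add(sample['Rkey'])
    return {g: r for g, r in rkeys_per_gate.items() if len(r) > 1}


if __name__ == '__main__':
    clusters = cluster_by_rkey(SAMPLES)
    for rkey, cluster in clusters.items():
        print(rkey, len(cluster), cluster_summary(cluster))
    print('shared hosts:', hosts_shared_between_clusters(SAMPLES))
    print('shared gates:', gates_shared_between_clusters(SAMPLES))
```

Run on the constructed input, RK-0001 collects three samples across two versions and two gates, api.outlook.kz shows up as a host shared by two customers, and the gate on api.toshiba.org.kz is flagged because two different Rkeys beacon to it.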
Notably, more_eggs backdoors are also capable of automatically updating themselves to the latest version, and even of updating the configured Gate variable.\r\nThreat Activity Analysis\r\nThe following section highlights the operations and TTPs of three distinct threat actors that have used the Provider in the last year: the Cobalt Group, GC01 and GC02.\r\nTimeline analysis\r\nFigure 4 represents the multiple spear phishing campaigns we have attributed to either Cobalt[1] or the Golden Chickens (GC) family during the last year. While all GC campaigns used the Provider, only those attributed to Cobalt in May, June, and on 2 August used the Provider. QuoINT determines the level of confidence based on both the reliability of the information processed and the extent of the analytic techniques adopted during the analysis.\r\nOur analysis distinguished three different threat actors based on the following factors:\r\n1. Targeting. Which types of companies the threat actors targeted.\r\n2. Use of the MaaS. How the Provider was used, to what extent, and the configuration requested.\r\n3. Final Payload. What final payload the MaaS delivered.\r\n4. Time of attack. When the threat actor used the Provider.\r\nFigure 4 — Timeline analysis of attacks conducted by GC family and Cobalt Group\r\nIn May 2018, Cobalt executed three different spear phishing campaigns in between two GC02 campaigns. The attacks leveraged the same Provider, since they used maldocs generated by either VenomKit or Taurus Builder Kit, more_eggs, and the Provider’s C2 infrastructure. 
However, as also highlighted by other researchers, the attacks presented key differences based on (a) the targeting, (b) the attack vector, and (c) the more_eggs configuration. Figure 4 also shows that the Cobalt group ceased to use the Provider after the campaign on 2 August, and then consistently used different malware and infrastructure.\r\nTactics, Techniques, and Procedures\r\nFigure 5 details the TTPs we observed during all the attacks that leveraged the Provider.\r\nFigure 5 — Cobalt and GC campaigns using the Provider\r\n1. Delivery. Each campaign began with a spear phishing email, but each presented differences depending on the threat actor behind the attack:\r\nGC threat actors used either compromised or spoofed email addresses. Furthermore, GC01 targeted companies and organizations operating in the financial industry, mainly in Europe, Africa, and Asia. By contrast, GC02 indiscriminately targeted companies and organizations in at least India and the United States.\r\nCobalt also used compromised addresses, but only in three attacks. The other 12 spear phishing emails were sent from domain names previously registered by them, imitating a specific organization. Registration of look-alike domains is a common technique used by the Cobalt Group. Lastly, all Cobalt campaigns targeted financial institutions and organizations, mainly in Europe, Asia and the Middle East.\r\n2. Exploitation I (Optional). Both the GC actors and Cobalt used a non-malicious PDF, luring the user to click on the contained link in order to download the maldoc. The attackers used a technique known as Google Redirector, which consists of appending the malicious URL to the end of a Google logout URL (the continue parameter of appengine[.]google[.]com/_ah/logout in the IoCs below). 
By doing this, the user will first visit the legitimate Google logout page and then automatically be redirected to the final URL, triggering the download of the malicious document. Because the first hop is a genuine Google page, URL filtering that only looks at the domain of the link itself will not stop it; the redirect target has to be extracted from the continue parameter and assessed on its own.\r\nGC01 always used this technique. GC02 used this technique in all but one campaign (10 July), which is one reason why we assessed that attribution with low confidence.\r\nCobalt only used this technique two times, during the campaigns of 7 and 29 June.\r\nIt is not clear to us whether the Provider Operator offers the non-malicious PDF (with the Google Redirector technique) directly or recommends the use of a third-party kit. To note, we are aware of attacks in the wild using this technique without relying on the Provider at all.\r\n3. Exploitation II — Getting the Maldoc. The user downloads either a macro-weaponized Word document created by Taurus Builder Kit, or a malicious RTF created by VenomKit. Successful execution of the maldoc initiates the download of additional batch scripts and then the final download of the more_eggs backdoor.\r\nGC01 and GC02 used newer more_eggs versions: 3.0, 4.2, 4.4, 5.2 and 5.4. GC02 used the variable Researchers assigned the value “We are not cobalt gang, stop associating us with such skids!”.\r\nCobalt Group only used more_eggs version 2.0, which has a specific command named via_x. This command is used to execute additional executables via cmd.exe. For those campaigns that did not use the non-malicious PDF attack vector, the victims received the maldoc either by browsing a link included in the email body, or directly as the email attachment.\r\n4. C2 I — Getting the Backdoor. The maldoc retrieves more_eggs from a remote location and executes it. Next, the backdoor starts beaconing to the C2 defined in the Gate variable.\r\n5. C2 II — Getting the Final Payload. 
Once the threat actor (or the Provider Operator) determines that the infected system is of interest, the final payload is eventually pushed and executed. To note, we were not always able to obtain the final payload because the more_eggs C2 normally has a short lifetime. However, we were able to observe the following payloads being distributed by the different threat actors:\r\nCampaigns attributed to GC01 resulted in the download of three different RATs: Netwire, Remcos, and Revenge.\r\nCampaigns attributed to Cobalt Group resulted in the download of either the CobInt backdoor or the Cobalt Strike beacon. So far, CobInt is a backdoor that has only been observed in Cobalt Group campaigns, while Cobalt Strike is a well-known attack framework used to execute Red Team exercises. We consider the use of CobInt and Cobalt Strike as a final payload a strong indicator when attributing attacks to the Cobalt Group.\r\nConclusion\r\nIn general, the continued adoption of MaaS by threat actors plays two roles in the cyber threat landscape: (a) it enables less sophisticated actors to execute attack campaigns against high value targets, which may otherwise be out of reach due to potentially multi-layer perimeter defenses, and (b) it creates a cluster of technical indicators from the same infrastructure that complicates attribution efforts. During our analysis, we identified three threat actors utilizing one particular MaaS which has operated for almost two years, proving its success and profitability. 
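The Google Redirector lure described under Exploitation I in the TTP section, turned into detection logic as an added Python example; this is not code from the report or from any of the actors' kits. It refangs the defanged links listed in the IoC section of this report, accepts a link only if it is a Google logout URL (the appengine.google.com/_ah/logout form seen in the IoCs) whose continue parameter points off google.com, and returns the landing URL the victim is sent to. The final link in the input list is a constructed benign logout URL, included to show the negative case; the hostname and path the check keys on are taken from the IoCs, not from any Google documentation.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed input: Google Redirector links from the IoC section of this
# report (defanged, as listed there) plus one made-up benign logout link.
OBSERVED_LINKS = [
    'hxxps://appengine[.]google[.]com/_ah/logout?continue=https%3A%2F%2Fsafesecurefiles[.]com%2Fdoc041791[.]pdf',
    'hxxps://appengine[.]google[.]com/_ah/logout?continue=https%3A%2F%2Falotile[.]biz%2FDocument092018[.]doc',
    'hxxps://appengine[.]google[.]com/_ah/logout?continue=https%3A%2F%2Ftransef[.]biz%2FDoc102018[.]doc',
    'hxxps://appengine[.]google[.]com/_ah/logout?continue=hxxps://mail.halcyonih[.]com/uploads/doc004718538.pdf',
    # constructed benign case: the continue target stays on google.com
    'https://appengine.google.com/_ah/logout?continue=https://appengine.google.com/',
]


def refang(url):
    # Undo the hxxp / [.] defanging used in the IoC list.
    return url.replace('[.]', '.').replace('hxxp', 'http')


def defang(url):
    return url.replace('http', 'hxxp').replace('.', '[.]')


def is_google_host(host):
    return host == 'google.com' or host.endswith('.google.com')


def extract_redirect(url):
    # Return the off-Google landing URL for a Google Redirector lure, else None.
    parts = urlsplit(refang(url))
    if not is_google_host(parts.hostname or ''):
        return None
    if parts.path != '/_ah/logout':
        return None
    # parse_qs also percent-decodes, so both the encoded (https%3A%2F%2F) and
    # the plain form of the continue value seen in the IoCs end up as a URL.
    for target in parse_qs(parts.query).get('continue', []):
        t = urlsplit(refang(target))
        if t.scheme in ('http', 'https') and t.hostname and not is_google_host(t.hostname):
            return t.geturl()
    return None


def find_lures(links):
    # Map each lure to its landing URL (both defanged for reporting); benign
    # links that do not leave google.com are dropped.
    lures = {}
    for link in links:
        landing = extract_redirect(link)
        if landing is not None:
            lures[defang(refang(link))] = defang(landing)
    return lures


if __name__ == '__main__':
    for lure, landing in find_lures(OBSERVED_LINKS).items():
        print(lure, '->', landing)
```

Because the first hop is a genuine Google page, matching only on the domain of the link itself is not enough; the target carried in the continue parameter is what should be compared against a blocklist, detonated, or used to pivot to the landing pages and maldoc hashes listed below.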
As a result, this scenario of multiple actors using the same MaaS further illustrates why attribution of campaigns incorporating aspects of MaaS becomes more complex, due to the presumable overlap in technical indicators.\r\nQuoINT continues to track the activity of these threat actors to help our customers both identify and thwart potential attacks against their environments.\r\nOur Intelligence Assessment will also cover the following points:\r\nMore information about the Provider, its Operator, and the services advertised\r\nAssessment of current and prospective capabilities of the Provider\r\nIn-depth analysis of each spear phishing campaign covered\r\nFull IoC list per kit, threat actor, and campaign\r\nRecommended Courses of Action\r\nMITRE ATT\u0026CK mapping\r\nYou can request it here.\r\n[1] To note, we only included in the timeline those campaigns attributed to the Cobalt group that used the Provider or occurred near or in the same month as GC’s activities. Hence, we excluded Cobalt’s activities occurring in January, February, and March 2018. 
Additionally, this reporting only includes intelligence obtained until October 2018.\r\nIndicators of Compromise\r\nGC01\r\nEmail Subjects:\r\nPayment Details REF # 18110486098\r\nRe: Payment Ref 34981***** receive problem\r\nRe: Bank query / S-170526–005399\r\nAmendment/Cancellation\r\nFund Transfer 08-October-2018\r\nConfirmations on October 16, 2018\r\nconfirmation-16003907\r\nEmail Attachments (Not-Malicious PDF with Google Redirector)\r\n444c63bb794abe3d2b524e0cb2c8dcc174279b23b1bce949a7125df9fab25c1c\r\n1c1a6bb0937c454eb397495eea034e00d1f7cf4e77481a04439afbc5b3503396\r\n988d430ce0e9f19634cf7955eac6eb03e3b7774b788010c2a9742b38016d1ebf\r\n1d0aae6cff1f7a772fac67b74a39904b8b9da46484b4ae8b621a6566f7761d16\r\n57f65ecb239833e5a4b2441e3a2daf3513356d45e1d5c311baeb31f4d503703e\r\n852f11e5131d3dab9812fd8ce3cd94c1333904f38713ff959f980a168ef0d4ce\r\nGoogle Redirector links\r\nhxxps://appengine[.]google[.]com/_ah/logout?continue=https%3A%2F%2Fsafesecurefiles[.]com%2Fdoc041791[.]pdf\r\nhxxps://appengine[.]google[.]com/_ah/logout?continue=https%3A%2F%2Falotile[.]biz%2FDocument092018[.]doc\r\nhxxps://appengine[.]google[.]com/_ah/logout?continue=https%3A%2F%2Ffundsxe[.]com%2FDocument09202018[.]doc\r\nhxxps://appengine[.]google[.]com/_ah/logout?continue=https%3A%2F%2Ffundswp[.]com%2FDocument082018[.]doc\r\nhxxps://appengine[.]google[.]com/_ah/logout?continue=https%3A%2F%2Ftransef[.]biz%2FDoc102018[.]doc\r\nhxxps://appengine[.]google[.]com/_ah/logout?continue=https%3A%2F%2Ffundsxe[.]com%2FDocument0922018[.]doc\r\nLanding Page\r\nhxxps://safesecurefiles[.]com/doc041791[.]pdf\r\nhxxps://alotile[.]biz/Document092018[.]doc\r\nhxxps://fundsxe[.]com/Document09202018[.]doc\r\nhxxps://fundswp[.]com/Document082018[.]doc\r\nhxxps://transef[.]biz/Doc102018[.]doc\r\nhxxps://fundsxe[.]com/Document0922018[.]doc\r\nMaldocs\r\n19dc9b93870ddc3beb7fdeea2980c95edc489040e39381d89d0dfe0a825a1570\r\n020ba5a273c0992d62faa05144aed7f174af64c836bf82009ada46f1ce3b6eee\r\n07a3355f81ff69a197c792847d0783bfc336181d66d3a36e6b548d0dbd9f5a9a\r\n161ba501b4ea6f7c2c8d224e55e566fef95064e1ed059d8287bc07e790f740e8\r\ndc8425f8c966708b1a3c26f0545664ccbf853852af401b91ae7f29d351e2649c\r\nGC02\r\nEmail Subjects:\r\nContract April\r\nDescription of my complaint about your service\r\nEmail Attachments (Not-Malicious PDF with Google Redirector)\r\n45310fcc9f9ef367f16bed4c4ba4c51d7eb72550082cd572f6a5636227514d70\r\ndf18e997a2f755159f0753c4e69a45764f746657b782f6d3c878afb8befe2b69\r\nGoogle Redirector links\r\nhxxps://appengine[.]google[.]com/_ah/logout?continue=hxxps://cloud.pallets32[.]com/Doc00581691.pdf\r\nhxxps://appengine[.]google[.]com/_ah/logout?continue=hxxps://cloudpallets32[.]com/Doc00581951.pdf\r\nhxxps://appengine[.]google[.]com/_ah/logout?continue=hxxps://mail.halcyonih[.]com/uploads/doc004718538.pdf\r\nLanding Page\r\nhxxps://cloud.pallets32[.]com/Doc00581691.pdf\r\nhxxps://cloudpallets32[.]com/Doc00581951.pdf\r\nhxxps://mail.halcyonih[.]com/uploads/doc004718538.pdf\r\nMaldocs\r\n476c9d4383505429c10c31fb72f5218b3b42d985a2b46a0de62fd6ec5d08eebf\r\n27ec680a57b658d0e63a2b209f407253b4d8904ea025b3ef7c544d98d5798356\r\na1f3388314c4abd7b1d3ad2aeb863c9c40a56bf438c7a2b71cbcff384d7e7ded\r\nGC MaaS C2 infrastructure\r\noutlooklive.org[.]kz\r\nmail.yahoo.org[.]kz\r\napi.outlook[.]kz\r\nnl.web-cdn[.]kz\r\napi.toshiba.org[.]kz\r\napi.fujitsu.org[.]kz\r\napi.asus.org[.]kz\r\napi.miria[.]kz\r\nww3.cloudfront.org[.]kz\r\nwebmail.cloudfront.com[.]kz\r\nmail.halcyonih[.]com\r\ncloudpallets32[.]com\r\ncontents[.]bz\r\nsafesecurefiles[.]com\r\nusasecurefiles[.]com\r\nfreecloud[.]biz\r\nalotile[.]biz\r\nfundswp[.]com\r\ntransef[.]biz\r\nfundsxe[.]com\r\ndocument[.]cdn-one[.]biz\r\nSource: https://quointelligence.eu/2018/11/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://quointelligence.eu/2018/11/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using/"
	],
	"report_names": [
		"golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "220e1e99-97ab-440a-8027-b672c5c5df44",
			"created_at": "2022-10-25T16:47:55.773407Z",
			"updated_at": "2026-04-10T02:00:03.649501Z",
			"deleted_at": null,
			"main_name": "GOLD KINGSWOOD",
			"aliases": [
				"Cobalt Gang ",
				"Cobalt Spider "
			],
			"source_name": "Secureworks:GOLD KINGSWOOD",
			"tools": [
				"ATMSpitter",
				"Buhtrap",
				"Carbanak",
				"Cobalt Strike",
				"CobtInt",
				"Cyst",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"SpicyOmelette"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f5c90ccc-0f18-4e07-a246-b62101ab2f6f",
			"created_at": "2023-01-06T13:46:38.854407Z",
			"updated_at": "2026-04-10T02:00:03.122844Z",
			"deleted_at": null,
			"main_name": "GC02",
			"aliases": [
				"Golden Chickens",
				"Golden Chickens02",
				"Golden Chickens 02"
			],
			"source_name": "MISPGALAXY:GC02",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "88802a4b-5b3d-42ee-99e6-8a4f5fd231f6",
			"created_at": "2023-01-06T13:46:38.851345Z",
			"updated_at": "2026-04-10T02:00:03.121861Z",
			"deleted_at": null,
			"main_name": "GC01",
			"aliases": [
				"Golden Chickens",
				"Golden Chickens01",
				"Golden Chickens 01"
			],
			"source_name": "MISPGALAXY:GC01",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7a257844-df90-4bd4-b0f1-77d00ff82802",
			"created_at": "2022-10-25T16:07:24.376356Z",
			"updated_at": "2026-04-10T02:00:04.964565Z",
			"deleted_at": null,
			"main_name": "Venom Spider",
			"aliases": [
				"Golden Chickens",
				"TA4557",
				"Venom Spider"
			],
			"source_name": "ETDA:Venom Spider",
			"tools": [
				"More_eggs",
				"PureLocker",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Taurus Loader Reconnaissance Module",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraCrypt",
				"TerraLogger",
				"TerraPreter",
				"TerraRecon",
				"TerraStealer",
				"TerraTV",
				"TerraWiper",
				"ThreatKit",
				"VenomKit",
				"VenomLNK",
				"lite_more_eggs"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434678,
	"ts_updated_at": 1775826771,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/18fd1812318e184807eb15bc8e971217a1fc0ab6.pdf",
		"text": "https://archive.orkl.eu/18fd1812318e184807eb15bc8e971217a1fc0ab6.txt",
		"img": "https://archive.orkl.eu/18fd1812318e184807eb15bc8e971217a1fc0ab6.jpg"
	}
}