{
	"id": "1d0f1edf-0fd4-47cd-ada7-7b9ba31bf5c3",
	"created_at": "2026-04-06T00:12:45.806498Z",
	"updated_at": "2026-04-10T03:36:08.265637Z",
	"deleted_at": null,
	"sha1_hash": "2d13f4a639e56b6b2246e5a81773d3627a423103",
	"title": "Hackers Spearphish Corporate Hiring Managers with Poisoned Resumes Infecting Them with Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 88650,
	"plain_text": "Hackers Spearphish Corporate Hiring Managers with Poisoned\r\nResumes Infecting Them with Malware\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-05 17:31:44 UTC\r\nMore_Eggs Came Calling for Easter\r\neSentire’s security research team, the Threat Response Unit (TRU), has discovered that the stealthy more_eggs\r\nmalware has re-emerged once again this year infecting corporate entities. More_eggs is malicious software\r\ncontaining several components engineered to steal valuable credentials, including usernames and passwords for\r\ncorporate bank accounts, email accounts and IT administrator accounts, among others.\r\nTRU has uncovered a more_eggs phishing campaign where hackers are posing as job applicants and luring\r\nCorporate Hiring Managers into downloading what they believe are resumes from job applicants. However, the\r\nbogus resumes contain the more_eggs malware.\r\nThus far, TRU has discovered and shut down four separate security incidents relating to the current more_eggs\r\ncampaign. Three of them occurred at the end of March, and the organizations attacked include a U.S.-based\r\naerospace/defense company; a large UK-based CPA firm; an international business law firm based out of Canada;\r\nand a national Canadian staffing agency. TRU has produced a full report outlining their findings and how best to\r\nprotect against the current more_eggs threat.\r\nKey Takeaways\r\neSentire's Threat Response Unit (TRU) research team has discovered a new threat campaign using the\r\nmore_eggs malware.\r\nMore_eggs is a stealthy, lethal malware that contains components engineered to steal usernames and\r\npasswords for corporate bank accounts, email accounts and IT administrator accounts, among others.\r\nThe current more_eggs campaign involves hackers posing as job applicants and luring Corporate Hiring\r\nManagers into downloading what they believe are resumes from job applicants. 
In actuality, the resumes\r\ncontain the more_eggs malware.\r\nTRU has detected and shut down four different more_eggs security incidents recently. Three of them\r\noccurred at the end of March, and they all involve the new variant of more_eggs. The organizations\r\nattacked include a U.S.-based aerospace/defense company that designs, develops and provides maintenance\r\nrepair for airline components; a large UK-based CPA firm; an international business law firm based out of\r\nCanada; and a national Canadian staffing agency.\r\nOne year ago, TRU also discovered a spearphishing campaign infecting victims with more_eggs. However,\r\nduring that operation, the threat actors were targeting professionals on LinkedIn who were looking for jobs,\r\nas opposed to Hiring Managers looking for job candidates. The hackers sent the job seekers .zip files\r\ndisguised as job offers. When the targets opened the zip file, it led to the installation of more_eggs.\r\nhttps://www.esentire.com/blog/hackers-spearphish-corporate-hiring-managers-with-poisoned-resumes-infecting-them-with-the-more-eggs-malware\r\nPage 1 of 12\n\nResearch Report\r\nA more_eggs malware campaign has appeared, just as it did last year during the Easter season. eSentire’s Threat\r\nResponse Unit (TRU) security research team has discovered a phishing campaign where hackers are posing as job\r\napplicants and luring Corporate Hiring Managers into downloading what they believe are resumes from job\r\napplicants. However, the bogus resumes contain the more_eggs malware.\r\nMore_eggs is a stealthy, lethal malware that has several components engineered to steal valuable credentials, such\r\nas usernames and passwords for corporate bank accounts, email accounts and IT administrator accounts, among\r\nothers. Once accessed, the hackers exfiltrate data from the victim organization, spread to other computer hosts via\r\nTeamViewer, and encrypt files. 
The Golden Chickens group (aka Venom Spider) is believed to be the threat\r\noperators behind more_eggs. Interestingly, several top financial cybercrime groups, including the infamous FIN6\r\ngang, Evilnum and the Cobalt Group have employed the more_eggs malware in their attack campaigns.\r\nThe Current More_Eggs Operation – a Déjà Vu of the 2021 LinkedIn Campaign?\r\nIronically, around the same time last year in April 2021, TRU discovered a spearphishing campaign which was\r\ninfecting victims with more_eggs. However, during that campaign, rather than posing as hopeful job candidates\r\nsending a poisoned resume, the threat actors targeted professionals on LinkedIn who were looking for jobs. The\r\nhackers sent the job seekers .zip files disguised as job offers. When the targets opened the zip file, it led to the\r\ninstallation of more_eggs. The threat actors behind the campaign tried enticing the targets into clicking on the zip\r\nfile by naming the file after the job seeker’s current job title and adding “position” at the end.\r\nFor example, if the LinkedIn member’s job is listed as ‘Senior Account Executive—International Freight,’ the\r\nmalicious zip file would be titled ‘Senior Account Executive — International Freight position.’ Upon opening the\r\nfake job offer, the victim unwittingly initiated the installation of more_eggs.\r\neSentire’s TRU Disrupts Attacks Against an Aerospace/Defense Company,\r\nInternational Law Firm, International CPA Firm and Staffing Agency\r\nThus far, in the current more_eggs campaign, the eSentire TRU team has discovered and shut down four separate\r\nsecurity incidents. 
Three of them occurred at the end of March, and they all involve the new variant of more_eggs.\r\nThe organizations attacked include a U.S.-based aerospace/defense company that designs, develops and provides\r\nmaintenance repair for airline components; a large UK-based CPA firm; an international business law firm based\r\nout of Canada; and a national Canadian staffing agency.\r\nThe threat actors behind the current more_eggs campaign don't appear to be randomly targeting companies. For\r\nexample, the CPA firm and the staffing agency both list a job posting on Indeed.com and LinkedIn which matches\r\nthe title of the resume each hiring manager received. The aerospace/defense company also had a job listed on\r\nZipRecruiter.com which matches the title of the fake resume received.\r\nWhat are the Hackers After?\r\nSince these more_eggs attacks were disrupted, the TRU team cannot know with certainty what the end game is for\r\nthis operation or what threat group is behind these attacks. What we do know is that this current activity\r\ndemonstrates a role-reversal from last year’s more_eggs LinkedIn campaign. 
We also know that the more_eggs\r\nMalware-as-a-Service (MaaS) is utilized by the very capable FIN6, Evilnum and Cobalt\r\ncybercriminals.\r\nOf course, for a threat group, getting a foothold into the IT environments of an aerospace/defense company, an\r\ninternational law firm, an international CPA firm and a national corporate staffing agency could be very lucrative.\r\nSuccessfully infecting a corporate employee with the more_eggs malware could potentially enable a threat actor(s)\r\nto commit a variety of cybercrimes including deploying ransomware, stealing intellectual property, stealing\r\ncredentials to corporate bank accounts, or committing business email compromise, among others.\r\nConnection Between FIN6, Evilnum, Cobalt Group and More_Eggs\r\nFIN6 - FIN6 is a financial cybercrime group that primarily steals payment card data and sells it on underground\r\nmarketplaces. The FIN6 group first gained notoriety in 2014 for their attacks against point-of-sale (POS) machines\r\nin retail outlets and hospitality companies. Continuing their quest for credit and debit card data, they later moved\r\non to targeting e-Commerce companies and stole their credit card data via online skimming. The FIN6 threat\r\ngroup has also been known to infect some of their victims with ransomware.\r\nInterestingly, intelligence analysts with Visa reported in February 2019 that at the end of 2018, FIN6 was\r\nspecifically targeting numerous e-Commerce companies’ payment servers and using malicious documents to\r\ninfect their targets with more_eggs as the initial phase of their attack.\r\nThat activity mirrors a threat campaign that was reported separately in February 2019 by ProofPoint researchers.\r\nIn these incidents, threat actors were observed attacking retail, entertainment and pharmaceutical companies’\r\nonline payments systems and using malicious documents, laden with more_eggs, to target the companies’\r\nemployees. 
The threat actors sent fake job offers to the employees, cleverly using the job title listed on their\r\nLinkedIn profiles in their communications. The campaigns reported in February 2019 by Visa and ProofPoint\r\ncould be the same operation, or they could be two separate campaigns. However, what we do know is that the\r\nsame targets (eCommerce companies’ payment systems) and tools (more_eggs) were used in both scams.\r\nLater in August 2019, the FIN6 operators launched another malicious campaign, and researchers believe with this\r\noperation FIN6 was actively going after multinational organizations. Similar to the February 2019 campaign\r\nlaunched against the retail, entertainment, and pharmaceutical companies, employees were spearphished with fake\r\njob offers. According to security researchers, to gain access to victim environments, the threat actor began by\r\ntargeting handpicked employees using LinkedIn messaging and email, advertising fake jobs to lure recipients into\r\nchecking into the supposed offers.\r\nBetween the end of 2018 and April 2021, there have been three distinct more_eggs LinkedIn campaigns using the\r\nsame modus operandi. Each campaign targeted corporate employees, utilized their LinkedIn profile, and then\r\nsocial engineered them with bogus job offers, which led to the more_eggs malware.\r\nEvilnum - The Evilnum cybercrime group is best known for compromising financial technology companies,\r\nwhich are companies that provide stock trading platforms and tools. Their target is financial information about the\r\ntargeted FINTECH companies and their customers. 
They target items such as spreadsheets and documents with\r\ncustomer lists, investments and trading operations, and credentials for trading software and platforms. The\r\nEvilnum group is also known to spearphish employees of the companies they are targeting and enclose malicious\r\nzip files. If executed, the employees get hit with the more_eggs backdoor, along with other malware.\r\nCobalt Group - The Cobalt Group is also known to go after financial companies, and it has repeatedly used the\r\nmore_eggs backdoor in its attacks.\r\nThe Interworkings of More_Eggs\r\nMore_eggs is a sophisticated suite of malware components. One of those components is VenomLNK (a component\r\nused to trick the victim into installing TerraLoader). TerraLoader is an intermediate component used to install\r\nnumerous modules designed to take malicious actions such as credential theft, lateral movement, and file\r\nencryption throughout a victim’s IT network. A complete analysis of the 2020 version of more_eggs was\r\nconducted by Quo Intelligence, who broke the malware into several modules. Here is a full breakdown:\r\nVenomLNK is a poisoned LNK file. Windows uses LNK files to automate program execution. More_eggs\r\nuses a maliciously-written LNK file to execute TerraLoader by tricking the user into opening what they\r\nthink is a document.\r\nTerraLoader loads the other modules from VenomLNK.\r\nTerraPreter provides a Meterpreter (a Metasploit attack payload) shell in memory.\r\nTerraStealer is an info stealing module used to exfiltrate sensitive data.\r\nTerraTV allows threat actors to hijack TeamViewer for lateral movement.\r\nTerraCrypt is a ransomware plugin for PureLocker ransomware, aka CR1 Ransomware, a lesser-known\r\nransomware.\r\nThe social engineering method for this current more_eggs campaign consisted of disguising a zipped copy of the\r\nVenomLNK malware as a job applicant’s resume. 
A benign PDF resume is included as well, which serves as a\r\ndecoy resume, while more_eggs installs TerraLoader.\r\nAs with previous more_eggs variants observed by TRU, the malware abuses legitimate Windows processes to\r\nevade detection, alongside a decoy document to trick users. With the incident involving the accounting firm, an\r\nemployee of the firm received what they thought was a candidate’s resume, when in actuality the resume was the\r\nVenomLNK malware. Once VenomLNK was executed, it proceeded to execute TerraLoader so that TerraLoader\r\ncould then load various information stealing and intrusion modules of the more_eggs malware suite. With this\r\ncampaign, however, there are two notable differences:\r\nAs stated earlier, rather than targeting hopeful candidates looking for work, the hackers are targeting\r\nbusinesses looking for employees.\r\nIn place of the previously abused Windows process, cmstp.exe – which manages network connections –\r\nmore_eggs is abusing ie4uinit.exe, another Windows process, to load its malicious plugins.\r\nWhat’s New with More_Eggs?\r\nThe current threat campaign utilizes several features similar to those TRU observed in the 2021 more_eggs LinkedIn\r\noperation, including the VenomLNK module (a decoy document plus a .lnk file) and multi-phase\r\nexecution through writing and reading .txt files (which turned out to be .xml files with JavaScript contents upon\r\ninspection). The TerraLoader equivalent, however, abuses ie4uinit.exe instead of cmstp.exe, eventually leading to\r\nthe abuse of msxsl.exe as we reported in April 2021.\r\nObservations of More_Eggs Operation from Keegan Keplinger, research and\r\nreporting lead with eSentire’s Threat Response Unit (TRU) security team\r\n“Anti-Virus (AV) is not enough to protect employees and home users from cyber threats. 
Because malware like\r\nmore_eggs takes the so-called fileless approach to evade AV, there is no malicious executable for AV to detect.\r\nRather, more_eggs achieves execution by passing malicious code to legitimate Windows processes and letting\r\nthose Windows processes do the work for them.”\r\n“We tend to see threat campaigns, involving the sophisticated and versatile more_eggs malware, just a few times a\r\nyear compared to some other threats. In addition to the spearphishing component, this indicates to me that threat\r\nactors, using the more_eggs service, are selective and patient.”\r\n“This year the more_eggs operation has flipped the social engineering script, targeting hiring managers with fake\r\nresumes instead of targeting jobseekers with fake job offers.”\r\n“The threat actors behind more_eggs use a scalable, spearphishing approach that weaponizes expected\r\ncommunications, such as resumes, that match a hiring manager’s expectations or job offers, targeting hopeful\r\ncandidates, that match their current or past job titles.”\r\nRecommendations for Protecting Against More_Eggs\r\nSecurity Awareness Training for All Employees. Security Awareness training should be mandated for all\r\ncompany employees. The training should ensure that employees:\r\nAvoid downloading and executing files from unverified sources. For example, be wary of Word and\r\nExcel documents sent from an unknown source or acquired from the Internet that prompt you to\r\n‘Enable Macros’.\r\nAvoid free versions of paid software.\r\nAlways inspect the full URL before downloading files to ensure it matches the source (e.g.,\r\nMicrosoft Teams should come from a Microsoft domain).\r\nInspect file extensions. Do not trust the filetype logo alone. An executable file can be disguised as a\r\nPDF or office document.\r\nEnsure standard procedures are in place for employees to submit potentially malicious content for\r\nreview.\r\nAnti-virus isn’t enough. 
Malware that abuses LOLBINs bypasses binary detection approaches. Therefore,\r\nEndpoint Detection and Response (EDR) agents need to be installed on all hosts. An EDR solution is a\r\nnecessary technology for detecting threats such as more_eggs, and EDR agents must be continuously\r\nmonitored and updated with the evolving threat landscape. If not, then critical alerts will not be triaged and\r\ninvestigated. Managed Detection and Response (MDR) providers offer this service. Robust and\r\ncomprehensive MDR services require an AI-powered Extended Detection and Response (XDR) technology\r\nplatform so that the hundreds of daily security signals, generated by an organization’s EDR agents, can be\r\npromptly ingested, analyzed and responded to. Security events which can be resolved through an\r\nautomated response are processed, while security events requiring a hands-on response are handled by the\r\nMDR’s cybersecurity analysts and threat hunters.\r\nMonitor the Threat Landscape. Organizations need relevant threat intelligence, and it must be actioned\r\nin a timely fashion. Additionally, one’s security team needs to be specifically informed about an\r\norganization’s operating environment, working in concert with one’s security provider.\r\nIf you’re not currently engaged with a Managed Detection and Response provider, we highly recommend you\r\npartner with us for security services to disrupt threats before they impact your business. Want to learn more about\r\nhow we protect organizations globally? 
Connect with an eSentire Security Specialist.\r\nGlossary\r\nMore_eggs – a malware suite that includes a social engineering initial access vector (VenomLNK), a plugin\r\nloader (TerraLoader) that loads modules, and functional modules that are capable of infostealing (TerraStealer),\r\nMeterpreter shells (TerraPreter), and evasive lateral movement (TerraTV). See the “The Interworkings of\r\nMore_Eggs” section for more.\r\nInfostealing – infostealing capabilities in malware can be geared towards a variety of information targets such as\r\nconfiguration options (like stealing cookies to simulate the victim’s web sessions), login credentials saved in\r\nbrowsers and files, and credit card information (saved in browsers).\r\nMeterpreter – Meterpreter is a pentesting tool that contains a large library of exploits and intrusion tools used for\r\ndifferent purposes including privilege escalation, credential theft, lateral movement, and both local and remote\r\ncode execution.\r\nGolden Chickens – also known as Venom Spider, Golden Chickens has been operating the more_eggs malware-as-a-service since at least 2018.\r\nLOLBINS – stands for Living-Off-The-Land-Binaries and represents a class of Windows processes that can be\r\nabused in malware, such as more_eggs.\r\nPrivilege Escalation – when a threat actor gets higher permissions for an account they’ve compromised or can get\r\naccess to a more powerful account.\r\nLateral Movement – when threat actors can compromise additional, sometimes more powerful assets (such as\r\nExchange Servers or Domain Controllers) in the organization from their initial foothold.\r\nDomain Controllers – A central defining infrastructure in most enterprise networks. 
The domain controllers help\r\ndefine and manage the internal network and who can access what on it.\r\nIndicators\r\nSHA256\r\nLOLBIN ingress:\r\nc:/users/<username>/appdata/roaming/microsoft/msxsl.exe\r\nc:/users/<username>/appdata/roaming/microsoft/ie4uinit.exe\r\nAccount Discovery:\r\nnet group /domain \"Domain Admins\"\r\nDomain Discovery:\r\nnltest /trusted_domains\r\nJoe’s Sandbox Analysis:\r\nhttps://www.joesandbox.com/analysis/564458/0/html\r\nATT&CK\r\nTactic | ID | Name | Description\r\nExecution | T1059.003 | Windows Command Shell | More_eggs has used cmd.exe for execution.\r\nExecution | T1059 | Command and Scripting Interpreter | ...\r\nPrivilege Escalation | T1546.003 | Windows Management Instrumentation Event Subscription | ENT\r\nDefense Evasion | T1027 | Obfuscated Files or Information | More_eggs's payload has been encrypted with a key that has the hostname and processor family information appended to the end.\r\nDefense Evasion | T1070.004 | File Deletion | More_eggs can remove itself from a system.\r\nDefense Evasion | T1070 | Indicator Removal on Host | ...\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | More_eggs will decode malware components that are then dropped to the system.\r\nDefense Evasion | T1218.010 | Regsvr32 | More_eggs has used regsvr32.exe to execute the malicious DLL.\r\nDefense Evasion | T1218 | Signed Binary Proxy Execution | ...\r\nDefense Evasion | T1220 | XSL Script Processing | msxsl.exe was used to bypass defenses and to invoke JScript code from an XSL file.\r\nDefense Evasion | T1553.002 | Code Signing | More_eggs has used a signed binary shellcode loader and a signed Dynamic Link Library (DLL) to create a reverse shell.\r\nDefense Evasion | T1553 | Subvert Trust Controls | ...\r\nDiscovery | T1016.001 | Internet Connection Discovery | More_eggs has the capability to gather the IP address from the victim's machine.\r\nDiscovery | T1016 | System Network Configuration Discovery | ...\r\nDiscovery | T1033 | System Owner/User Discovery | More_eggs has the capability to gather the username from the victim's machine.\r\nDiscovery | T1069.002 | Domain Groups | net group /domain \"Domain Admins\" was used to gather information about domain groups.\r\nDiscovery | T1069 | Permission Groups Discovery | ...\r\nDiscovery | T1082 | System Information Discovery | More_eggs has the capability to gather the OS version and computer name.\r\nDiscovery | T1482 | Domain Trust Discovery | nltest /trusted_domains was used to gather domain trust information.\r\nDiscovery | T1518.001 | Security Software Discovery | More_eggs can obtain information on installed anti-malware programs.\r\nDiscovery | T1518 | Software Discovery | ...\r\nCommand and Control | T1071.001 | Web Protocols | More_eggs uses HTTPS for C2.\r\nCommand and Control | T1071 | Application Layer Protocol | ...\r\nCommand and Control | T1105 | Ingress Tool Transfer | More_eggs can download and launch additional payloads (msxsl.exe was downloaded and installed).\r\nCommand and Control | T1132.001 | Standard Encoding | More_eggs has used basE91 encoding, along with encryption, for C2 communication.\r\nCommand and Control | T1132 | Data Encoding | ...\r\nCommand and Control | T1573.001 | Symmetric Cryptography | More_eggs has used an RC4-based encryption method for its C2 communications.\r\nCommand and Control | T1573 | Encrypted Channel | ...\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next\r\nLevel MDR, connect with an eSentire Security Specialist now.\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your\r\norganization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7\r\nSecurity Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and\r\nworks as an extension of your security team to continuously improve our Managed Detection and Response\r\nservice. By providing complete visibility across your attack surface and performing global threat sweeps and\r\nproactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending\r\nyour organization against known and unknown threats.\r\nSource: https://www.esentire.com/blog/hackers-spearphish-corporate-hiring-managers-with-poisoned-resumes-infecting-them-with-the-more-eggs-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.esentire.com/blog/hackers-spearphish-corporate-hiring-managers-with-poisoned-resumes-infecting-them-with-the-more-eggs-malware"
	],
	"report_names": [
		"hackers-spearphish-corporate-hiring-managers-with-poisoned-resumes-infecting-them-with-the-more-eggs-malware"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f5c90ccc-0f18-4e07-a246-b62101ab2f6f",
			"created_at": "2023-01-06T13:46:38.854407Z",
			"updated_at": "2026-04-10T02:00:03.122844Z",
			"deleted_at": null,
			"main_name": "GC02",
			"aliases": [
				"Golden Chickens",
				"Golden Chickens02",
				"Golden Chickens 02"
			],
			"source_name": "MISPGALAXY:GC02",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f2fa9952-301f-4376-ac69-743d6f2bec1e",
			"created_at": "2023-01-06T13:46:39.122721Z",
			"updated_at": "2026-04-10T02:00:03.22231Z",
			"deleted_at": null,
			"main_name": "VENOM SPIDER",
			"aliases": [
				"badbullz",
				"badbullzvenom"
			],
			"source_name": "MISPGALAXY:VENOM SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88802a4b-5b3d-42ee-99e6-8a4f5fd231f6",
			"created_at": "2023-01-06T13:46:38.851345Z",
			"updated_at": "2026-04-10T02:00:03.121861Z",
			"deleted_at": null,
			"main_name": "GC01",
			"aliases": [
				"Golden Chickens",
				"Golden Chickens01",
				"Golden Chickens 01"
			],
			"source_name": "MISPGALAXY:GC01",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7a257844-df90-4bd4-b0f1-77d00ff82802",
			"created_at": "2022-10-25T16:07:24.376356Z",
			"updated_at": "2026-04-10T02:00:04.964565Z",
			"deleted_at": null,
			"main_name": "Venom Spider",
			"aliases": [
				"Golden Chickens",
				"TA4557",
				"Venom Spider"
			],
			"source_name": "ETDA:Venom Spider",
			"tools": [
				"More_eggs",
				"PureLocker",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Taurus Loader Reconnaissance Module",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraCrypt",
				"TerraLogger",
				"TerraPreter",
				"TerraRecon",
				"TerraStealer",
				"TerraTV",
				"TerraWiper",
				"ThreatKit",
				"VenomKit",
				"VenomLNK",
				"lite_more_eggs"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434365,
	"ts_updated_at": 1775792168,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2d13f4a639e56b6b2246e5a81773d3627a423103.pdf",
		"text": "https://archive.orkl.eu/2d13f4a639e56b6b2246e5a81773d3627a423103.txt",
		"img": "https://archive.orkl.eu/2d13f4a639e56b6b2246e5a81773d3627a423103.jpg"
	}
}