{
	"id": "a4e09012-5f02-47f8-b843-21976d6c3309",
	"created_at": "2026-04-06T00:06:15.638122Z",
	"updated_at": "2026-04-10T03:36:08.347051Z",
	"deleted_at": null,
	"sha1_hash": "4ab7a2f9c30fb9c02d26380d99067802eaf9b009",
	"title": "Fake Jobs: Campaigns Delivering More_eggs Backdoor via Fake Job Offers | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 845328,
	"plain_text": "Fake Jobs: Campaigns Delivering More_eggs Backdoor via Fake\r\nJob Offers | Proofpoint US\r\nBy Proofpoint Threat Insight Team, February 21, 2019\r\nPublished: 2019-02-21 · Archived: 2026-04-02 11:38:47 UTC\r\nOverview\r\nSince the middle of 2018, Proofpoint has been tracking campaigns abusing legitimate messaging services, offering\r\nfake jobs, and repeatedly following up via email to ultimately deliver the More_eggs backdoor. These campaigns\r\nprimarily targeted US companies in various industries including retail, entertainment, pharmacy, and others that\r\ncommonly employ online payments, such as online shopping portals.\r\nThe actor sending these campaigns attempts to establish rapport with potential victims by abusing LinkedIn’s\r\ndirect messaging service. In direct follow-up emails, the actor pretends to be from a staffing company with an\r\noffer of employment. In many cases, the actor supports the campaigns with fake websites that impersonate\r\nlegitimate staffing companies. These websites, however, host the malicious payloads. In other cases, the actor uses\r\na range of malicious attachments to distribute More_eggs.\r\nWe also believe that the same actor recently sent related campaigns, first noted by Brian Krebs, targeting anti-money laundering officers at financial institutions [1].\r\nDelivery\r\nWe have observed a number of variations among the campaigns, but most share common characteristics. While\r\nnot exhaustive, the general flow as well as specific examples of these attacks are described below.\r\nInitially, the actor uses a fraudulent but legitimately created LinkedIn profile to initiate contact with individuals at\r\nthe targeted company by sending invitations with a short message (Figure 1). 
This appears as a benign email with\r\nthe subject “Hi [Name], please add me to your professional network”.\r\nhttps://www.proofpoint.com/us/threat-insight/post/fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers\r\nPage 1 of 9\n\nFigure 1: Example of initial message in which attackers abuse LinkedIn messaging.\r\nWithin a week, the actor sends a direct email to the target’s work address reminding the recipient about the prior\r\nattempt to communicate on LinkedIn (Figure 2). It uses the target’s professional title, as it appears on LinkedIn, as\r\nthe subject, and often suggests the recipient click on a link to see the noted job description. In other cases, this\r\nactor used an attached PDF with embedded URLs or other malicious attachments.\r\nFigure 2: Example follow-up email to the target’s work address, with a malicious URL.\r\nThe URLs link to a landing page that spoofs a real talent and staffing management company, using stolen\r\nbranding to enhance the legitimacy of the campaigns (Figure 3). The landing page initiates a download of a\r\nMicrosoft Word file (Figure 4) with malicious macros created with Taurus Builder (described below). If the\r\nrecipient enables macros, the “More_eggs” payload will be downloaded and executed. In other cases, the landing\r\npage may initiate the download of a JScript loader instead, but this intermediate malware still ultimately results in\r\nthe delivery of More_eggs.\r\nFigure 3: Example of a landing page for the URL included in the email, using stolen branding and a lookalike domain\r\nfor a talent management agency. 
This one specifically initiates a download of a malicious Microsoft Word\r\ndocument.\r\nFigure 4: Example malicious Microsoft Word document that uses macros to download More_eggs.\r\nAs noted, some campaigns also used malicious attachments instead of URLs in the email. Figure 5 shows an\r\nexample of one such attachment, a PDF with a link to a spoofed landing page like that shown in Figure 3.\r\nFigure 5: Example PDF attachment that contains a malicious URL.\r\nVariations\r\nThese campaigns demonstrated considerable variability, with the actor frequently changing delivery methods and\r\nmore. Examples of the types of techniques used by the actor to deliver the final More_eggs payload include:\r\nURL linking to a landing page that initiates the download for an intermediate JScript loader or Microsoft\r\nWord document with macros or exploits\r\nURL shortener redirecting to the same landing page\r\nPDF attachment with a URL linking to the same landing page\r\nPassword-protected Microsoft Word attachment with macros that download More_eggs\r\nCompletely benign emails without a malicious attachment or URL attempting to further establish rapport\r\n(Figure 6)\r\nFigure 6: Example of a benign email designed to establish rapport with potential victims\r\nTools\r\nThis actor uses a variety of tools to distribute malware. We briefly describe three such tools below.\r\nTaurus Builder\r\nWe use this name to describe a tool used to create malicious documents. We believe Taurus Builder was purchased\r\non underground crime forums. Notably, documents created with this builder use the CMSTP bypass as described\r\nin [2]. 
Both Palo Alto Networks [3] and QuoScient [4] have previously described documents created with this kit.\r\nVenomKit\r\nWe use this name to describe documents generated by a builder purchased from the same seller as Taurus Builder.\r\nDepending on the variant, it may exploit CVE-2017-0199, CVE-2017-8570, CVE-2017-8759, CVE-2017-11882,\r\nCVE-2018-0802, and/or CVE-2018-8174. Notably, VenomKit often also uses the same CMSTP bypass as Taurus.\r\nDocuments from this kit have previously been discussed by QuoScient [4].\r\nMore_eggs\r\nMore_eggs is malware written in JScript used in these campaigns and others. It is often used as a downloader. In\r\naddition to its ability to download additional payloads, More_eggs has extensive capabilities to profile the infected\r\nmachine. The malware was first documented by Trend Micro [5].\r\nOverlaps with Anti-Money Laundering Campaign\r\nBrian Krebs wrote about a related campaign that targeted anti-money laundering officers at financial institutions\r\nthat we believe may have been sent by the same actor. 
Although targeting and the final payload were different in\r\nthe campaign he described, key similarities to the campaigns described above included:\r\nThe use of a PDF email attachment similar to the PDFs used in the Fake Jobs campaigns\r\nThe PDFs of both the anti-money laundering campaign and the Fake Jobs campaigns at one point included\r\nURLs hosted on the same domain\r\nLarge Follow-up Spam Campaign\r\nNote: As we were finalizing this report, we observed a larger-than-usual campaign from this actor on Feb 21, 2019,\r\nfrom random senders, with a malicious URL in the email.\r\nConclusion\r\nAs threat actors continue to turn away from very large-scale “spray and pray” campaigns and focus on persistent\r\ninfections with downloaders, RATs, bankers, and other malware, increasingly sophisticated social engineering and\r\nstealthy malware are making their way into a range of campaigns. This actor provides compelling examples of\r\nthese new approaches, using LinkedIn scraping, multi-vector and multistep contacts with recipients, personalized\r\nlures, and varied attack techniques to distribute the More_eggs downloader, which in turn can distribute the\r\nmalware of their choice based on system profiles transmitted to the threat actor. 
In response to the increasing\r\neffectiveness of layered defenses and end-user education efforts, we can expect more threat actors to adopt\r\napproaches that improve the effectiveness of their lures and increase the likelihood of high-quality infections.\r\nNote: We have informed all affected parties about the abuse of their services and brands in these campaigns.\r\nReferences\r\n[1] https://krebsonsecurity.com/2019/02/phishers-target-anti-money-laundering-officers-at-u-s-credit-unions/\r\n[2] https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/\r\n[3] https://unit42.paloaltonetworks.com/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/\r\n[4] https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648\r\n[5] https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/\r\nIndicators of Compromise (IOCs)\r\nIOC | IOC Type | Description\r\ninterrafcu[.]com | Domain | Landing Page Domain\r\nusstaffing[.]services | Domain | Landing Page Domain\r\nedb39c4eb28cf526f1e606365cdef009cb9aa8ba99feb448db615326bf495042 | SHA256 | Example Taurus Builder Document\r\nhxxp://204.155.30[.]109/3521.txt | URL | Document Payload\r\nd39cb07e97fd91e75c51f75ccef1a8d7ce8ec8c951943501f981ce98d6319e01 | SHA256 | Scriptlet leading to More_eggs\r\n2bca33c8be6483aec5cbb29d18c5f626a86205fca92191468b8b1032d38aebea | SHA256 | Example VenomKit Document\r\n2470ac1632546ecf5c9c9d93c6dc088253ba682ba9cf19ae6984b6cee3f8e2b5 | SHA256 | Example Code-Signed JS Loader\r\n73defd8066549e5b09c509064bc5bd29e77eca2c18d114c0bcf3dfa1cefe6939 | SHA256 | Example JS Loader\r\nmail[.]rediffmail[.]kz | HostName | More_Eggs C\u0026C\r\nonlinemail[.]kz | HostName | More_Eggs C\u0026C\r\napi[.]cloudservers[.]kz | HostName | More_Eggs C\u0026C\r\nsecure[.]cloudserv[.]ink | HostName | More_Eggs C\u0026C\r\ntonsandmillions[.]com | HostName | More_Eggs C\u0026C\r\ncontactlistsagregator[.]com | HostName | More_Eggs C\u0026C\r\nET and ETPRO Suricata/Snort Signatures\r\n2832245 | ETPRO CURRENT_EVENTS Possible More_eggs Connectivity Check\r\n2834137 | ETPRO TROJAN Observed Malicious SSL Cert (More_eggs CnC)\r\nSource: https://www.proofpoint.com/us/threat-insight/post/fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers"
	],
	"report_names": [
		"fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "220e1e99-97ab-440a-8027-b672c5c5df44",
			"created_at": "2022-10-25T16:47:55.773407Z",
			"updated_at": "2026-04-10T02:00:03.649501Z",
			"deleted_at": null,
			"main_name": "GOLD KINGSWOOD",
			"aliases": [
				"Cobalt Gang ",
				"Cobalt Spider "
			],
			"source_name": "Secureworks:GOLD KINGSWOOD",
			"tools": [
				"ATMSpitter",
				"Buhtrap",
				"Carbanak",
				"Cobalt Strike",
				"CobtInt",
				"Cyst",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"SpicyOmelette"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f5c90ccc-0f18-4e07-a246-b62101ab2f6f",
			"created_at": "2023-01-06T13:46:38.854407Z",
			"updated_at": "2026-04-10T02:00:03.122844Z",
			"deleted_at": null,
			"main_name": "GC02",
			"aliases": [
				"Golden Chickens",
				"Golden Chickens02",
				"Golden Chickens 02"
			],
			"source_name": "MISPGALAXY:GC02",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "88802a4b-5b3d-42ee-99e6-8a4f5fd231f6",
			"created_at": "2023-01-06T13:46:38.851345Z",
			"updated_at": "2026-04-10T02:00:03.121861Z",
			"deleted_at": null,
			"main_name": "GC01",
			"aliases": [
				"Golden Chickens",
				"Golden Chickens01",
				"Golden Chickens 01"
			],
			"source_name": "MISPGALAXY:GC01",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7a257844-df90-4bd4-b0f1-77d00ff82802",
			"created_at": "2022-10-25T16:07:24.376356Z",
			"updated_at": "2026-04-10T02:00:04.964565Z",
			"deleted_at": null,
			"main_name": "Venom Spider",
			"aliases": [
				"Golden Chickens",
				"TA4557",
				"Venom Spider"
			],
			"source_name": "ETDA:Venom Spider",
			"tools": [
				"More_eggs",
				"PureLocker",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Taurus Loader Reconnaissance Module",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraCrypt",
				"TerraLogger",
				"TerraPreter",
				"TerraRecon",
				"TerraStealer",
				"TerraTV",
				"TerraWiper",
				"ThreatKit",
				"VenomKit",
				"VenomLNK",
				"lite_more_eggs"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433975,
	"ts_updated_at": 1775792168,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4ab7a2f9c30fb9c02d26380d99067802eaf9b009.pdf",
		"text": "https://archive.orkl.eu/4ab7a2f9c30fb9c02d26380d99067802eaf9b009.txt",
		"img": "https://archive.orkl.eu/4ab7a2f9c30fb9c02d26380d99067802eaf9b009.jpg"
	}
}