Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 18:08:11 UTC
 Tool: More_eggs
Names
More_eggs
SpicyOmelette
Terra Loader
SKID
Category Malware
Type Backdoor, Downloader
Description
More_eggs is a JavaScript backdoor used by the Cobalt group. It attempts to connect to
its C&C server and retrieve tasks to carry out, some of which are:
- d&exec = download and execute PE file
- gtfo = delete files/startup entries and terminate
- more_eggs = download additional/new scripts
- more_onion = run new script and terminate current script
- more_power = run command shell commands
Information

lures>
MITRE ATT&CK Malpedia AlienVault OTX Last change to this tool card: 27 June 2025
Download this tool card in JSON format
All groups using tool More_eggs
Changed Name Country Observed
APT groups
 Cobalt Group 2016-Oct 2019
 Evilnum [Unknown] 2018-2022
 FIN6, Skeleton Spider [Unknown] 2015-Oct 2021
 Venom Spider, Golden Chickens 2017-Jan 2025
4 groups listed (4 APT, 0 other, 0 unknown)
↑
Source: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a23df665-46df-4134-8375-0b05c14f617b
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a23df665-46df-4134-8375-0b05c14f617b
Page 2 of 2